Solved Guest network can access private net


spokey

Occasional Visitor
I'm having a problem with guest networks. I don't use them very often but have set up one for testing equipment for some volunteer work I do.

My router is an RT-AC86U running Merlin 386.2. I probably should post some other info. Just tell me what

Basically when I set up the Guest 2.4 wifi it seems to be isolated. I connect my laptop to the guest network. I'm in the same subnet but can't ping my desktop in the main network. The desktop can ping the guest laptop. I assume that is expected.

But if I connect one of the routers we use for the volunteer work to the guest network and the laptop to that router, I can ping the desktop.

The volunteer router is configured with 172.25.25.x network. It connects to the guest network which is 172.21.17.x

I connect the laptop to the volunteer router and get the expected 172.25.25.x ip and gateway. But I can now ping the desktop.

Am I likely doing something wrong? A bug? Feature?

thanks
 

Tech9

Very Senior Member
Related information:


Seems like Asus messed up GN trying to provide GN to AiMesh nodes.
 

eibgrad

Very Senior Member
Even under the best of conditions, guest networks on Asus/Merlin are nothing to write home about. Made even worse by this need to accommodate AiMesh. Asus just did a crappy job and needs to get its act together on this matter.

I suggest using a separate guest router daisy-chained to the primary router (WAN to LAN respectively) and using firewall rules on the guest router to deny access by guests to the upstream private network. Simple and effective.
 
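Added example, not code from the thread or from any of its participants: the kind of firewall rule set eibgrad's daisy-chained guest router would need. It assumes a Linux-based guest router with iptables, its guest LAN on br0 (172.25.25.0/24, the TP-Link's range from the thread) and its WAN on eth0 sitting in the upstream private LAN 172.21.17.0/24; the upstream gateway address 172.21.17.1 is a constructed placeholder. The function prints the commands so they can be reviewed before being piped to sh on the router.

```bash
#!/bin/sh
# Guest-router isolation rules (added example; interface names, subnets and the
# gateway address are assumptions, not values confirmed by the thread).
UPSTREAM_LAN="${UPSTREAM_LAN:-172.21.17.0/24}"   # upstream private LAN (from thread)
UPSTREAM_GW="${UPSTREAM_GW:-172.21.17.1}"        # constructed placeholder gateway
GUEST_IF="${GUEST_IF:-br0}"                      # guest router LAN bridge (assumed)
WAN_IF="${WAN_IF:-eth0}"                         # guest router WAN, in upstream LAN (assumed)

# Emit iptables commands that drop forwarded traffic from guests to any host on
# the upstream private LAN, while still letting guests resolve DNS through the
# upstream gateway. Traffic to the Internet (non-upstream destinations) is left
# to the router's existing FORWARD policy, so guests keep their uplink.
guest_isolation_rules() {
    cat <<EOF
iptables -N GUEST_ISOLATE 2>/dev/null || iptables -F GUEST_ISOLATE
iptables -A GUEST_ISOLATE -d $UPSTREAM_GW -p udp --dport 53 -j ACCEPT
iptables -A GUEST_ISOLATE -d $UPSTREAM_GW -p tcp --dport 53 -j ACCEPT
iptables -A GUEST_ISOLATE -d $UPSTREAM_LAN -j DROP
iptables -A GUEST_ISOLATE -j RETURN
iptables -D FORWARD -i $GUEST_IF -o $WAN_IF -j GUEST_ISOLATE 2>/dev/null
iptables -I FORWARD 1 -i $GUEST_IF -o $WAN_IF -j GUEST_ISOLATE
EOF
}

# Count how many DROP rules the generated set contains (used by the check below).
guest_isolation_drop_count() {
    guest_isolation_rules | grep -c -- '-j DROP'
}

# Review first: guest_isolation_rules
# Apply on the router: guest_isolation_rules | sh
```

After applying, verify from a guest client that a ping to a host on 172.21.17.x times out while a ping to an Internet address still succeeds; if DNS breaks, the gateway placeholder does not match the upstream router's real address.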

spokey

Occasional Visitor
thanks. I mostly wanted to make sure I wasn't screwing up. In this particular case, the reason for using the guest network is so I don't have to make sure I delete all my main network settings from the volunteer equipment. So I'm connecting their laptops to their routers to a temporary network that I'll get rid of when I'm done.
 

slidermike

Regular Contributor
I do not necessarily read his OP to say he put a 2nd router into Mesh mode. I could be mistaken though.
 

spokey

Occasional Visitor
No, I did not. The ASUS is in wireless router mode. Are you saying then that mesh issues should not be the issue?

I just have the volunteer router (TP Link) connecting wirelessly to the ASUS guest network and the laptop connected wirelessly to the TP Link. They are different networks. ASUS 172.21.71.x and the TP Link 172.25.25.x

That mimics its normal use. Normally the router is used to connect our stuff to a site's wifi. Usually senior centers, libraries, etc.

The person that handled this passed away and I'm trying to go through a bunch of stuff to figure out what works, what should be recycled, etc.
 

slidermike

Regular Contributor
I have read your 2 description comments a couple of times and struggling to understand how exactly you have connected the TP Link to the Asus via 2.4Ghz wifi and are passing user traffic from the TP Link to the Asus and back while stating both routers are in router mode. Unless I misunderstood that.

I have attempted to build a drawing based on my understanding of your explanation of how these 2 routers and clients are connected.
If you can draw out something or write out the specifics maybe that would help us assist.
 

Attachment: Drawing1.jpg

spokey

Occasional Visitor
I have read your 2 description comments a couple of times and struggling to understand how exactly you have connected the TP Link to the Asus via 2.4Ghz wifi and are passing user traffic from the TP Link to the Asus and back while stating both routers are in router mode. Unless I misunderstood that.

I have attempted to build a drawing based on my understanding of your explanation of how these 2 routers and clients are connected.
If you can draw out something or write out the specifics maybe that would help us assist.

Your drawing is pretty much right. The 172.21.17.60 laptop is actually the same machine as 172.25.25.100. I disconnect from one wifi and connect to the other in these tests.

The TP Link connects to the ASUS guest wifi via its WISP mode. So on the server side, it has the 172.25.25.1 gateway IP. On its WISP client side, the TP Link WAN side, the IP is something like 172.21.17.194 as assigned by the guest wifi.


So the ping that happens that should not is that 172.25.25.100 pings 172.21.17.50 successfully. It appears to
  1. connect to TP Link Router via TP Link served wifi
  2. out TP Link through its WISP to the ASUS Guest wifi
  3. somehow from Guest wifi to internal lan wifi to 172.21.17.50
It's number 3 that seems wrong. The TP Link router as a client is on the same net as 172.21.17.50 as it appears that is the way ASUS does a guest network. It apparently uses the normal network but somehow must isolate the IPs assigned on the guest wifi?

But that is where the 172.21.17.60 laptop comes in to the picture. It's actually the same machine as 172.25.25.100 which successfully pings 172.21.17.50. But when I disconnect from the TP Link router and connect directly to the guest network, I am isolated.

So 172.25.25.100 can ping 172.21.17.50.
But when that machine is connected directly to the guest wifi as 172.21.17.60 the ping fails as expected.

thanks for your efforts. I hope that makes it a bit clearer.
 

ColinTaylor

Part of the Furniture
But that is where the 172.21.17.60 laptop comes in to the picture. It's actually the same machine as 172.25.25.100 which successfully pings 172.21.17.50. But when I disconnect from the TP Link router and connect directly to the guest network, I am isolated.
You're right that this makes no sense. Just to be clear, the guest network WiFi network is not slot #1, but #2 or #3, correct? Slot #1 on each band is special and has different IP addressing.

Can you test your laptop when it is connected to the TP-Link by Ethernet instead of WiFi?
 

spokey

Occasional Visitor
No. It is in slot #1. I assume #1 is the left? What is the difference? The manual doesn't mention anything. Is that a Merlin thing?

Snap1.jpg
 

ColinTaylor

Part of the Furniture
The change in slot #1 behaviour is something new that Asus added to support guest networks in AiMesh setups. From what I've read (because I don't use that router or firmware) the first guest slots of 2.4 and 5 GHz should have subnets 192.168.101.x and 192.168.102.x respectively. Maybe there's a bug that's caused because your main LAN is not using the expected 192.168.x.y configuration.

Try using slots #2 or #3 instead.

Your screenshot shows "Access Intranet" as Enabled so there should be no isolation happening. Is that your ultimate objective?

Can you confirm that the TP-Link is configured for NAT? In other words all clients on the 172.25.25.x network are being NATed to 172.21.17.194.

Have you tried the wired Ethernet connection?
 

slidermike

Regular Contributor
On the Asus guest wifi, the "Access Intranet" looks enabled.
If you want WiFi guest client to LAN client isolation that needs to be disabled.
 

spokey

Occasional Visitor
Glad I posted the screenshot. I misread that. Thought it said access internet which did seem odd as that is kind of the purpose. I've moved to third position and been playing with the enable / disable intranet. It does seem to be working correctly.

My excuse for not reading that correctly - I'm mostly blind in one eye.

Your conclusion - I am an idiot.

thanks guys
 
