What's new

Guest network DHCP and isolation oddity - what's going on here?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!


Occasional Visitor
Found a bit of an oddity with guest networks on Asuswrt-merlin 388.1 on my GT-AXE11000, and while I'm not sure it's a problem per se would appreciate if anyone has thoughts on what's happening here.

On my 2.4Ghz and 5Ghz bands, I have AP isolation OFF, because devices on the main (non-guest) network do need to communicate with each other. The base LAN address is, and the guest network setup is as follows:

Slot 1 / SSID Azkaban / Access intranet DISABLED​
Slot 2 / SSID BarnIoT / Access intranet DISABLED​
Slot 1 / SSID BarnWFH-5G / Access intranet ENABLED​
Slot 2 / SSID BarnIoT-5G / Access intranet DISABLED​

Azkaban works as expected - it assigns IP addresses in the 192.168.101.x range, and nothing there can talk to anything on the intranet. BarnWFH-5G also works as I'd expect - it's assigning an address in the 192.168.56.x range - I think normally it would be 192.168.102.x for that guest, but since it has intranet access (bridged?) getting an intranet address doesn't surprise me, and it's got working access to intranet devices as intended. Both of those are in slot 1 in their frequency bands so they're available via AiMesh, although at the moment my second router is not connected. So for slot 1, all working fine.

However, the slot 2 guests are a surprise - they're assigning IPs in the intranet address range, i.e. 192.168.56.x! I would've expected those to have their own unique ranges, since they're set with intranet access disabled. Oddly, though, the intranet access DOES seem blocked! I can't ping any devices on 192.168.56.x from those guest networks, or vice versa; and I can't reach intranet devices from those guest networks via any other protocols. So - guest devices on BarnIoT and BarnIoT-5G get intranet IP addresses (weird, concerning); but as intended can't communicate with other intranet devices.

I'm just not sure how that's working, exactly - why don't those guests get dedicated non-intranet ranges like the slot 1 guests typically do? And given the addresses are issued in the intranet subnet, what's (correctly!) blocking access to other intranet devices from these guests?


Part of the Furniture
Yes it's working as expected. Historically all guest networks got IP addresses from the main network. Access to the intranet is controlled by ebtables rules. Then for AiMesh Asus changed the behaviour the first guest network on each band so that it could be propagated to AiMesh nodes.


Part of the Furniture
Thanks @ColinTaylor , much appreciated! I'll have to look into ebtables; I'm familiar with iptables from my dd-wrt days but haven't played with ebtables at all.

Another thing worth noting, the main LAN can access machines on Guest Wireless 1 but can not access machines on Guest Wireless 2 or 3 (when access LAN is disabled anyway). Neither guest wireless can access the main LAN so it appears the rules are written so that GW1 allows "response only" and GW2 blocks everything.

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!