Guest network (IoT) and network time

Never tried but you should be able to access it via SSH I would assume.

Not sure why that value changed for you and not me. I don't know what uses it. Maybe it turns back to 0 after a reboot. For now I'd ignore it and try changing wl0.1 to 0 and see if you can now ping between devices.

Real quick before I do that, I was able to SSH into the node router (AX58U). This one has different values for nvram isolate. Lol

Code:
@RT-AX58U-8670:/tmp/home/root# nvram show | grep -i isolate
size: 79304 bytes (51768 left)
wl0.1_ap_isolate=0
wl0.2_ap_isolate=1
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0.5_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1.2_ap_isolate=0
wl1.3_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=0
jorg@RT-AX58U-8670:/tmp/home/root#
 
Perhaps I need to reboot them. I don't think I did that after I enabled guest wifi.
 
Yes reboot after enabling guest, mentioned that in my previous post.

I just tested on mine and immediately after issuing
wl -i wl1.1 ap_isolate 0

My 5ghz devices could ping each other, and after changing it back it was immediately blocked again. So no need to restart wireless. However as I mentioned, that command will only work when scripted, it won't survive a reboot I don't think. The NVRAM variable will survive a reboot, however any settings changes can reset it back to 1.
 
So all I need to do is add
wl -i wl0.1 ap_isolate 0

To a script in /jffs/scripts/ and it will run every boot? For instance, my 'init-start' script:

Code:
# cat init-start
#!/bin/sh
/jffs/scripts/init2-start
sh /jffs/addons/unbound/stuning start                   # unbound_manager

wl -i wl0.1 ap_isolate 0                                            # Allow guest clients to talk to each other

[ -x /jffs/addons/AdGuardHome.d/AdGuardHome.sh ] && /jffs/addons/AdGuardHome.d/AdGuardHome.sh init-start &
jorg@RT-AX88U-F610:/jffs/scripts#

And I need to do that on both routers?
 
Crap, even after a reboot, running 'nvram show | grep -i isolate' on the mesh node AX58U it still doesn't seem like this is going to work.


Code:
AX58U-8670:/jffs/scripts# nvram show | grep -i isolate
size: 79378 bytes (51694 left)
wl0.1_ap_isolate=0
wl0.2_ap_isolate=1
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0.5_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1.2_ap_isolate=0
wl1.3_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=0
jorg@RT-AX58U-8670:/jffs/scripts#

The node router isn't recognizing that the "Allow access to Intranet" setting is disabled on the main router. And it has wl0.2 set to isolate for some reason.
 
You'll need to test which script it works best with, you may want to make it pretty late in the process such as services-start. Don't forget to make it executable.

Yes you'd need to run it on both. You'll need to monitor and see if anything changes it back (updating settings in the GUI likely will so just remember to reboot if needed after doing that). But if it seems to change on its own without you having changed anything, you'll probably need to look to put it into a service-event or service-event-end script. Or maybe update the NVRAM variable too so that when stuff changes it sees that and uses it. Probably can't hurt to update it regardless on each boot.
 
Put it in a later script and make sure the script is executable and being run.

Ignore wl0.2. You aren't using it. It's just a leftover value. WL0.1 and WL1.1 are both set to 0 above so looks good. What's the issue?

ONLY guest wireless 1 (wl0.1 and wl1.1) is propagated to the node. 2 and 3 are not part of AiMesh, don't use those.
 
The issue is that wl0.1_ap_isolate=0 is set to 0 on the node router without me having changed anything. I haven't issued the command to change it from a 1 to a 0 yet, and I haven't added it to any scripts. It's just set that way by default even though I have guest network on, set to sync to mesh nodes, and I have access to Intranet disabled. So on the main router, it is still set to 1 (because I haven't changed it yet), and on the node router, it's set to 0 already.
 
Unfortunately I don't think this is going to work with AiMesh. I issued the commands and connected my Mac to the guest network, and I am not able to ping any of the devices on the guest network.

Code:
# wl -i wl0.1 ap_isolate 0
jorg@RT-AX88U-F610:/jffs/scripts# nvram show | grep -i isolate
wl0.1_ap_isolate=1
wl0.2_ap_isolate=0
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1.2_ap_isolate=0
wl1.3_ap_isolate=0
size: 87668 bytes (43404 left)
wl1_ap_isolate=0
wl_ap_isolate=1
jorg@RT-AX88U-F610:/jffs/scripts# nvram set wl0.1_ap_isolate=0
jorg@RT-AX88U-F610:/jffs/scripts# nvram show | grep -i isolate
wl0.1_ap_isolate=0
size: 87668 bytes (43404 left)
wl0.2_ap_isolate=0
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1.2_ap_isolate=0
wl1.3_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=1

jorg@RT-AX88U-F610:/jffs/scripts# nvram commit
jorg@RT-AX88U-F610:/jffs/scripts# service restart-wireless

Done.
jorg@RT-AX88U-F610:/jffs/scripts# nvram show | grep -i isolate
wl0.1_ap_isolate=0
wl0.2_ap_isolate=0
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0_ap_isolate=0
size: 87668 bytes (43404 left)
wl1.1_ap_isolate=0
wl1.2_ap_isolate=0
wl1.3_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=1
jorg@RT-AX88U-F610:/jffs/scripts#


Code:
% ping 192.168.101.36
PING 192.168.101.36 (192.168.101.36): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
^C
--- 192.168.101.36 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.223
PING 192.168.101.223 (192.168.101.223): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.101.223 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.87
PING 192.168.101.87 (192.168.101.87): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.101.87 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.87
PING 192.168.101.87 (192.168.101.87): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 192.168.101.87 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.87
PING 192.168.101.87 (192.168.101.87): 56 data bytes
ping: sendto: No route to host
ping: sendto: Host is down
Request timeout for icmp_seq 0
ping: sendto: Host is down
Request timeout for icmp_seq 1
ping: sendto: Host is down
Request timeout for icmp_seq 2
ping: sendto: Host is down
Request timeout for icmp_seq 3
ping: sendto: Host is down
Request timeout for icmp_seq 4
ping: sendto: Host is down
Request timeout for icmp_seq 5
^C
--- 192.168.101.87 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.87
PING 192.168.101.87 (192.168.101.87): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4
^C
--- 192.168.101.87 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.36
PING 192.168.101.36 (192.168.101.36): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
^C
--- 192.168.101.36 ping statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.5
PING 192.168.101.5 (192.168.101.5): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.101.5 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.5
PING 192.168.101.5 (192.168.101.5): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.101.5 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ping 192.168.101.5
PING 192.168.101.5 (192.168.101.5): 56 data bytes
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: Host is down
Request timeout for icmp_seq 1
ping: sendto: Host is down
Request timeout for icmp_seq 2
ping: sendto: Host is down
Request timeout for icmp_seq 3
^C
--- 192.168.101.5 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ % ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether b8:f6:b1:17:67:2b
    inet 192.168.101.191 netmask 0xffffff00 broadcast 192.168.101.255
    media: autoselect
    status: active

jorgsmash@SmackMac ~ % ping 192.168.101.5
PING 192.168.101.5 (192.168.101.5): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.101.5 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
jorgsmash@SmackMac ~ %
 
Like I said, with the NVRAM value you may have to reboot the router. With the WL command it takes effect immediately.

If you issue the WL command with no value you can see what it is currently set to, probably still 1 until you reboot. Or use the WL command to set it and it takes effect immediately.
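
The session above shows the stored NVRAM value and the live driver setting disagreeing (wl0.1_ap_isolate=1 in NVRAM right after `wl -i wl0.1 ap_isolate 0`). As an added example, not code from the thread, this script flags that drift per guest interface. The sample dumps are constructed (modelled on the posted output), and the "ifname value" form for the live state is an assumption about how the `wl` query results are collected.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_* data is constructed,
# modelled on the `nvram show | grep -i isolate` output posted above.

SAMPLE_NVRAM='wl0.1_ap_isolate=1
wl0.2_ap_isolate=0
size: 87668 bytes (43404 left)
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=1'

# Live driver state as "<ifname> <0|1>" lines. On the router this would be
# gathered per interface with `wl -i <ifname> ap_isolate`; the exact output
# format of that query is an assumption, so it is normalised to this form.
SAMPLE_LIVE='wl0.1 0
wl1.1 0'

# Read an nvram dump on stdin and print "<ifname> <value>" for each
# wlX[.Y]_ap_isolate line. The interleaved "size:" line and the
# interface-less wl_ap_isolate variable are skipped.
parse_nvram_isolate() {
    sed -n 's/^\(wl[0-9][0-9.]*\)_ap_isolate=\([01]\)$/\1 \2/p'
}

# lookup <ifname> <table>: print the value recorded for ifname, or "?".
lookup() {
    printf '%s\n' "$2" |
        awk -v i="$1" '$1 == i { v = $2 } END { print (v == "" ? "?" : v) }'
}

# audit_isolate <want 0|1> <nvram dump> <live table> <ifname>...
# Prints one line per interface with one of these verdicts:
#   OK        stored and live both equal the wanted value
#   DRIFT     stored and live disagree, so a reboot or a GUI settings
#             change can silently flip the behaviour
#   MISMATCH  stored and live agree but are not the wanted value
#   UNKNOWN   the interface is missing from one of the inputs
audit_isolate() {
    want=$1
    stored=$(printf '%s\n' "$2" | parse_nvram_isolate)
    live=$3
    shift 3
    for ifc in "$@"; do
        s=$(lookup "$ifc" "$stored")
        l=$(lookup "$ifc" "$live")
        if [ "$s" = "?" ] || [ "$l" = "?" ]; then state=UNKNOWN
        elif [ "$s" != "$l" ]; then state=DRIFT
        elif [ "$l" = "$want" ]; then state=OK
        else state=MISMATCH
        fi
        echo "$ifc stored=$s live=$l want=$want $state"
    done
}

# Guest network 1 (wl0.1 and wl1.1), checked against "isolation wanted".
audit_isolate 1 "$SAMPLE_NVRAM" "$SAMPLE_LIVE" wl0.1 wl1.1
```

Pass 0 as the first argument when the goal is the one in this thread (guest clients allowed to reach each other); run it on the main router and on each node, since the values differ between them.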
 
May be one of your other addons interfering. Did you reboot the node after enabling Guest 1? Typically that is required (actually you have to reboot both usually).
 
I used the WL command initially. It's in the code snip I posted above.

Yes I rebooted both of them after I enabled the guest 1. That is what I was referring to in post #25. I had enabled the guest 1 and rebooted both.
 
May be time to factory reset that node and re-join it. Maybe even both and start from scratch (configure by hand, re-add 3rd party stuff one at a time, etc). Are both on the same code base (388 or 386)? Probably want them matching as close as possible.

On mine as soon as I disable AP isolation the devices on the same band (both 5 or both 2.4) can talk to each other. Between bands won't be able to due to some firewall rules that are in place. You're certain the devices you were testing with respond to ping?
 
They are both on the latest firmware. In my signature. Are you using AI mesh?
 
Sorry was talking in another thread where they said the AX5 series didn't support 388 code. If they're both on the same code, only suggestion at this point is to factory reset the whole thing and start over. Some of your addons (or maybe ones you've uninstalled) may be interfering. Maybe that wl_ap_isolate value is something to do with it, mine is set to 0 even though I have guest and isolation enabled.

No, not running AiMesh, but you're saying it isn't even working off the main router, so that's before even getting into the node and AiMesh.

Edit - that user had a 56U not a 58U.
 
Thanks for your help. I haven't been able to figure anything that's going to work for my needs. Are you any good at IPtables?

Link to another post about IPtables

Cheers!
 
IPTABLES and even EBTABLES won't help with changing client isolation. Seems the user in the other thread resolved their issues with isolation (opposite issue, clients on AiMesh node were not isolated) by downgrading to 386 code. But like I said, your best bet is probably start from scratch, get it working (hopefully on 388, if not try 386) then start re-adding your 3rd party stuff and make sure it keeps working.
 
Thanks. I'll give it a shot when I find some time to screw the wifi up for an extended period of time lol.
 
Why would I not be able to use IPtables to block client traffic from accessing other devices on the LAN? Even if they are on the same subnet. I should be able to isolate devices by only allowing them Internet access and not be able to reach other clients on the same subnet.
 
IPtables only gets hit for routed traffic. Traffic in the same subnet is not routed. If the clients are on different interfaces but in the same subnet (as happens with guest 2 and 3) you can use ebtables. If they are on the same interface and same subnet, neither will get hit, AP isolation (which just blocks the shared connection used for broadcasts so clients can't ARP for each other or send mDNS etc) is the only option.

Note that AP isolation is only a basic security feature if using WPA2 since that has been cracked and anyone with a piece of software and a USB wifi card that supports promiscuous mode can still sniff the data being sent between AP and other clients. With WPA3 it is more secure.

With guest 1 and/or Yazfi you can use iptables to filter between subnets (but not within) since the guest is in a different interface and subnet from LAN and other guests.
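
The rule in the post above (routed traffic hits iptables, bridged traffic between interfaces hits ebtables, traffic within one wireless interface is only controlled by AP isolation) can be applied to a client inventory to see which control covers each pair. This is an added example, not code from the thread; the interface assignments and the 192.168.1.10/eth1 LAN host are constructed, while the guest addresses and the /24 mask come from the ping and ifconfig output earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Interface assignments and the LAN
# host below are constructed for illustration.

SAMPLE_CLIENTS='192.168.101.191 wl0.1
192.168.101.36 wl0.1
192.168.101.87 wl1.1
192.168.1.10 eth1'

# ip_to_int <dotted-quad>: print the address as a 32-bit integer.
# The body runs in a subshell so the IFS change cannot leak to the caller.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_subnet <ip_a> <ip_b> <prefix_len>: succeed if both share a subnet.
same_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# filter_point <ip_a> <if_a> <ip_b> <if_b> <prefix_len>
# Prints the only place traffic between the two clients can be filtered,
# following the rule as the post states it.
filter_point() {
    if ! same_subnet "$1" "$3" "$5"; then
        echo iptables      # different subnets: traffic is routed
    elif [ "$2" != "$4" ]; then
        echo ebtables      # same subnet, different interfaces: bridged
    else
        echo ap_isolate    # same subnet, same wireless interface
    fi
}

# plan_isolation <prefix_len>: read "<ip> <ifname>" lines on stdin and
# print the filter point for every unordered pair of clients.
plan_isolation() {
    clients=$(cat)
    printf '%s\n' "$clients" | while read -r ip_a if_a; do
        printf '%s\n' "$clients" | while read -r ip_b if_b; do
            # emit each pair once, lower address first
            [ "$(ip_to_int "$ip_a")" -lt "$(ip_to_int "$ip_b")" ] || continue
            fp=$(filter_point "$ip_a" "$if_a" "$ip_b" "$if_b" "$1")
            echo "$ip_a($if_a) <-> $ip_b($if_b): $fp"
        done
    done
}

printf '%s\n' "$SAMPLE_CLIENTS" | plan_isolation 24
```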
 