Guest Network not working in Firmware 386.2_2

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Mike S

Regular Contributor
Are you expecting your guest internet traffic to be routed through the VPN or to bypass the VPN and go directly out through the WAN?

If the former, your VPN server could be dropping traffic destined to the different subnet used by Guest #1. Perhaps it needs an additional route/iroute defined.

If the latter, do you have "Force internet traffic through tunnel" enabled or disabled on your VPN client settings? I have it set to "No" so that only traffic going to other VPN subnets gets routed through the VPN. With this configuration everything works fine even for guest #1. If you want your non-guest LAN traffic to use the VPN but the guest LAN to bypass it, then it seems like it would take some custom routing rules to make it work.
Actually this is another problem. Ideally, the Guest Network should only be open to the internet via the WAN port. However, this was discussed in another thread a year or so ago. Apparently, VPN connections are open to the Guests.

My VPN Clients are configured Policy Rules (strict), so only traffic to my remote office subnets go thru the VPN connections. All other, non-local traffic goes thru the WAN port.
 

bbunge

Part of the Furniture
Actually this is another problem. Ideally, the Guest Network should only be open to the internet via the WAN port. However, this was discussed in another thread a year or so ago. Apparently, VPN connections are open to the Guests.

My VPN Clients are configured Policy Rules (strict), so only traffic to my remote office subnets go thru the VPN connections. All other, non-local traffic goes thru the WAN port.
I was playing around with routing settings this afternoon in the OpenVPN client. Trying to get the Guest to go through the VPN. Did not work. Maybe there should be a script to reset the routing for the Guest 1 after the VPN client connects? Reset it to go through the WAN.
 

Mike S

Regular Contributor
I was playing around with routing settings this afternoon in the OpenVPN client. Trying to get the Guest to go through the VPN. Did not work. Maybe there should be a script to reset the routing for the Guest 1 after the VPN client connects? Reset it to go through the WAN.
Guest1 traffic will not go thru an open VPN Client connection. It will go thru the WAN port (not sure why this is working now, when it wasn't before).

Guest2 traffic WILL go thru and Open VPN Client connection, as well as the WAN port, depending on the destination subnet, when you have Policy Rules enabled on the VPN Client.

It would be nice to get a detailed explanation on why Guest1 and Guest2 work differently.
 

manocinca

New Around Here
Guest1 traffic will not go thru an open VPN Client connection. It will go thru the WAN port (not sure why this is working now, when it wasn't before).

Guest2 traffic WILL go thru and Open VPN Client connection, as well as the WAN port, depending on the destination subnet, when you have Policy Rules enabled on the VPN Client.

It would be nice to get a detailed explanation on why Guest1 and Guest2 work differently.
I have the same problem with 2peaces of RT-AX68U device in AiMESH system
the differences between guest 1 and guest 2 networks is the AI mesh nod extension support. Guest 1 network can work on AiMESH client devices, not just the on the master router. Guest2 network can't extend to other aImess nods devices. It can work just a master router.
An this is my problem. If on guest network 1 intranet = DISABLED the client devices not became an ip address. But this fail is on just AImesk client nodes. On the master AImesh router ist work fine the guest1 network.
And sorry for my english.
 

ninja888

Occasional Visitor
I assume this is still a bug since I’m on the latest firmware with AC86 master router and AX56U node and see the following. Note: I also have OpenVPN client configured on the Master node…

(A) 2.4ghz guest #1 does not work - Master and AiMesh node clients do not get a valid DHCP address and cannot access internet.

(B) 2.4ghz Guest #2 seems to work fine at the master node (but obviously cannot then extend to AiMesh node).

(C) 5ghz Guest #1 does seem to work ok

If there is a conflict with OpenVPN client and 2.4ghz Guest #1 can this be fixed (or at least mitigated so that the conflict only conflicts with say 2.4ghz Guest #3 and therefore does not then impact either the 2.4/5ghz Guest #1 networks and AiMesh node sync)?

thanks!
 

ninja888

Occasional Visitor
So I did a little more digging here and something definitely doesn’t look right with the 2.4Ghz Guest Network 1 interface (wl0.1) / br1 when “Access Intranet” is set to “Disable” - In this scenario, the wl0.1 interface is not attached to any bridge and all 2.4Ghz Guest 1 clients cannot access the internet - They are not even able to get a DHCP address from the router).

Should the wl0.1 interface get attached to the br1 bridge in this scenario (and should the br1 bridge have an IP address in the 192.168.1.101.0/24 range)?

SETUP:
- Main Router (AiMesh Master): RT-AC86U running 386.3_2. All config is done here and cli output below from this device. 2.4Ghz Guest 1/2 are configured as is 5Ghz Guest1 and an OpenVPN Client is also configured / Running.
- AiMesh Node: RT-AX56U running 386.3_2 - 2.4/5Ghz Guest 1 Networks sync’d here and all connection tests done here


Scenario (1): ENABLE Intranet Access for 2.4Ghz Guest 1 (wl0.1)
(a) wl0.1 - 2.4Ghz Guest1 ON (Access Intranet ON)
(b) wl0.2 - 2.4Ghz Guest2 ON (Access Intranet OFF)
(c) wl1.1 - 5Ghz Guest 1 ON (Access Intranet OFF)

[email protected]:/tmp/home/root# ip a | grep wl
21: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
75: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
76: wl1.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br2 state UNKNOWN group default qlen 1000

[email protected]:/tmp/home/root# ifconfig | grep 'br' -A1
br0 Link encap:Ethernet HWaddr MAC1
inet addr:192.168.0.1 Bcast:192.168.1.255 Mask:255.255.254.0
--
br1 Link encap:Ethernet HWaddr MAC1
inet addr:169.254.132.138 Bcast:169.254.255.255 Mask:255.255.0.0
--
br2 Link encap:Ethernet HWaddr MAC2
inet addr:192.168.102.1 Bcast:192.168.102.255 Mask:255.255.255.0

RESULTS:
2.4Ghz Guest 1 (wl0.1) and 2.4Ghz Guest 2 (wl0.2) are both attached to Bridge br0 (with IP on 192.168.0.0/23 range) and can access Internet. 5Ghz Guest 1 (wl1.1) is attached to br2 (with an IP on the 192.168.102.0/24 range) and can access Internet - ALL GOOD!


Scenario (2): DISABLE Intranet Access for 2.4Ghz Guest 1 (wl0.1)
(a) wl0.1 - 2.4Ghz Guest1 ON (Access Intranet OFF)
(b) wl0.2 - 2.4Ghz Guest2 ON (Access Intranet OFF)
(c) wl1.1 - 5Ghz Guest 1 ON (Access Intranet OFF)

[email protected]:/tmp/home/root# ip a | grep wl
21: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
75: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
76: wl1.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br2 state UNKNOWN group default qlen 1000

[email protected]:/tmp/home/root# ifconfig | grep 'br' -A1
br0 Link encap:Ethernet HWaddr MAC1
inet addr:192.168.0.1 Bcast:192.168.1.255 Mask:255.255.254.0
--
br1 Link encap:Ethernet HWaddr MAC1
inet addr:169.254.132.138 Bcast:169.254.255.255 Mask:255.255.0.0
--
br2 Link encap:Ethernet HWaddr MAC2
inet addr:192.168.102.1 Bcast:192.168.102.255 Mask:255.255.255.0

RESULTS:
- 2.4Ghz Guest 1 (wl0.1) is NOT attached to any bridge - Any 2.4Ghz Guest 1 clients do not get any IP address and cannot access Internet.
- 2.4Ghz Guest 2 (wl0.2) is attached to Bridge br0 (with IP on 192.168.0.0/23 range) and can access Internet.
- 5Ghz Guest 1 (wl1.1) is attached to br2 (with an IP on the 192.168.102.0/24 range) and can access Internet
 

ColinTaylor

Part of the Furniture
So I did a little more digging here and something definitely doesn’t look right with the 2.4Ghz Guest Network 1 interface (wl0.1) / br1 when “Access Intranet” is set to “Disable” - In this scenario, the wl0.1 interface is not attached to any bridge and all 2.4Ghz Guest 1 clients cannot access the internet - They are not even able to get a DHCP address from the router).

Should the wl0.1 interface get attached to the br1 bridge in this scenario (and should the br1 bridge have an IP address in the 192.168.1.101.0/24 range)?
Yes, wl0.1 should be attached to br1 which has an address of 192.168.101.1.

Are you using IPTV or PPoE?
 

ninja888

Occasional Visitor
My WAN connection is PPPoE and I have to enable an ISP IPTV profile for the connection to work (even though I don’t actually use the IPTV).

So it appears that the issue is caused by wl0.1 not being attached to br1 (192.168.101.0/24)? Is that something the Asus Merlin devs could take a look at or would it need to be investigated by Asus themselves?

It would be great if we can get to the cause of this issue as currently there is no working 2.4Ghz Guest WiFi that can shared over AIMesh with this bug.
 
Last edited:

ColinTaylor

Part of the Furniture
My WAN connection is PPPoE and I have to enable an ISP IPTV profile for the connection to work (even though I don’t actually use the IPTV).
On the router's WAN page set Enable VPN + DHCP Connection to No and see if that makes a difference (reboot the router just to be sure).
 

ninja888

Occasional Visitor
On the router's WAN page set Enable VPN + DHCP Connection to No and see if that makes a difference (reboot the router just to be sure).
With “Enable VPN + DHCP Connection” set to No (and router rebooted), the 2.4Ghz Guest1 network wl0.1 appears to be connected to the br1 bridge but the br1 bridge still has an IP range of 169.254.0.0 and all 2.4Ghz Guest 1 clients are not given a DHCP IP address when connecting and therefore still cannot connect to the internet.

ASUSWRT-Merlin RT-AC86U 386.3_2 Fri Aug 6 21:48:26 UTC 2021
[email protected]:/tmp/home/root# ip a | grep wl
21: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br1 state UNKNOWN group default qlen 1000
22: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
23: wl1.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br2 state UNKNOWN group default qlen 1000
[email protected]:/tmp/home/root#

[email protected]:/tmp/home/root# ifconfig | grep br -A1
br0 Link encap:Ethernet HWaddr MAC1
inet addr:192.168.0.1 Bcast:192.168.1.255 Mask:255.255.254.0
--
br1 Link encap:Ethernet HWaddr MAC1
inet addr:169.254.132.138 Bcast:169.254.255.255 Mask:255.255.0.0

--
br2 Link encap:Ethernet HWaddr MAC2
inet addr:192.168.102.1 Bcast:192.168.102.255 Mask:255.255.255.0

out of interest, should br0 and b1 have the same MAC1 address above given that the br2 MAC2 address is distinct from both br0 and br1 MAC?
 

ColinTaylor

Part of the Furniture
out of interest, should br0 and b1 have the same MAC1 address above given that the br2 MAC2 address is distinct from both br0 and br1 MAC?
No, br1's MAC address should be the same as wl0.1's (which is different to br0's MAC address).

What VLAN ID does your IPTV connection use?

P.S. Please don't remove the MAC addresses from your output. It serves no purpose other than making it more difficult to debug the problem.
 

ninja888

Occasional Visitor
How would I find the VLAN ID of IPTV? I checked the LAN->IPTV tab and this just indicates the Profile Name of “Unifi-Home”?

here are the MAC addresses in the ifconfig output for brX and wlX.Y - As you can see br0 and br1 share the same MAC (which is different to br2) but all of the wlX.Y interfaces have distinct MAC addresses:

Code:
[email protected]:/tmp/home/root# ifconfig | grep br -A1
br0       Link encap:Ethernet  HWaddr 04:D9:F5:92:77:58 
          inet addr:192.168.0.1  Bcast:192.168.1.255  Mask:255.255.254.0
--
br1       Link encap:Ethernet  HWaddr 04:D9:F5:92:77:58 
          inet addr:169.254.132.138  Bcast:169.254.255.255  Mask:255.255.0.0
--
br2       Link encap:Ethernet  HWaddr 04:D9:F5:92:77:5D 
          inet addr:192.168.102.1  Bcast:192.168.102.255  Mask:255.255.255.0
[email protected]:/tmp/home/root# ifconfig | grep wl -A1
wl0.1     Link encap:Ethernet  HWaddr 04:D9:F5:92:77:59 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
--
wl0.2     Link encap:Ethernet  HWaddr 04:D9:F5:92:77:5A 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
--
wl1.1     Link encap:Ethernet  HWaddr 04:D9:F5:92:77:5D 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
 

ColinTaylor

Part of the Furniture
How would I find the VLAN ID of IPTV? I checked the LAN->IPTV tab and this just indicates the Profile Name of “Unifi-Home”?
I'm not sure as I don't use IPTV. I am just wondering whether there's a conflict between the VID used by your IPTV and the VID used by guest network #1.

Guest network #1 uses VID 501. As far as I can see Unifi-Home uses VID 500, but I can't be sure.

What is the complete output of brctl show ?
 

ninja888

Occasional Visitor
What is the complete output of brctl show ?

Here is the brctl show output:

Code:
[email protected]:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.04d9f5927758       yes             eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth5.0
                                                        eth6
                                                        eth6.0
                                                        wl0.2
br1             8000.04d9f5927758       yes             eth0.v0
                                                        eth1.501
                                                        eth1.v0
                                                        eth2.501
                                                        eth3.501
                                                        eth4.501
                                                        eth5.501
                                                        eth6.501
                                                        wl0.1
br2             8000.04d9f592775d       yes             eth1.502
                                                        eth2.502
                                                        eth3.502
                                                        eth4.502
                                                        eth5.502
                                                        eth6.502
                                                        wl1.1
 

ColinTaylor

Part of the Furniture
Here is the brctl show output:

Code:
[email protected]:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.04d9f5927758       yes             eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth5.0
                                                        eth6
                                                        eth6.0
                                                        wl0.2
br1             8000.04d9f5927758       yes             eth0.v0
                                                        eth1.501
                                                        eth1.v0
                                                        eth2.501
                                                        eth3.501
                                                        eth4.501
                                                        eth5.501
                                                        eth6.501
                                                        wl0.1
br2             8000.04d9f592775d       yes             eth1.502
                                                        eth2.502
                                                        eth3.502
                                                        eth4.502
                                                        eth5.502
                                                        eth6.502
                                                        wl1.1
Thanks. That looks messed up to me, but I don't use IPTV so don't really know what it's meant to look like. I suspect that if you turn off IPTV, even though you won't have internet the bridges and guest networks will be created properly.

In any case it looks like a bug that Asus will have to fix.

Maybe another forum member that has an RT-AC86U and IPTV can post their output.
 
Last edited:

ninja888

Occasional Visitor
Thanks - I’ll raise it with Asus although I guess it is likely they will want me to revert to the standard firmware to see if still an issue - meaning downtime as I don’t have a spare RT-AC86U to confirm this with.

It would be useful to see whether others have this issue (whether or not AC86u and with/without IPTV) and what their brctl show config is.

I’ll keep this thread updated with any further updates. Thanks again!
 

Morris

Senior Member
Thanks - I’ll raise it with Asus although I guess it is likely they will want me to revert to the standard firmware to see if still an issue - meaning downtime as I don’t have a spare RT-AC86U to confirm this with.

It would be useful to see whether others have this issue (whether or not AC86u and with/without IPTV) and what their brctl show config is.

I’ll keep this thread updated with any further updates. Thanks again!
My pleasure. The issue has been discussed here before.

Morris
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top