Guest Network on 386 builds doesn't play nice with Chromecast, and a potential workaround

I think what's happening here is Asus is responding to criticism that their VLANs didn't properly isolate even with AP isolate on. Adding different subnets helps with this, contrary to what you believe, and there is probably something wonky going on with the allow intranet. This is why the YazFi addon allowed you to do this, and I think Asus is taking the hint. But it is obviously not routing between the different subnets, so the only solution, as bbunge said, is to use guest 2 or 3. You can petition Asus to fix it, but I personally would rather they didn't for security reasons lol. Maybe you need a more advanced router for your purposes.

But again, it makes no sense to use a guest network with intranet enabled unless a timeout period is set, or intranet is enabled only temporarily to allow some functions and you will again disable it.
 
The problem here is protocols though. The first statement in this article might be easier to understand: Are Layer 2 or Layer 3 Protocols Better? Yes. - Component (biamp.com). I was asking which category you assume Chromecast falls into. As an above poster stated, Google implies it won't work with a guest network, which is assumed to be isolated. So the question is, is your Chromecast routing outside the subnet/LAN? I'm assuming it stays within the LAN. I use Chromecast to my TV but specifically made sure not to put my phone and TV on different VLANs, aka SSIDs with different subnets (which the latest firmware does for guest 1) or with intranet disabled. Also make sure AP isolate is not on.

As a different example, I put my Echo, Ring, Blink and Nest devices on isolated guest networks because those are accessed through the WAN side.

There is no better or worse for Layer 2 vs Layer 3 protocols. Layer 3 rides on top of Layer 2 just as a house sits on a foundation.

The discovery protocol that Chromecast devices answer to, mDNS, uses IP multicasts. By default, multicasts do not traverse an IP router. This means that both the device doing the discovery, say a phone, and the Chromecast must be in the same IP subnet. Furthermore, a firewall that acts on traffic in the same IP subnet yet has two zones in this subnet must allow the traffic to traverse for discovery to work. The intranet allow/disallow is the firewall rule that makes the difference on our Asus routers.

Morris
 
I think what's happening here is Asus is responding to criticism that their VLANs didn't properly isolate even with AP isolate on. Adding different subnets helps with this, contrary to what you believe, and there is probably something wonky going on with the allow intranet. This is why the YazFi addon allowed you to do this, and I think Asus is taking the hint. But it is obviously not routing between the different subnets, so the only solution, as bbunge said, is to use guest 2 or 3. You can petition Asus to fix it, but I personally would rather they didn't for security reasons lol. Maybe you need a more advanced router for your purposes.

But again, it makes no sense to use a guest network with intranet enabled unless a timeout period is set, or intranet is enabled only temporarily to allow some functions and you will again disable it.

It's not just criticism; their routers have failed security audits. Part of the problem is the incorrect use of network terms, which confuses both the expert and those learning.

VLAN:

Subnet:

Broadcast Domain:
.

Morris
 
It's not just criticism; their routers have failed security audits. Part of the problem is the incorrect use of network terms, which confuses both the expert and those learning.

VLAN:

Subnet:

Broadcast Domain:
.

Morris


It's best to give your own interpretation of what a label means rather than linking an article, so we know we are on the same page. That's where the confusion starts. The most intelligent and experienced people I know in the industry are ones that don't even have network certifications.

To me a VLAN is a different SSID if wireless, and assumed to have a different subnet on the same network hardware. Period. You could also define it as a bunch of different networks on separate network hardware grouped together (subnetwork). I would not expect the Asus router to route between the different subnets. Neither does Google apparently for any home router. Only on Asus have I ever used different "vlans" with the same subnet, probably specifically for wireless purposes with a set timer. Sure, it's possible on more advanced routers that give more control, but as I've said that defeats the purpose.

Your Chromecast protocol is layer 2 from what I understand you interpret it as (LAN only). So for the reasons stated above it's not going to work with a different subnet on the guest 1 network of the Asus router, even if it's theoretically possible, because the Asus does not allow it, keeping it isolated, and it is not layer 3 (WAN side), so you won't be able to communicate with it from a different VLAN network. I'm going to refrain from constantly rephrasing this now lol.
 
Asus probably needs to separate "AP Isolation" which is a parameter from "Access Intranet" which is a user settable function in the Guest Network GUI. As a suggestion, Asus could have these as 2 user settable selections in the Guest Network GUI.
 
There seems to be some confusion in this thread about some terminology.

1. Asus doesn't use VLANs to create guest WiFi networks.

2. "Access Intranet - enable/disable" is achieved by using packet filtering rules. (And now has the added complication of using a separate subnet for the first guest network per band.)

3. ap_isolate is a WiFi driver setting which only affects client-to-client communication between devices connected to the same BSSID. This value is usually set per band in Wireless > Professional.

Asus probably needs to separate "AP Isolation" which is a parameter from "Access Intranet" which is a user settable function in the Guest Network GUI. As a suggestion, Asus could have these as 2 user settable selections in the Guest Network GUI.
John added this to his firmware some time ago.
 
Having read through this thread, isn’t the issue here that we all seem to be misunderstanding what exactly it is that JWoo is highlighting as an issue?

JWoo doesn’t want devices on the Guest Network SSID to be able to communicate with devices on the main LAN SSID (makes sense - that’s what most of us want to achieve with Guest Networks). However, at the same time, JWoo does want devices that are on the Guest Network to be able to communicate with each other - ie other devices also on the Guest Network. And it is this that ASUS has broken in 386.

Makes sense to me that this would be an issue for some people, and I think it’s good JWoo has highlighted this change and posted a potential workaround. JWoo doesn’t want to just have the chromecasts back on the main LAN, as has been suggested.

Given JWoo’s workaround, seems to me like something that Merlin could potentially offer as option in the GUI when creating a Guest Network, if he had the time and was so inclined. i.e.
Option 1) Access intranet enabled
Option 2) Access intranet disabled but enable Guests to communicate with other Guests on same SSID
Option 3) Access intranet disabled and isolate all devices on Guest SSID

EDIT: Ah, ColinTaylor got in just before me! Seems like he also read through this thread and saw some misunderstandings too.
 
There seems to be some confusion in this thread about some terminology.

1. Asus doesn't use VLANs to create guest WiFi networks.

2. "Access Intranet - enable/disable" is achieved by using packet filtering rules. (And now has the added complication of using a separate subnet for the first guest network per band.)

3. ap_isolate is a WiFi driver setting which only affects client-to-client communication between devices connected to the same BSSID. This value is usually set per band in Wireless > Professional.

I'd still call the guest network a VLAN since it's virtual, especially now with different subnets. But your explanations of points 2 and 3 are how I understood them. Thanks for clearing that up.
 
Having read through this thread, isn’t the issue here that we all seem to be misunderstanding what exactly it is that JWoo is highlighting as an issue.

JWoo doesn’t want devices on the Guest Network SSID to be able to communicate with devices on the main LAN SSID (makes sense - that’s what most of us want to achieve with Guest Networks). However, at the same time, JWoo does want devices that are on the Guest Network to be able to communicate with each other - ie other devices also on the Guest Network. And it is this that ASUS has broken in 386.

Makes sense to me that this would be an issue for some people, and I think it’s good JWoo has highlighted this change and posted a potential workaround. JWoo doesn’t want to just have the chromecasts back on the main LAN, as has been suggested.

Given JWoo’s workaround, seems to me like something that Merlin could potentially offer as option in the GUI when creating a Guest Network, if he had the time and was so inclined. i.e.
Option 1) Access intranet enabled
Option 2) Access intranet disabled but enable Guests to communicate with other Guests on same SSID
Option 3) Access intranet disabled and isolate all devices on Guest SSID

EDIT: Ah, ColinTaylor got in just before me! Seems like he also read through this thread and saw some misunderstandings too.

I guess I did totally misunderstand, because I assumed the opposite. That would indeed explain why enabling intranet would not be working, because as Colin explained the AP isolation setting could be causing him issues. But I have had issues in the past where AP isolation never actually isolated anything. Could it be it's not now broken but actually fixed? lol

Unless it's not even enabled in his settings but he still has issues communicating within the same guest network, then something is definitely wrong. I haven't run into such problems, but there must be some bug going on with guest 1.
 
No, it's not a VLAN. The correct terminology is important. And its use is imperative when discussing such topics.
 
There seems to be some confusion in this thread about some terminology.

1. Asus doesn't use VLANs to create guest WiFi networks.

2. "Access Intranet - enable/disable" is achieved by using packet filtering rules. (And now has the added complication of using a separate subnet for the first guest network per band.)

3. ap_isolate is a WiFi driver setting which only affects client-to-client communication between devices connected to the same BSSID. This value is usually set per band in Wireless > Professional.


John added this to his firmware some time ago.
@ColinTaylor you nailed it. The Access Intranet = Disabled setting for Guest Networks in addition to packet filtering rules is setting ap_isolate = 1 on the 386 builds. This was never done on the 384 builds. This is what is breaking Chromecast as the clients on the same SSID cannot communicate so DIAL protocol fails. On the guest networks, the ap_isolate variables are:

wl0.1_ap_isolate
wl0.2_ap_isolate
wl0.3_ap_isolate
wl1.1_ap_isolate
wl1.2_ap_isolate
wl1.3_ap_isolate

On the 386 builds, the default value = 0 but as soon as you activate a guest network with Access Intranet = Disabled, ap_isolate is changed to 1. Not sure what John did on his builds as I don't currently have a router running his release. Solution would be a separate setting on Guest Networks for AP Isolation. Can you attach a screenshot of what John did on his builds?
 
Having read through this thread, isn’t the issue here that we all seem to be misunderstanding what exactly it is that JWoo is highlighting as an issue?

JWoo doesn’t want devices on the Guest Network SSID to be able to communicate with devices on the main LAN SSID (makes sense - that’s what most of us want to achieve with Guest Networks). However, at the same time, JWoo does want devices that are on the Guest Network to be able to communicate with each other - ie other devices also on the Guest Network. And it is this that ASUS has broken in 386.

Makes sense to me that this would be an issue for some people, and I think it’s good JWoo has highlighted this change and posted a potential workaround. JWoo doesn’t want to just have the chromecasts back on the main LAN, as has been suggested.

Given JWoo’s workaround, seems to me like something that Merlin could potentially offer as option in the GUI when creating a Guest Network, if he had the time and was so inclined. i.e.
Option 1) Access intranet enabled
Option 2) Access intranet disabled but enable Guests to communicate with other Guests on same SSID
Option 3) Access intranet disabled and isolate all devices on Guest SSID

EDIT: Ah, ColinTaylor got in just before me! Seems like he also read through this thread and saw some misunderstandings too.
@JimbobJay and @ColinTaylor, you can be my IT psychologists as you understand me. :)
 
No, it's not a VLAN. The correct terminology is important. And its use is imperative when discussing such topics.

Is this also the case when using YazFi? I always assumed that by being able to specify a different subnet, it was creating a VLAN, but tbh I don’t quite know how YazFi works.

When using Ubiquiti SOHO devices, I’ve been able to create different SSIDs and use VLAN tagging to route them accordingly to their different VLANs which use different subnets, but I always had trouble trying to also allow them to use a PiHole as their DNS server, which was on my main LAN and using its subnet. YazFi on Merlin seemed to make enabling this as an option a breeze, but I never quite understood if under the hood it was making a VLAN or not.
 
Solution would be a separate setting on Guest Networks for AP Isolation. Can you attach a screenshot of what John did on his builds?

When I tested a version of Merlin some time ago I found that even if you set the individual nvram variables (e.g. wl0.1_ap_isolate) they were overwritten with the parent value (e.g. wl0_ap_isolate) as soon as the wireless system was restarted. It sounds like this is no longer the case from what you've said, so that's an improvement.
 
On the 386 builds, the default value = 0 but as soon as you activate a guest network with Access Intranet = Disabled, ap_isolate is changed to 1.
I already tried to help out someone running the ASUS OEM 386....

The ap-isolate code is now closed source, and it also appears as if they have a monitor on ebtables that prevents it from being disabled.
 
@JimbobJay and @ColinTaylor, you can be my IT psychologists as you understand me. :)

Ha, why thank you ;) Have you tried using YazFi on 386? I’m waiting for 386 builds to come out of beta before I update to that branch, but I’m using YazFi on Merlin’s 384 branch, and that has an option of choosing whether or not to isolate clients from each other on the Guest SSIDs
 
Is this also the case when using YazFi? I always assumed that by being able to specify a different subnet, it was creating a VLAN, but tbh I don’t quite know how YazFi works.
No YazFi doesn't use VLANs, just subnets and packet filtering.
 
@JimbobJay, no YazFi does not use/create VLANs. Subnets, yes.
 
No, it's not a VLAN. The correct terminology is important. And its use is imperative when discussing such topics.

Thank you :-}
 

When I tested a version of Merlin some time ago I found that even if you set the individual nvram variables (e.g. wl0.1_ap_isolate) they were overwritten with the parent value (e.g. wl0_ap_isolate) as soon as the wireless system was restarted. It sounds like this is no longer the case from what you've said, so that's an improvement.
Setting AP isolate = 0 for the Guest Network variables (keep in mind there are separate AP isolate variables for the main radios) survives restart of the router. If you make any change to the Guest Network via the GUI while Access Intranet is set to Disabled in the GUI, it will write the variable back to 1 and your ChromeCast will be broken again unless you set the variable manually. I am using the first 5GHz Guest Network for IoT devices that use ChromeCast, so I set wl1.1_ap_isolate = 0 to allow ChromeCast to work.
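As an added example, not posted by anyone in this thread, here is a small POSIX shell script that audits the per-guest-network ap_isolate flags described above and emits the commands to re-apply the workaround on one chosen guest interface (wl1.1, the first 5GHz guest network used in the post above), while leaving the other guest networks isolated. It assumes the wl<band>.<n>_ap_isolate nvram naming quoted earlier in the thread, and that nvram set and nvram commit are available on the router; the `service restart_wireless` line is my assumption for the wireless restart hook and should be checked against your firmware. The sample nvram output embedded in the script is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit guest-network ap_isolate flags
# and print the commands that clear the flag on one guest interface.
# Assumed naming (from the thread): wl<band>.<n>_ap_isolate, band 0 = 2.4GHz,
# band 1 = 5GHz, n = 1..3 for the three guest networks per band.

# Print "wlX.Y" for every guest interface whose ap_isolate flag is 1.
# Input: name=value lines on stdin, e.g. the output of `nvram show`.
# The parent radio variables (wl0_ap_isolate, wl1_ap_isolate) are ignored on purpose.
list_isolated_guests() {
    grep -E '^wl[01]\.[123]_ap_isolate=' |
        awk -F= '$2 == "1" { sub(/_ap_isolate$/, "", $1); print $1 }' |
        sort
}

# Emit the commands that clear the flag for one guest interface such as wl1.1.
# They are printed rather than executed so they can be reviewed first; on the
# router you can pipe them to sh. Rejects anything that is not a guest interface.
fix_commands() {
    iface="$1"
    case "$iface" in
        wl[01].[123]) ;;
        *) echo "not a guest interface: $iface" >&2; return 1 ;;
    esac
    printf 'nvram set %s_ap_isolate=0\n' "$iface"
    printf 'nvram commit\n'
    # Assumed restart hook; the thread notes the driver re-reads the variable
    # when the wireless system restarts, so the change needs a restart to apply.
    printf 'service restart_wireless\n'
}

# Constructed sample of what `nvram show` might print after the GUI has written
# the 386-style value: guest 1 on both bands and guest 2 on 5GHz isolated,
# plus unrelated keys that the filter must skip.
SAMPLE='wl0_ap_isolate=0
wl0.1_ap_isolate=1
wl0.2_ap_isolate=0
wl1_ap_isolate=0
wl1.1_ap_isolate=1
wl1.2_ap_isolate=1
wl1.3_ap_isolate=0
lan_ipaddr=192.168.50.1'

# Live usage on the router:  nvram show 2>/dev/null | list_isolated_guests
# Demo on the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "Guest interfaces with ap_isolate=1 in the sample:"
    printf '%s\n' "$SAMPLE" | list_isolated_guests
    echo "Commands to re-enable client-to-client traffic on wl1.1:"
    fix_commands wl1.1
fi
```

Because a GUI save can silently flip the flag back to 1, running list_isolated_guests from a periodic job (or after any guest-network change) is a cheap way to notice the regression before Chromecast discovery breaks again, and keeping the fix scoped to one interface means the remaining guest networks stay isolated as intended.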
 
