Solved Guest Network on AiMesh Node has access to LAN on AiMesh Router

w0ks2

Solved: Downgrading Asus RT-AX88U from 3.0.0.4.388.22525 to 3.0.0.4.386.49674 fixed the issue.
Solved: Option 2 is to enable firewall

-------------------

Hardware:
Using Asus RT-AX88U as AiMesh Router (3.0.0.4.388.22525, latest firmware),
Using Asus RT-AX56U as AiMesh Node (3.0.0.4.386.49380, latest firmware),

Settings:
Access Intranet = Disable
Guest network on AiMesh = All AiMesh node(s)

Issue:
Any device connected to Guest Network on AiMesh Node (Asus RT-AX56U) can ping and access devices connected to LAN on AiMesh Router (Asus RT-AX88U).

Example:
My phone (192.168.101.111) connected to the Guest Network on AiMesh Node (Asus RT-AX56U) can ping and access my NAS server (192.168.50.5).

The entire purpose of Guest Network is "The Guest Network provides Internet connection for guests but restricts access to your local network.", and it fails to do it on the AiMesh node.
Am I the only one having this issue? Does Asus know about it? Am I missing any setting that needs to be changed?
 
Am I missing any setting that needs to be changed?

Not likely... it's a very simple bit of configuration which you have likely done:

Guest1 WLANs SSIDs
WPA2-Personal (to be most compatible with unknown guest clients)
WPA Key
Access intranet disabled
on all nodes

Did you try rebooting the entire network and your test client to effect the configuration change/clear conditions before testing?

Note that Guest WLANs defined on an AiMesh root node in AP Mode (not Router Mode) will not be isolated from the non-AiMesh intranet.

OE
 
As you said - Guest1 WLAN SSID, WPA2-Personal, WPA Key, Access intranet disabled, on all nodes.


I did not try to reboot the entire network manually but there was a power outage recently (2 days ago) and every device did reboot by itself.

I'm sorry I did not quite understand the last line, I am NOT using my Asus RT-AX56U as an "Access Point(AP) mode / AiMesh Router in AP mode", I am using it as "AiMesh Node".

If I navigate to "AiMesh" on the WebUI - I can see Asus RT-AX88U and Asus RT-AX56U.
 

You do need to reboot the devices after enabling guest wireless 1 to allow all the VLANs to be created. Sounds like you already did (or nature did for you). But I'd try disabling and re-enabling, rebooting after each one.

If no good, then my only thought is the mismatch in code versions, 388 and 386. If 388 isn't available for the node yet (thought it was for all AX but guess not) then maybe try downgrading your master to the same/similar 386 version.

Your master is running in Aimesh router mode right?
 

All sounds correct... should work. Ignore the last bit since you are not using AP Mode.

Do you reset new firmware before you configure it from scratch?

That AX56U has not seen a new firmware release in almost a year... seems neglected but I'm not familiar with that model.

Firmware Reset FAQ

Reset button/webUI Restore/node removal - clears settings in NVRAM; reboot restores fw defaults from CFE

Hard Reset via WPS button/webUI Restore+Initialize - also clears data logged in /jffs partition

OE
 
You do need to reboot the devices after enabling guest wireless 1 to allow all the VLANs to be created. Sounds like you already did (or nature did for you). But I'd try disabling and re-enabling, rebooting after each one.
I did try it and it did not fix the issue.

If no good, then my only thought is the mismatch in code versions, 388 and 386. If 388 isn't available for the node yet (thought it was for all AX but guess not) then maybe try downgrading your master to the same/similar 386 version.
Sounds.... bad... but it does make sense to think this way.
I did NOT try to downgrade the Asus RT-AX88U (AiMesh Router) to version 386, and also not an ideal solution (security, features, updates, etc).

Your master is running in Aimesh router mode right?
"Master" in this case is Asus RT-AX88U running "Wireless router mode / AiMesh Router mode (Default)".

Do you reset new firmware before you configure it from scratch?
Yes, many times (for other reasons other than the issue with Guest Network).
My devices are up-to-date and I did Factory Default to both the Asus RT-AX88U (AiMesh Router) and the Asus RT-AX56U (AiMesh Node).
 

386 is still supported and secure. I don't know if there is any issue mixing the two, just a thought.

Once Aimesh is configured, both should have VLAN 501 and 502 on them (you can SSH in and look at ifconfig to confirm) and that should provide total isolation across the whole system.

Another thought, how are the two connected - is there a switch in the path that might be stripping the VLAN tags off? Long shot but worth asking.
 
Another thought, how are the two connected - is there a switch in the path that might be stripping the VLAN tags off? Long shot but worth asking.
No switch, CAT7 cable from Asus RT-AX88U (LAN4) to Asus RT-AX56U (WAN). Nothing in between.
 
No switch, CAT7 cable from Asus RT-AX88U (LAN5) to Asus RT-AX56U (WAN). Nothing in between.

Try moving it to ports 1-4. 5-8 are on a totally separate switch that is a different architecture.

Other than that, only suggestion is try getting them both on the same (or as close as possible) firmware and start over.
 
Try moving it to ports 1-4. 5-8 are on a totally separate switch that is a different architecture.
My bad, it wasn't connected to LAN5, but to LAN4, so this suggestion doesn't help fix the issue.

Other than that, only suggestion is try getting them both on the same (or as close as possible) firmware and start over.
The oldest firmware available for Asus RT-AX88U that is closest to Asus RT-AX56U firmware is 3.0.0.4.386.49674 ( according to https://www.asus.com/networking-iot...s/rt-ax88u/helpdesk_bios/?model2Name=RT-AX88U )
I might try it, but I really don't expect it to fix the issue, I will post a reply to this thread once I try it and I will update you here if it fixed or not.
 

I wouldn't be surprised if it fixed the issue, mismatched code has caused plenty of issues with Aimesh. Merlin has 388 code for the 56U - not sure why asus doesn't, but if you want to be on 388 code base maybe try merlin. However the recommendation is to run stock on nodes, not merlin, so sort of a catch-22.

The whole point of introducing VLANs in 386 code base (and carrying on to 388) for Guest Wireless 1 was so that the blocking of LAN could be extended to the nodes, which wasn't the case before.

If your guest devices on the node are getting 192.168.101.x or 192.168.102.x then the VLANs are working and propagating, but something is causing it to bypass the firewall rules.
 
I wouldn't be surprised if it fixed the issue, mismatched code has caused plenty of issues with Aimesh. Merlin has 388 code for the 56U - not sure why asus doesn't, but if you want to be on 388 code base maybe try merlin. However the recommendation is to run stock on nodes, not merlin, so sort of a catch-22.
Downgrading Asus RT-AX88U from 3.0.0.4.388.22525 to 3.0.0.4.386.49674 fixed the issue.
 
Downgrading Asus RT-AX88U from 3.0.0.4.388.22525 to 3.0.0.4.386.49674 fixed the issue.

Good to hear. If you want to go to 388 you have the option of trying merlin on both, but there are some issues with it and aimesh in past releases (not sure about 388). You're not really losing out on much (if anything).
 
Sorry for the late update but I found another option to fix this issue - enable firewall (yes, I disabled it for some reason).
 
Sorry for the late update but I found another option to fix this issue - enable firewall (yes, I disabled it for some reason).

Makes sense. LAN isolation uses IPTABLES (and to a lesser extent, EBTABLES). It should probably warn you that it won't work because firewall is disabled (or at least enable the firewall for that function only) but I don't think many disable the firewall so probably not a common issue.
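
Added example, not part of any post in this thread: a check to run from a client joined to the guest SSID. It follows the reasoning above that a 192.168.101.x or 192.168.102.x lease means the guest VLAN is propagating, so any LAN host that still answers points to the filtering being bypassed. The function names and verdict strings are assumptions; the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: guest-isolation check run from a client on the guest SSID.
# The guest ranges 192.168.101.x / 192.168.102.x and the NAS at 192.168.50.5
# come from the thread; function names and verdict strings are made up here.

# Succeeds if the address is in one of the guest ranges named in the thread.
is_guest_addr() {
    case "$1" in
        192.168.101.*|192.168.102.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Default probe: one ICMP echo with a 2-second timeout (Linux iputils ping).
probe_ping() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# verdict <client_ip> <lan_host>...
# PROBE may name a replacement probe function (e.g. a TCP connect test).
verdict() {
    client=$1; shift
    if ! is_guest_addr "$client"; then
        echo "NOT_ON_GUEST"     # no guest lease: wrong SSID or VLAN not propagating
        return 2
    fi
    leaked=""
    for host in "$@"; do
        if "${PROBE:-probe_ping}" "$host"; then
            leaked="$leaked $host"
        fi
    done
    if [ -n "$leaked" ]; then
        echo "LEAK:$leaked"     # guest lease, yet LAN answers: filtering bypassed
        return 1
    fi
    echo "ISOLATED"
    return 0
}

# Usage: sh guestcheck.sh <client_ip> <lan_host>...
if [ "$#" -ge 2 ]; then
    verdict "$@"
fi
```

Run it once after every firmware change or firewall setting change on the AiMesh router, since both were shown in this thread to affect the result.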
 
