Phantomski
Regular Contributor
First of all - massive kudos and thumbs up for all the work done on Guest Network Pro in 3006.102.5 firmware. I'm not sure how much tweaking was required for the original ASUS codebase, but let's just say it reached the stage where the VLANs are now very useful for practical use and very cleanly and securely defined in the bridge interfaces and iptables, which is very welcome and nice to see.
So thank you.
The prerequisites and assumptions:
- I am using RT-BE88U (great piece of kit btw, especially for the price) with Merlin's 3006.102.5 firmware.
- When I create a new Customised Network in Guest Network Pro, in its Advanced Settings I am able to define the LAN IP and subnet mask. All great so far.
- Assume I don't want to enable the DHCP server (I'll be using an external one), so I don't need to care about dnsmasq and lease limitations
- I would like to create a wider subnet (say 10.20.0.0/16 instead of /24), but the GUI only allows dropdown selections for smaller subnets - /25 to /28, not larger subnets - like /16. It's done by a dropdown selector, rather than a subnet input box like in LAN settings for the main bridge.
- Yes, I can create a new IP address for the bridge I plan to use with a wider subnet by using
ip addr add 10.20.0.0/16 brd 10.20.255.255 dev br55
and deleting the old allocation, which if I understand correctly won't be permanent
- Yes, I can modify the nvram's subnet_rl value subsection
1>br55>10.20.0.1>255.255.255.0>0>10.20.0.2>10.20.0.254>86400>>
and change it to
1>br55>10.20.0.1>255.255.0.0>0>10.20.0.2>10.20.0.254>86400>>
using
nvram set subnet_rl=
and
nvram commit
which achieves the same thing after reboot
- By using the methods above, am I potentially causing any issues? My downstream DHCP happily allocates the IPs for the whole /16 subnet, I couldn't reach them in the /24 subnet interface on the router and now I can in the /16 subnet, iptables use interfaces instead of networks as far as I've checked, so I can't see issues there, GUI's code doesn't seem to mind (unless I try to change it there again)?
- Is there any reason for the narrower scopes, but not wider?
- Is there a possibility this can be modified in the future revisions?
A) because I like experimenting with it, B) because I am cheap, C) because of the needs of a flat network for HomeKit purposes (don't get me started on mDNS, avahi and Thread IPv6) and D) because I like the flexibility it gives me
It's not gonna be a "proper" setup like a UniFi or an external firewall on a stick like a Protectli / Netgate, etc. with BE-88Us only as WiFi APs. Essentially the BE-88U is still gonna sit up on top as a WAN router/firewall for the main network, but the downstream VLANs will only be "defined" on the BE-88U in GNP for the purpose of a "flat" WiFi/LAN bridge, which will then be propagated and further managed by downstream Mikrotik routers, Proxmox SDNs, pfSense and PiHole/unbound. I know it's not ideal (well, depending on how you define ideal), but that's what I've got and so far in testing I haven't hit major stumbling blocks or an obvious security problem.
Now hit me up and tell me if this is a terrible idea and why
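
The nvram edit described in the post, as an added example that is not part of the original post or the firmware's own code: it rewrites the netmask of one bridge's entry only and then lists any other bridge whose subnet the widened range now overlaps. The `<` entry separator, the field positions, the helper names and the `br0`/`br56` sample entries are assumptions.

```sh
#!/bin/sh
# Added example. Works on strings only; it never calls nvram itself.
# Assumptions: subnet_rl entries are separated by '<', fields by '>',
# field 2 = bridge, field 3 = LAN IP, field 4 = netmask (order as in the post).

# Constructed sample value; br0 and br56 are made up, br55 is the post's entry.
SAMPLE='<0>br0>192.168.50.1>255.255.255.0>1>192.168.50.2>192.168.50.254>86400>><1>br55>10.20.0.1>255.255.255.0>0>10.20.0.2>10.20.0.254>86400>><2>br56>10.20.30.1>255.255.255.0>0>10.20.30.2>10.20.30.254>86400>>'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# set_bridge_mask VALUE BRIDGE NEWMASK -> VALUE with only BRIDGE's mask replaced
set_bridge_mask() {
    printf '%s' "$1" | awk -v br="$2" -v mask="$3" '
        BEGIN { RS = "<"; ORS = ""; FS = OFS = ">" }
        NR > 1 { printf "<" }
        $2 == br { $4 = mask }
        { print }'
}

# overlaps IP1 MASK1 IP2 MASK2 -> exit 0 if the two networks share addresses
overlaps() {
    a=$(ip2int "$1"); ma=$(ip2int "$2"); b=$(ip2int "$3"); mb=$(ip2int "$4")
    m=$(( ma & mb ))   # for contiguous masks this is the wider of the two
    [ $(( a & m )) -eq $(( b & m )) ]
}

# conflicts VALUE BRIDGE -> prints every other bridge overlapping BRIDGE's subnet
conflicts() {
    entries=$(printf '%s\n' "$1" | tr '<' '\n')
    mine=$(printf '%s\n' "$entries" | awk -F'>' -v br="$2" '$2 == br { print $3, $4 }')
    [ -n "$mine" ] || return 2   # bridge not present in the value
    printf '%s\n' "$entries" |
    awk -F'>' -v br="$2" 'NF > 3 && $2 != br { print $2, $3, $4 }' |
    while read -r name ip mask; do
        if overlaps "${mine% *}" "${mine#* }" "$ip" "$mask"; then echo "$name"; fi
    done
    return 0
}

# Widen br55 to /16 in the sample and report the overlap this creates.
conflicts "$(set_bridge_mask "$SAMPLE" br55 255.255.0.0)" br55   # prints: br56
```

The string returned by `set_bridge_mask` is what would be passed to the `nvram set subnet_rl=` command quoted in the post, followed by `nvram commit`.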
