Guest network with intranet access v. using the main network

[Deetlemore]

I've taken the time to enable two guest networks, one for actual guests and one for IoT devices. I have access intranet disabled on both, and have disabled client isolation on the IoT network with a script so that the IoT devices can see each other.

That being said, I obviously have to connect to the IoT network to control devices on that network. That got me thinking, what exactly is the purpose of enabling intranet access on a guest network? That seems (at least from a security standpoint) similar to just connecting to the main network. I'm aware of YazFi having an option for one-way access, though I don't use it due to utilizing IPv6 and being unfamiliar with creating custom IPTable rules.

I apologize if this has been answered before, but I couldn't manage to find a thread detailing this.

 

[bennor]

If you search through past discussions you'll see that there are some who want or need the capability of enabling Intranet access from the Guest Nework:
https://www.snbforums.com/search/10...t&c[child_nodes]=1&c[nodes][0]=37&o=relevance

Various reasons people have for using the Access Intranet on Guest Network include certain IoT devices that have a base station that uses an Ethernet rather than WiFi connection.

IF one isn't using AiMesh or AP nodes, and one's router is supported by Asus-Merlin firmware, one can use YazFi add-on script on Asus-Merlin firmware to extend the Guest Network features and have more granular control over the Guest Network options and settings. This includes using custom scripting to allow access to/from the YazFi Guest Nework (or it's clients) to specific clients on the main LAN.

YazFi - YazFi v4.x

v4.4.4 Updated 2023-11-26 Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to: * Dedicated VPN WiFi networks * Separate subnets for organisation of devices * Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS * Allow guest networks...

www.snbforums.com

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

 

[Deetlemore]

That's where my confusion lies as I don't understand how a guest network with intranet access is any different than just connecting to the main network.

I'm aware of YazFi, I mentioned that I don't use it due to the ramifications of using it with IPv6.

 

[bennor]

That's where my confusion lies as I don't understand how a guest network with intranet access is any different than just connecting to the main network.

Some people may have their own requirements or desires to use the Guest Network but have access intranet enabled. Better to have the option than not have it. Personally I don't see the need or reason to enable that option while using Guest Networks but someone else might/may.

Just speculating but one option may be certain WiFi clients support a specific security protocol so one may want to isolate those WiFi clients to the guest network and use a different security protocol for the main LAN WiFi network. For example main LAN wifi using WPA3 where as Guest Network uses WPA. Or maybe they want to enable bandwidth limiter on certain WiFi clients or limit their access time on mass.

 

[ColinTaylor]

That's where my confusion lies as I don't understand how a guest network with intranet access is any different than just connecting to the main network.

Essentially it's not. However it does give you the option to setup temporary access to your network for "guests" using a different or time limited password, rather than giving them your normal password. You can also quickly turn the guest network off without taking down your main WLAN.