Guest WiFi security in AP mode

Discussion in 'ASUS Wireless' started by colecaz, Feb 14, 2018.

  1. colecaz

    colecaz Regular Contributor

    I'd like to get confirmation of what I'm seeing when I use my Asus RT-AC66U routers in access point mode and enable guest wifi.

    I have a home network of an RT-AC68P for the main router with two RT-AC66Us running in access point mode and hardwired to a 24-port switch. They're all running Merlin 380.69. The APs are connected using one of their LAN ports, which is their only port used. The 24-port switch is connected to one of the AC68P's LAN ports in "router-on-a-stick" fashion to allow internet access for the entire network.

    All three routers/APs have only one 2.4 GHz guest network enabled in addition to the standard wifi. All have the same SSID and password and have Roaming Assistant enabled.

    The problem is the user is isolated from the rest of the network only if the user is connected to the main router's guest SSID. If the user is connected to either of the APs' guest SSIDs, the full network is accessible just like when connected to the primary, non-guest, SSID.

    Can anyone confirm this is normal in this configuration or point out where I'm going wrong? If it's normal there are probably a lot of Asus routers used in AP mode for guest networks that don't have the protection they think they do.
     
  2. RMerlin

    RMerlin Part of the Furniture

    It's a technical limitation. The parent router has no way of controlling what connects to the AP, and vice-versa. For all intents and purposes, a client connected to a separate AP is identical to one connected to an Ethernet port of the main router. The main router has no way of knowing if the client on the AP is connected through the AP's main wifi, guest wifi or Ethernet.
     
  3. colecaz

    colecaz Regular Contributor

    I thought it might be something like that. It looks like a dedicated AP that has VLAN capability, a managed switch, and a router to match is the way I'll need to go.

    Thanks for the quick response, RMerlin. And for your work on the firmware.
     
  4. RMerlin

    RMerlin Part of the Furniture

    If you need better management control, look into a mesh-based solution, where your master node might be able to fully control the child nodes.
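
Added example, not part of the thread or of any poster's setup: a way to check the behaviour described in the first post from a client device, by probing wired LAN services once from the main SSID (baseline) and once from each guest SSID, then comparing. The target addresses, ports and AP labels are constructed placeholders, and the function names are hypothetical.

```python
import socket

# Constructed placeholders: replace with wired LAN services on your own
# network that you know are listening (for example a NAS or printer).
TARGETS = [("192.0.2.10", 445), ("192.0.2.20", 80)]

def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes from this client."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def survey(targets, probe=tcp_reachable):
    """Probe every (host, port) from the SSID this client is joined to."""
    return {target: probe(*target) for target in targets}

def evaluate(baseline, guest):
    """Compare a guest-SSID survey against the main-SSID baseline.

    LEAK         - reachable from the guest SSID
    isolated     - reachable from the main SSID, blocked from guest
    inconclusive - not reachable from either, so the probe proves nothing
    """
    verdicts = {}
    for target, seen_from_guest in guest.items():
        if seen_from_guest:
            verdicts[target] = "LEAK"
        elif baseline.get(target):
            verdicts[target] = "isolated"
        else:
            verdicts[target] = "inconclusive"
    return verdicts

def leaking_aps(baseline, guest_by_ap):
    """Labels of the radios whose guest SSID reached any LAN target."""
    return sorted(ap for ap, guest in guest_by_ap.items()
                  if "LEAK" in evaluate(baseline, guest).values())

if __name__ == "__main__":
    # Run once on the main SSID, then once per guest SSID (pin the client
    # to each AP in turn), and record the printed result for each run.
    print(survey(TARGETS))
```

Because all guest SSIDs in this setup share one name, confirm which AP the client is actually associated with before recording each run.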
     
