How do I isolate clients on guest wifi?

MikeInNJ

Occasional Visitor
I've done a lot of searching and reading but I haven't been able to figure out a clear answer to this question. I have an RT-AC68U router running 378.55 (because it's stable and I haven't needed to upgrade).

I'd like to be able to prevent clients on the guest wifi from being able to communicate with each other. I did a quick test, and right now guest network clients can see each other.

"Set AP Isolated" under the Professional tab affects both the guest and non-guest networks, and I'd prefer not to isolate wifi clients on the non-guest network.

Is there any way to do this via command line? Is there some other way to do it? Setting up a bunch of guest SSIDs is something I'd like to avoid.

Thanks!
 
Can the guest network clients still communicate with each other even when you have "Access Intranet" = No for the guest network?

How many clients are you talking about, because if 6 or less, one option might be to put each on its own guest network with Access Intranet turned off for all guest networks.
 
Can the guest network clients still communicate with each other even when you have "Access Intranet" = No for the guest network?

Yes, they can still communicate with each other when "Access Intranet" = No for the guest network

How many clients are you talking about, because if 6 or less, one option might be to put each on its own guest network with Access Intranet turned off for all guest networks.

This is something I'm trying to avoid if I can.
 
Try upgrading your firmware, as I think the Access Intranet setting was broken at some point. That option on the Guest Network page is what you need (it must be set to "No").
 
Try upgrading your firmware, as I think the Access Intranet setting was broken at some point. That option on the Guest Network page is what you need (it must be set to "No").
OK, I'll try it.

But just to be clear, I am trying to isolate guest network clients from one another. "Access Intranet = No" already seems to be blocking guest network clients from accessing the non-guest network clients connected to the router. So my assumption had been that it was working properly.

Thanks
 
OK, I'll try it.

But just to be clear, I am trying to isolate guest network clients from one another. "Access Intranet = No" already seems to be blocking guest network clients from accessing the non-guest network clients connected to the router. So my assumption had been that it was working properly.

In that case, no, Guest network doesn't allow you to block only access between themselves. The AP isolation option is only available globally, not on a per-guest network basis.

It might be doable through scripting, but I don't know as I've never looked into it.
 
In that case, no, Guest network doesn't allow you to block only access between themselves. The AP isolation option is only available globally, not on a per-guest network basis.

It might be doable through scripting, but I don't know as I've never looked into it.
Got it. Thanks for the clarification. I'm mainly interested in this because I try to put cloud accessible devices/appliances onto the guest wifi when they don't need intranet access. I thought isolating these devices from each other wouldn't be a bad idea either.
 
Will be tricky to script in iptables as AsusWRT does not use separate IP ranges for guests, otherwise would be not too hard to create a drop rule for destinations of 192.168.n.n
 
Will be tricky to script in iptables as AsusWRT does not use separate IP ranges for guests, otherwise would be not too hard to create a drop rule for destinations of 192.168.n.n

People were probably using ebtables to accomplish it.
 
I was not able to reproduce the issue of access between guests.
I have just tested and was not able to ssh between 2 of my machines on same guest network (works fine when both on my regular WiFi).

I am running latest Merlin on AC56U.
 
I was not able to reproduce the issue of access between guests.
I have just tested and was not able to ssh between 2 of my machines on same guest network (works fine when both on my regular WiFi).

I am running latest Merlin on AC56U.

I think what the OP wants to achieve is a bit different. He wants this scenario:

- Wifi guest 1 cannot connect to Wifi guest 2
- Wifi guest 1 can connect to an Ethernet-connected NAS, printer or computer

The Access Intranet setting would also block access to his Ethernet-connected LAN devices.
 
I'm running RT-AC68U 380.64

I want to isolate IOT clients on the Wireless Guest network from each other (2.4Ghz)
Access Intranet is set to disabled. Set AP Isolated NO (default)

Connect to Guest Network
Use Net Analyzer on iOS - Lan Scan

Result: I CAN see all the devices on the guest network.

Set AP Isolated Yes for 2.4Ghz Band
Retest

Result: I CANNOT see the devices on the guest network, but this also affects the regular 2.4Ghz network.

Is there a way to make Set AP Isolated take effect for just the 2.4Ghz Guest Network?

Workaround when Set AP Isolated= Enabled for 2.4Ghz - Have clients connect to 5Ghz band which allows access to devices connected to 2.4Ghz band (IOT devices)
 
Disable "Access Intranet" on the Guest configuration.
 
As I mentioned, Access Intranet was set to Disabled.

I am running most all my IoT on an ASUS N66 running Merlin's latest.

I have all six guest network SSIDs enabled. Access Intranet on all SSIDs is set to disabled.

When I run the FING app on my tablet and connect using one of the guest SSIDs and scan the network, all it sees are the devices connected to the same SSID. It does not see any of the devices connected to other SSIDs nor does it see any of the devices connected to the router's LAN ports.

When I go to the router's connected devices list it does show me all the devices connected to the router, either on regular SSIDs, Guest network SSIDs or Ethernet LAN ports.

In my opinion the isolation is working with the guest networks.
 
I am running most all my IoT on an ASUS N66 running Merlin's latest.

I have all six guest network SSIDs enabled. Access Intranet on all SSIDs is set to disabled.

When I run the FING app on my tablet and connect using one of the guest SSIDs and scan the network, all it sees are the devices connected to the same SSID. It does not see any of the devices connected to other SSIDs nor does it see any of the devices connected to the router's LAN ports.

When I go to the router's connected devices list it does show me all the devices connected to the router, either on regular SSIDs, Guest network SSIDs or Ethernet LAN ports.

In my opinion the isolation is working with the guest networks.

Yes, I agree that the guest network is separated from the host network.

I want more security for IOT devices. If they can locate each other on the guest network, then infecting each other is possible.
 
I'm running RT-AC68U 380.64

Is there a way to make Set AP Isolated take effect for just the 2.4Ghz Guest Network?

Set AP Isolated NO for 2.4Ghz Band
and
wl -i wl0.1 ap_isolate 1
wl -i wl0.2 ap_isolate 1
wl -i wl0.3 ap_isolate 1

Try this on telnet or SSH.
Maybe this is what you want.
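
The per-interface commands from the reply above, wrapped so each setting is read back after it is applied. This is an added example, not part of the original post or the firmware; the `WL` override and the function names are assumptions, as is `wl` printing `0` or `1` when queried without a value.

```shell
#!/bin/sh
# Added example: per-guest-interface AP isolation, applied and then verified.
# WL and the function names below are assumptions of this sketch.
WL="${WL:-wl}"   # overridable so the logic can be exercised off-router

# Print the current ap_isolate value for one interface ("?" if unreadable).
# Assumes `wl -i IF ap_isolate` with no value prints the setting as 0 or 1.
get_isolation() {
    v=$("$WL" -i "$1" ap_isolate 2>/dev/null) || v=""
    case "$v" in
        0|1) echo "$v" ;;
        *)   echo "?" ;;
    esac
}

# Enable isolation on each named guest interface and confirm it took effect.
# Returns the number of interfaces that are NOT isolated afterwards.
isolate_guest_ifaces() {
    failed=0
    for ifc in "$@"; do
        "$WL" -i "$ifc" ap_isolate 1 2>/dev/null || true
        if [ "$(get_isolation "$ifc")" = "1" ]; then
            echo "$ifc: isolated"
        else
            echo "$ifc: NOT isolated (guest SSID disabled or interface down?)" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run as: sh guest-isolate.sh apply
# Interface names are the ones given in the thread (2.4GHz guest networks).
if [ "${1:-}" = "apply" ]; then
    isolate_guest_ifaces wl0.1 wl0.2 wl0.3
fi
```

Values set with `wl` live in the running driver rather than in saved configuration, so the script has to be run again after a reboot or a wireless restart; a non-zero exit status means at least one guest interface is still not isolated.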
 
Yes, I agree that the guest network is separated from the host network.

I want more security for IOT devices. If they can locate each other on the guest network, then infecting each other is possible.

I divide the IoT devices among the 6 guest networks. I have one SSID I use for new devices until I determine how they behave or see any risky behavior.
 
