How do Guest Networks work on the technical level behind the scenes?

TikingAlien007

Occasional Visitor
Hello,

It looks like Asus routers have 6 guest networks and from what I can see in the options you can turn on or off network isolation, which I presume would only block ICMP or all packets reaching from one host to another on the same guest network you are connected to?

My main question is this: do all the guest networks share the same wireless network and can they reach other hosts independent of the SSID used or not, depending on whether you select the isolation option? Are all the SSIDs true guest networks where each SSID has its own set of devices that is only visible to that network, so for example Guest 2 can only see devices connected to Guest 2 but not the other ones?

I know the explanation is a bit chaotic and all over the place, but I'm looking for clarification on how the guest networks work behind the scenes on a more in-depth technical level.

Thanks
 
Each guest network is created from a separate virtual interface (wl0.1, wl0.2, wl0.3, wl1.1, wl1.2, wl1.3). There is no communication between them other than what is allowed by bridging, routing and firewall rules.
 
They use several layers of isolation. It differs for Guest Wireless 1 vs. GW 2 and 3 (and 4 if the router has it). But I've poked around in them a lot and they do provide very good security. Clients in a guest network can't even do an ARP for any IP on any other network (LAN or other guest), which pretty much blocks all traffic; then there are two layers of firewall (ebtables and iptables) plus AP isolation, which prevents the clients on the same guest network from talking to each other. GW1 uses VLAN isolation, whereas GW 2/3/4 use virtual bridge interfaces in the same subnet and rely a bit more heavily on the firewall and ARP filtering (since there is no routing involved). They accomplish the same thing in the long run, just a bit different path to it.

The new pro models are a bit different, from what I can see on those all guest networks use the VLAN isolation model of GW1 on the non-pro models.
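The bridge layout described in the post above can be checked from the router's own shell. The following audit helper is an added example for this thread, not code from the thread, from Asus or from Merlin. It assumes an SSH shell with busybox awk, brctl, ebtables and iptables (present on stock and Merlin firmware), that guest SSIDs show up as wl<radio>.<n> virtual interfaces as stated above, and that bridge names follow the br0/br1/br2 pattern used later in this thread; the `brctl show` sample in the usage note is constructed.

```shell
#!/bin/sh
# Added guest-network audit helper (not from the thread, Asus or Merlin).
# Assumes a router shell with busybox awk, brctl, ebtables and iptables, and
# guest SSIDs exposed as wl<radio>.<n> virtual interfaces as described above.

# guest_bridge_map: read `brctl show` output on stdin and print "iface bridge"
# for each guest virtual interface. brctl prints the first member on the
# bridge's own line and further members on continuation lines that hold only
# the interface name, so the bridge name is carried forward until the next
# bridge line.
guest_bridge_map() {
  awk 'NR > 1 {
         if (NF >= 3) { bridge = $1; iface = (NF >= 4) ? $NF : "" }
         else         { iface = $1 }
         if (iface ~ /^wl[0-9]+\.[0-9]+$/) print iface, bridge
       }'
}

# shared_bridge_pairs: read guest_bridge_map output on stdin and print
# "ifaceA ifaceB bridge" for guest SSIDs that sit in the same bridge. No
# routing step separates those pairs; only ebtables and AP isolation keep
# them apart, so their layer-2 rules are the ones worth inspecting.
shared_bridge_pairs() {
  awk '{ if ($2 in first) print first[$2], $1, $2; else first[$2] = $1 }'
}

# rules_mentioning: dump the ebtables rules and iptables FORWARD rules that
# name a given interface or bridge; this is where per-SSID isolation and any
# exceptions to it are expressed.
rules_mentioning() {
  for t in filter broute; do ebtables -t "$t" -L 2>/dev/null | grep -F -- "$1"; done
  iptables -S FORWARD 2>/dev/null | grep -F -- "$1"
  return 0
}

# Run on the router as: sh guest_audit.sh audit
if [ "${1:-}" = "audit" ]; then
  brctl show | guest_bridge_map > /tmp/guest_map.$$
  echo "# guest interface -> bridge"; cat /tmp/guest_map.$$
  echo "# guest SSIDs sharing a bridge (layer-2 isolation only)"
  shared_bridge_pairs < /tmp/guest_map.$$
  while read -r iface bridge; do
    echo "# rules for $iface ($bridge)"
    rules_mentioning "$iface"; rules_mentioning "$bridge"
  done < /tmp/guest_map.$$
  rm -f /tmp/guest_map.$$
fi
```

On a 386-era non-pro router the map is expected to show wl0.1/wl1.1 in their own bridges (the VLAN-isolated GW1) and wl0.2, wl0.3, wl1.2, wl1.3 alongside the LAN in br0, which is exactly the difference between the two isolation models described above; a guest interface that unexpectedly shares br0 with nothing but ebtables rules protecting it is the case to look at closely.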
 
Also, if you use AiMesh with a Guest network, I think not all the guest network slots support roaming between the nodes.
 
Correct, only GW1 will propagate to the nodes. That's why it was revised to use VLANs etc. (before 386 code they all just used the same isolation model that could not propagate to other nodes).
 
@drinkingbird Thanks for the detailed explanation, it helps a lot. However, I have one more question if you don't mind.

I was looking around and noticed in a topic about YazFi and Guest Networks that apparently the 1st Guest Network of each band (2.4 GHz and 5 GHz) is used for AiMesh and it is not isolated from the rest of the guest networks, as it can communicate with them as there's no isolation. Also, from what I read, the 1st Guest Network apparently uses a different subnet with some strange VLAN and its implementation is done by ASUS themselves.

If such is the case, is the true total number of guest networks 4 and not 6 due to the lack of isolation on the 1st ones on each band? Is this correct or am I misconstruing something?
 
I think we already discussed this in another thread. Guest Network 1 can still be isolated, in fact it is more isolated than 2 or 3. It can also be propagated to other nodes (and still be isolated) if you use AiMesh. Guest 2 and 3 cannot be propagated to other nodes, they only exist on the main router, but they are isolated from 1 and from the LAN.

Note that as far as I know with Yazfi you cannot propagate isolation/guest networks to other nodes, that is not supported by Yazfi, only the standard/stock guest network 1. Yazfi does however support isolation on the main router on all guest networks and gives you some more control over how much/little isolation you want. It also lets you assign the subnets you want (where stock guest network 1 uses 192.168.101.x and 192.168.102.x and you can't change those without doing scripting).

So depending on your needs, one or the other may be a better fit for you.
 
Hi, first time posting on this forum and network noob here (so apologies in advance for dumb questions).

I set up a guest network (Guest Network 1) to segregate all the IoT devices from the main network, but I want them to communicate only with one device (2-way communication indeed) on the main network (I also want the IoT devices not to see each other). Can you please explain to me/point me to a guide on how to allow this type of communication?

I am using the stock firmware on my ASUS RT-AX56U router.

Thanks
 
The IOT devices can't see each other, that is a built in feature when you have "Access Intranet = Disabled".

If you want 2-way communication to the LAN with stock firmware, you must allow 2-way communication to all devices (which will also let the IoT devices see each other).

If you need more flexibility than that, you need to move to Merlin firmware and use firewall scripts to allow the communication to that single device.
 
Great. So, if I understand correctly, the firewall script will supersede the 'Access Intranet = Disabled' feature but only for the devices declared in such script, correct?

Is there any guide to write such a script? I'd like to allow the IoT devices (which are on guest network 1 with subnet 192.168.101.x/24) to communicate with my Raspberry Pi, which is on the main network with static IP 192.168.50.2.

Thanks
 
Use the forum search, there are various posts on writing scripts to perform various actions.

If you want more control over Guest Network(s) and are not using AiMesh then you may want to consider installing Asus Merlin firmware (if your router is supported) then using the addon script YazFi. The YazFi script extends the features of Guest Networks. It has some extended scripting options to allow communication from one or more YazFi Guest Network clients to specific main LAN clients. If one is using Pi-Hole or similar on the Raspberry Pi, YazFi allows one to set the YazFi DNS values to that Pi-Hole for adblocking. Use the forum search, there are a number of discussions on using scripting with YazFi and for scripting communication between YazFi clients and the main LAN.
https://www.asuswrt-merlin.net/
https://github.com/jackyaz/YazDHCP
https://www.snbforums.com/threads/yazfi-v4-x-continued.83846/
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
https://github.com/jackyaz/YazFi/wiki/Setting-up-YazFi-with-PiHole-and-Reverse-DNS-records
 
I've used the Search thread function indeed but I couldn't find the information in the 4th link you posted...apologies.

At the moment I am not using AiMesh at all, so I'll flash Merlin and use YazFi. Just to understand, the AiMesh would not work with YazFi only for the guest networks or even for the main one?

Thanks
 
I think yazfi only lets you set all communication allowed, not specific IPs, but not positive on that.

Here is my firewall-start script to allow printing from guest network to my main network printer. Note this is for Guest Wireless 1 only (and only 5 GHz in my case, but it could be set to do 2.4 GHz also). It will not work with Guest Wireless 2 or 3 since those use a very different configuration.

If you want to use Yazfi, you can use a similar script but you'll probably need to modify the rules that Yazfi adds (or ensure these are above those rules, which they will be). So you can probably use Yazfi, leave access blocked, then add these. But you'll need to research what the rules look like after yazfi install and modify as needed.

Code:
#!/bin/sh
# firewall-start: open only the printer (10.0.0.5) to clients on Guest Wireless 1,
# 5 GHz (virtual interface wl1.1, bridged as br2), for raw printing and SNMP.
PRINTER=10.0.0.5
GUEST_BR=br2       # layer-3 side: the bridge the guest subnet is routed from (iptables)
GUEST_IF=wl1.1     # layer-2 side: the guest SSID's virtual interface (ebtables)

# Delete any existing copy before inserting, so re-running firewall-start
# (which happens on every firewall restart) does not stack duplicate rules.
allow() {  # $1 = protocol, $2 = destination port
    iptables -D FORWARD -i "$GUEST_BR" -d "$PRINTER" -p "$1" --dport "$2" -j ACCEPT 2>/dev/null
    iptables -I FORWARD -i "$GUEST_BR" -d "$PRINTER" -p "$1" --dport "$2" -j ACCEPT
    ebtables -t broute -D BROUTING -p IPv4 -i "$GUEST_IF" --ip-dst "$PRINTER" --ip-proto "$1" --ip-dport "$2" -j ACCEPT 2>/dev/null
    ebtables -t broute -I BROUTING -p IPv4 -i "$GUEST_IF" --ip-dst "$PRINTER" --ip-proto "$1" --ip-dport "$2" -j ACCEPT
}

allow tcp 9100   # raw/JetDirect printing
allow tcp 161    # SNMP over TCP, as in the original rules
allow udp 161    # SNMP is normally UDP; the original had only the iptables half of this pair, so the ebtables rule is added to mirror the tcp ones
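Once exceptions like the ones above are in place, the thing to verify is that they are the only ones. The check below is an added example for this thread, not code from the thread, from Asus or from Merlin. It reads the live `iptables -S FORWARD` and `ebtables -t broute -L` output, lists every ACCEPT rule whose input interface is the guest bridge (br2) or the SSID interface (wl1.1), and prints those not on an allow-list file you maintain; the five-field allow-list format, the file path and the sample rule lines in the usage note are assumptions/constructed.

```shell
#!/bin/sh
# Added guest-network exception audit (not from the thread, Asus or Merlin).
# Assumes iptables and ebtables are present and that exceptions are ACCEPT
# rules naming the guest bridge (br2) or the SSID interface (wl1.1), as in
# the firewall-start script above.

# allowed_exceptions: read `iptables -S FORWARD` and/or `ebtables -t broute -L`
# output on stdin and print one line per ACCEPT rule whose input interface is
# $1, as "iface oif dst proto port" with "any" for unset fields. Both tools
# print rules as option tokens, so one token walk covers both formats; a
# negated "! -i" is skipped so it cannot masquerade as a match.
allowed_exceptions() {
  awk -v want="$1" '
    /-j ACCEPT/ {
      iface = ""; oif = "any"; dst = "any"; proto = "any"; port = "any"
      for (i = 1; i < NF; i++) {
        if      ($i == "-i" && (i == 1 || $(i - 1) != "!")) iface = $(i + 1)
        else if ($i == "-o")                                 oif   = $(i + 1)
        else if ($i == "-d" || $i == "--ip-dst")             dst   = $(i + 1)
        else if ($i == "-p" || $i == "--ip-proto")           proto = $(i + 1)
        else if ($i == "--dport" || $i == "--ip-dport")      port  = $(i + 1)
      }
      if (iface == want) print iface, oif, dst, proto, port
    }'
}

# unexpected_exceptions: keep only the allowed_exceptions lines (stdin) that
# are absent from the allow-list file $1, which holds one line per intended
# exception in the same five-field format (e.g. "br2 any 10.0.0.5/32 tcp 9100").
unexpected_exceptions() {
  grep -v -x -F -f "$1" || true
}

# Run on the router as: sh gw_exceptions.sh br2 /jffs/gw_allow.txt
# (and again with wl1.1 for the layer-2 rules). Any output is a rule that
# nobody put on the allow-list.
if [ $# -eq 2 ]; then
  { iptables -S FORWARD; ebtables -t broute -L; } 2>/dev/null \
    | allowed_exceptions "$1" | unexpected_exceptions "$2"
fi
```

The allow-list for the printer script above would hold the WAN rule plus the three printer entries; a stray rule such as an SSH exception to another LAN host left over from testing then shows up in the output, which is the kind of silent hole "Access Intranet = Disabled" users rarely notice.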
 
Each guest network is created from a separate virtual interface (wl0.1, wl0.2, wl0.3, wl1.1, wl1.2, wl1.3,). There is no communication between them other than what is allowed by bridging, routing and firewall rules.

Yes, and the AP isolation switch disables bridging for the selected VLAN/BSSID.

With AP isolation, the attached clients drop traffic that is not directly from the internet.
 
I have the AX86U running in Access Point mode (with a LAN cable to my fiber provider box), so my Guest networks do not have the access-intranet option available to select.
Does this mean by default that any devices on Guest_1 have their access-intranet always forced to disabled? (which is what I want)
 
Nope, in your case there is no isolation between devices in the current setup, since there is no way to isolate traffic between different WiFi names.
 