How to give Guest Wi-Fi Internet Access to 2nd router (VLAN)

[WillyTP]

Hello everybody.
I'm trying to setup properly my home network.
I'll resume a bit the conversation I'm making here.
Actually at home I've a RT-AC87U, RT-AC68U (which I were going to sell.... but maybe I'll give back the AC87U), an RT-N10U and I should get a RT-N66U to replace the current RT-N10U.
Hope not to make excessive mess while describing!

My network is configured like this:
1)My ISP Modem / Router, configured as bridged modem only, with IP 192.168.0.1
2)Main Router, Asus RT-AC87U, which makes the PPPoE connection, IP 192.168.1.1, provides DHCP and Wi-Fi for all my devices.
3)Secondary router configured as Access Point only, an Asus RT-N10U (in the next days a RT-N66U), IP 192.168.1.101, physically connected via ETH cable LAN/LAN port.

The second device, RT-N10U, is needed for two things:
1)Covering via Wi-Fi another area of my home which the first router doesn't reach (I'm using the same SSID in order to provide Wi-Fi roaming); here I need the full Internet + Intranet access;
2)Giving Wi-Fi access to my guests, which I want to be restricted to Internet only.
It is not used for giving any wired LAN access.

Here we go to the point.
As far as I've read in the linked post, the way to achieve what I need seems to be fine by using Tomato firmware.
Soon I'm going to try it.

Would it be possibile too by using two routers running AsusWRT-Merlin, primary one configured as router and second one as Access Point?
As far as I've read around I'd need to enter some command line strings in order to make VLANs properly working, but actually I've no clue on how to make it.
I'm a long time Merlin user, I'd be sorry to change it since I'm quite used with it.

Thanks to all for the patience in responding.

Best regards

 

[Katmeat]

Why not just use the Guest Network feature built into the Asus/Merlin firmware?

 

[ColinTaylor]

Would it be possibile too by using two routers running AsusWRT-Merlin, primary one configured as router and second one as Access Point?

No. Asus' and Merlin's firmware do not support VLANs.

 

[TheUntouchable]

No. Asus' and Merlin's firmware do not support VLANs.

Completely wrong, the gui does not have options for that, but of course you can configure VLANs over the console!

 

[ColinTaylor]

Completely wrong, the gui does not have options for that, but of course you can configure VLANs over the console!

I chose my words quite deliberately . Asus and Merlin don't support user VLANs. If you think otherwise please show me any documentation from Asus or Merlin that says otherwise.

Now I am not saying that it's not possible to create VLAN's, but it requires using undocumented and unsupported commands (like robocfg) that vary from router to router. This is different from say, user scripts or custom configuration files, which are supported and documented.

But if you think it's straight forward please go ahead and answer the OP's question.

 

[TheUntouchable]

I chose my words quite deliberately . Asus and Merlin don't support user VLANs. If you think otherwise please show me any documentation from Asus or Merlin that says otherwise.

Now I am not saying that it's not possible to create VLAN's, but it requires using undocumented and unsupported commands (like robocfg) that vary from router to router. This is different from say, user scripts or custom configuration files, which are supported and documented.

But if you think it's straight forward please go ahead and answer the OP's question.

Okay, perhaps I had choosen my words not as deliberately as you
Official creating and maintaining VLANs is not supported by Asus or Merlin, thats right. But at least its possible on the most models to create and configure them. Here at the forum are a lot of threads with examples about that But as you have said, it's not that easy

 

[WillyTP]

I was hoping that by using Merlin on two Asus routers, with almost identical configuration, would have been not excessively difficult to setup a VLAN.
I understand that's not.
Thanks anyway

 

[Jack Yaz]

Why not just use the Guest Network feature built into the Asus/Merlin firmware?

 

[ColinTaylor]

@Jack Yaz @Katmeat
A guest network would be ineffective because of the way he has linked his devices together.

 

[WillyTP]

For the sake of knowledge, there is a way in which I may partially accomplish what I need by connecting the first router to the second one via LAN <-> WAN?
Even a single WiFi for guests and myself, without intranet access to anyone?

 

[ColinTaylor]

No, because your primary router (RT-AC87U) has no way of distinguishing guest traffic from non-guest traffic when it is coming from your secondary router (RT-N10U).

You would have to create the guest network on your primary router (RT-AC87U).

Edit: See below.

 

[Jack Yaz]

No, because your primary router (RT-AC87U) has no way of distinguishing guest traffic from non-guest traffic when it is coming from your secondary router (RT-N10U).

You would have to create the guest network on your primary router (RT-AC87U).

Could you not set a guest network on the AP to use a different subnet (through script), and then set appropriate firewalls on the primary router to allow the guest subnet to talk to the WAN? The AP could also have firewall rules to prevent communication with anything other than WAN/primary router.

Would that work?

 

[ColinTaylor]

Could you not set a guest network on the AP to use a different subnet (through script), and then set appropriate firewalls on the primary router to allow the guest subnet to talk to the WAN? The AP could also have firewall rules to prevent communication with anything other than WAN/primary router.

Would that work?

Interesting idea. Technically if the AP was on a different subnet then it's effectively the same as being in router mode. But that would probably work.

If the RT-N10U was configured as a router on 192.168.2.x and the cables connected as normal (RT-AC87U LAN to RT-N10U WAN), then you could probably use the Network Services Filter on the RT-N10U to block access to 192.168.1.x.

Good idea.

It does mean that the RT-N10U can only be used as a guest gateway device with no access to the main intranet.

 

[Jack Yaz]

Interesting idea. Technically if the AP was on a different subnet then it's effectively the same as being in router mode. But that would probably work.

If the RT-N10U was configured as a router on 192.168.2.x and the cables connected as normal (RT-AC87U LAN to RT-N10U WAN), then you could probably use the Network Services Filter on the RT-N10U to block access to 192.168.1.x.

Good idea.

It does mean that the RT-N10U can only be used as a guest gateway device with no access to the main intranet.

Point noted re. Ap mode (not used myself so I don't know what options are available). And the caveat re. Nothing but guest access makes OP's point 1) not possible, so perhaps not such a good suggestion of mine!

 

[ColinTaylor]

Point noted re. Ap mode (not used myself so I don't know what options are available). And the caveat re. Nothing but guest access makes OP's point 1) not possible, so perhaps not such a good suggestion of mine!

Well he did say that as a compromise solution he would accept just "a single WiFi for guests and myself, without intranet access to anyone".

 

[The H-Man Cometh]

When running an Asus router in AP Mode, many of the configuration options found in Router Mode no longer appear... perhaps for obvious reasons (e.g., they don't apply to AP Mode, etc.). But the ability to create Guest Wi-Fi Networks does NOT disappear from the GUI in AP Mode. If a device that connects to one of these AP Mode Guest SSIDs can access all local network resources, then what is the point of using Guest Networks in AP Mode? What is the intended purpose of the Guest Network feature in AP Mode? I ask in relation to the setup described in the OP, where the AP Mode router is hard-wired to the Main Router from LAN-to-LAN ports, and the desired outcome is to extend the overall network's Wi-Fi coverage area while still maintaining both "regular" and (restricted) "guest" access.

 

[RMerlin]

If a device that connects to one of these AP Mode Guest SSIDs can access all local network resources, then what is the point of using Guest Networks in AP Mode?

It allows you to provide them with a different SSID and passphrase, and you can easily either change it afterward, or disable the guest network rather than having to change the password for all your regular devices after your guest leave.