how to restrict access of intranet in DHCP or WIFI

hotsauce2007

Regular Contributor
Hi

How can we restrict the intranet access for users who are connected using the cable or WIFI? Is the best way just to set a password for the Windows network or a group?

I was planning to restrict access to the home network to only some MAC addresses saved in my DHCP, is it possible?
 
The Guest Wi-fi network has this option.
Just connect restricted devices to the guest SSID.
Don’t think there is a simple option for cabled devices though.


Sent from my iPhone using Tapatalk
 
The Guest Wi-fi network has this option.
Just connect restricted devices to the guest SSID.
Don’t think there is a simple option for cabled devices though.


Sent from my iPhone using Tapatalk

Yah, but I don't want to create a guest wifi, just use the same wifi as me, any idea?
The cabled devices are step 2, way further on to block; the main desire is the wifi devices such as cellphones and tablets from family / friends who don't live over here
 
Why not use the guest Wi-fi!?
I use it for the exact reason you describe - any friends etc go on the guest SSID. That is what it is designed for!!!!


Sent from my iPhone using Tapatalk
 
Why not use the guest Wi-fi!?
I use it for the exact reason you describe - any friends etc go on the guest SSID. That is what it is designed for!!!!


Sent from my iPhone using Tapatalk


Too late, a lot of friends and family have the main password and if I change it I will have to change the password for more than 70 devices at home, which include all the home automation and more features, :eek::D
I have 3 AC68U at home, two in AP mode and the main router using Merlin ultimate FW. I wish I could just set a list of which devices would access the intranet. I'm not afraid of hacking stuff, I'm more concerned about someone getting into the home module or the security module and messing with something, even with the admin password that I've set for each step. Here is the part of the problem

https://hardforum.com/threads/post-your-workstations-2016.1887080/page-8#post-1042912905
 
I’d be changing the password if I were you! 70 devices to update once for a perfect solution VS hacking about and probably having to mess and manage the security of multiple devices individually (and for future devices too).


Sent from my iPhone using Tapatalk
 
I’d be changing the password if I were you! 70 devices to update once for a perfect solution VS hacking about and probably having to mess and manage the security of multiple devices individually (and for future devices too).


Sent from my iPhone using Tapatalk

Yah, I just don't feel comfortable making 3 more guest wifi just for friends and family. Also I've already set the DNS filter for all of the devices except the ones that I use daily, to protect the network and devices from bad stuff on the internet. I was living alone with my devices and now I have company for a couple of years :confused::)
 
Yah, I just don't feel comfortable making 3 more guest wifi just for friends and family
Even if you use a Guest Wi-Fi on your AP's the clients still won't be isolated from the intranet. The only way to make this work the way you want is to replace your Asus equipment with devices that support VLANs.
 
Even if you use a Guest Wi-Fi on your AP's the clients still won't be isolated from the intranet. The only way to make this work the way you want is to replace your Asus equipment with devices that support VLANs.

This option doesn’t do anything then!!??
[Attached image]



Sent from my iPhone using Tapatalk
 
That is quite the oversight, however I can see why as the AP is effectively a L2 device and so not necessarily aware of the default gw (or even L3).
I wonder if in the new AiMesh feature this is solved...?


Sent from my iPhone using Tapatalk
 
That is quite the oversight, however I can see why as the AP is effectively a L2 device and so not necessarily aware of the default gw (or even L3).
Exactly. The AP would have to mark the packets in some way that the gateway understood so it could differentiate guest from non-guest traffic, which is why I suggested VLANs. I don't know how other products do it but VLANs would seem the obvious solution without having to resort to proprietary solutions.

I wonder if in the new AiMesh feature this is solved...?
Yes, that will be interesting to see.
 
Exactly. The AP would have to mark the packets in some way that the gateway understood so it could differentiate guest from non-guest traffic, which is why I suggested VLANs. I don't know how other products do it but VLANs would seem the obvious solution without having to resort to proprietary solutions.

I was thinking if the AP had some L3 awareness it would simply only allow packets between Guest Clients and the IP (and/or MAC learnt from ARP) of the Default GW in its own local IP configuration. This has some inherent limitations but for 99% of users that just have a main router doing normal DHCP and a single subnet etc plus some range extending AP's it should work.

As you say, VLAN's would be the proper way though. It's a shame they are not in AsusWRT/Merlin, it's the one major thing missing IMO.
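
The gateway-only filtering idea in the post above, written out as bridge-level rules (an added example, not posted in the thread and not taken from Asus or Merlin firmware). It assumes the AP has ebtables and exposes the guest SSID as its own interface, here called wl0.1; the gateway IP and MAC are constructed values.

```shell
#!/bin/sh
# Prints ebtables rules that let guest-SSID clients exchange frames only with
# the default gateway. Nothing is applied: review the output, then pipe it to sh
# on the AP. Interface name, IP and MAC below are assumptions for illustration.

guest_isolation_rules() {
    gif="$1"; gw_ip="$2"; gw_mac="$3"

    # Refuse malformed input rather than emit a rule that silently matches nothing.
    [ -n "$gif" ] || { echo "missing guest interface" >&2; return 1; }
    echo "$gw_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "invalid gateway IP: $gw_ip" >&2; return 1; }
    echo "$gw_mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || {
        echo "invalid gateway MAC: $gw_mac" >&2; return 1; }

    cat <<EOF
# Guest -> wired side: ARP for the gateway only, DHCP requests, unicast to the gateway
ebtables -A FORWARD -i $gif -p ARP --arp-ip-dst $gw_ip -j ACCEPT
ebtables -A FORWARD -i $gif -p IPv4 --ip-proto udp --ip-dport 67 -j ACCEPT
ebtables -A FORWARD -i $gif -d $gw_mac -j ACCEPT
ebtables -A FORWARD -i $gif -j DROP
# Wired side -> guest: only frames whose source is the gateway
ebtables -A FORWARD -o $gif -s $gw_mac -j ACCEPT
ebtables -A FORWARD -o $gif -j DROP
EOF
}

# Constructed sample values: guest interface, gateway IP, gateway MAC.
guest_isolation_rules wl0.1 192.168.1.1 00:11:22:33:44:55
```

The rules only cover frames the AP bridges between the guest interface and its other ports, so they depend on the main router being both the gateway and the DHCP server, as the post assumes.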
 
If the APs are being used exclusively for internet-only use then they could be set up in router mode and the network services filter configured to block access to the upstream LAN.
 
