Looking for a router with multiple Guest Networks (SSIDs)


TikingAlien007

Hi all,

I'm looking for a new router besides Asus where you can use multiple guest networks for network isolation. I know this can be done on SOHO equipment with a combination of a managed switch and a VLAN-aware access point, but I'm looking for an all-in-one/consumer router type of solution. So far, I only managed to come across the Netgear Orbi Pro series that has 4 built-in VLANs, as well as Asus routers that have 6 guest networks.

Any recommendations?
 

Pretty sure just about every brand has ones that can do this. Not necessarily with VLANs (even the Asus only uses VLANs on one of the guest networks) but a combination of AP isolation and firewall rules.

It has been a common feature for quite a while now.

What are you looking for that Asus doesn't have (or is it a price thing)? If price, look at TP-Link.

Now if you want it to span multiple routers/access points (i.e. a mesh system) that is something you need to buy a specific system to do. Asus can only do isolation across nodes with two of the guest networks (one 5 GHz and one 2.4 GHz), not sure what the limitations of other mesh systems are.
 
I'm looking for routers that have at least 4 guest networks or more; as far as I know, most routers have only 2 guest networks, 1 per band (2.4 GHz and 5 GHz). I don't like that my router has FTP exposed on its WAN port, which on ASUS's stock firmware can't be disabled. Merlin gives you the ability to disable it, but that firmware is usually behind on fixes and patches. You either have the FTP port exposed on the WAN, which is a bad security posture, and stay up to date with patches and fixes, or have the FTP port disabled but stay behind on fixes and patches. It's a you-can't-have-your-cake-and-eat-it-too kind of situation, therefore I'm exploring what's out there. As far as updates go, Asus seems to support their routers with firmware updates for a long time, but I'm getting tired of their basic security mistakes that a company like ASUS should know better than to make.

I managed to find a line of Synology routers, the Synology RT 2600AC as well as the RT 6600AC, which, from what I read, are plagued by bad Wi-Fi performance as well as random firewall failures. I'm not looking for any meshes, but that Netgear I mentioned in my original post acts as a router box + you get a satellite that acts as an access point, and the guest network is super easy to set up with no need for a managed switch.

There don't seem to be that many options with routers that have more than 2 isolated guest networks. I'm looking for a new router that is easy and fast to set up with multiple isolated SSIDs. I'm willing to spend way more money than on a normal router, but it seems like I'm very limited with what's out there.
 
multiple guest networks for a network isolation
@TikingAlien007 - I know you said "...besides Asus...". But my new AX88U PRO seems to do what you want. The FW is still a little buggy, but my testing of multiple wireless VLANs does seem to work. Networks can be isolated or given intranet access.

I have added 5 WIRELESS networks. 4 are "Custom" with their own VLANs. And I'm still testing.

[Attached screenshot: multiple W-vLANs.png]
 
@TikingAlien007, your understanding of RMerlin's security is not correct, by a long shot.

All other consumer/prosumer routers are far below what Asus offers, with respect to security, too.
 
@PunchCardBoss I have so many questions about this screenshot. First of all, is Guest Network Pro a default Guest Network feature, or is it how guest networks operate in the more expensive models? Is it a paid feature? What do you mean a firewall is still a little buggy, are the issues mostly to do with the VLANs or with the normal way you set up the guest networks on the ASUS router? Is that first network without a VLAN still isolated, but the old way? Does your router have any option for creating custom firewall rules?

@L&LD That's the conclusion that I came to when I was trying to find more information about it. From what I understand, ASUS provides some packages/parts of Asus's firmware to RMerlin, which usually can be days, weeks or months behind. Feel free to correct me if I got anything wrong.

Also, yes, that seems to be the case, but that's also a reason why there are so many vulnerabilities in ASUS routers; features are not everything.
 
Asus provides the GPL code to RMerlin. RMerlin can choose to implement additional fixes and often does (ahead of Asus many times).

Look for recent posts (last week or so) about this very topic. Straight from RMerlin too.
 
FWIW, this isn't hard to find if you're willing to look at SMB-grade access points. I'm currently using Zyxel NWA210AX units, which per the manual support up to 64 SSIDs. (You probably don't want to have anywhere near that many because of the airtime all those beacons would consume...) For isolation, I'd tie each SSID to a different VLAN ID. You need a VLAN-aware router or at least a VLAN-aware switch to enforce isolation if you go that route. (Another option is to make a whitelist of which MAC addresses on your LAN can be reached from the guest SSIDs; that doesn't require anything special from the rest of your equipment.)

I understand the attraction of a one-box solution, but you're really limiting your options if you insist on one consumer-grade unit for this. You are almost certainly at the point where you're better off separating the router functionality from the wireless access point(s). You probably needn't even replace your router, if you are happy with what it can do for firewall etc. Just turn off its wifi and plug in separate access points.
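A practical check for what the post above relies on (isolation enforced by a VLAN-aware router/switch, or by firewall rules on the guest SSID), added here as an example and not code from any post or vendor firmware: a Python script run from a laptop joined to the guest SSID that TCP-probes the LAN hosts a guest should not be able to reach. The target addresses and ports are constructed placeholders; substitute your own router, NAS and printer.

```python
"""Probe LAN hosts from a guest-SSID client to confirm the guest isolation holds.

Added example for this thread, not code from any router vendor. Run it on a
laptop joined to the guest SSID; every target that should be isolated and
comes back "open" or "closed" is reachable and therefore a hole.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Sample target list (constructed for illustration, not real addresses from
# the thread): LAN hosts a guest client must not reach, with the ports most
# likely to be listening on each.
LAN_TARGETS = {
    "192.168.50.1": (22, 80, 443),   # router admin interface (assumed address)
    "192.168.50.10": (445, 5000),    # NAS (assumed address)
    "192.168.50.20": (631, 9100),    # printer (assumed address)
}


def probe(host, port, timeout=1.0):
    """Classify one TCP port as seen from this client.

    open     -> connect() succeeded: isolation is not enforced for this host/port
    closed   -> RST came back: the host answered, so L2/L3 reachability exists
                and only this port is shut
    filtered -> no answer at all: what a correctly isolated guest should see
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # timeout, no route to host, ARP failure ...
            return "filtered"


def audit(targets, timeout=1.0):
    """Probe every (host, port) pair concurrently; return {(host, port): verdict}."""
    pairs = [(host, port) for host, ports in targets.items() for port in ports]
    with ThreadPoolExecutor(max_workers=16) as pool:
        verdicts = list(pool.map(lambda hp: probe(hp[0], hp[1], timeout), pairs))
    return dict(zip(pairs, verdicts))


def isolation_holds(results):
    """True only if no probed host answered at all (every verdict is 'filtered')."""
    return all(verdict == "filtered" for verdict in results.values())


if __name__ == "__main__":
    results = audit(LAN_TARGETS)
    for (host, port), verdict in sorted(results.items()):
        print(f"{host}:{port:<5} {verdict}")
    print("guest isolation holds" if isolation_holds(results) else "guest isolation LEAKS")
```

A correctly isolated guest sees "filtered" for every target. "closed" means the host answered with a reset, so L2/L3 reachability exists and only that port happens to be shut; "open" is a straightforward hole. The probe is TCP-only, so it says nothing about UDP-only services or ICMP; treat an all-"filtered" result as necessary evidence, not proof.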
 

Merlin is typically way ahead of Asus on security patches.

Most Asus routers have 3 or 4 guest networks (double that if you consider that 2.4 and 5 GHz can be configured separately). The Yazfi addon gives you more flexibility too if you want it.

The new Asus Pro routers have the pro guest networks too with VLAN segmentation for all etc.

Other than that you're probably going to be looking at Ubiquiti, TP-Link Pro/Omada, Mikrotik, etc. SMB type stuff.
 
First of all, is Guest Network Pro a default Guest Netowork feature or how guest networks operate in the more expensive models
On Asus routers running FW (firmware) 6.102.21514, this is the new Guest WiFi GUI.

See here for Asus instructions: https://www.asus.com/support/FAQ/1049414#:~:text=Login to ASUSWRT and go to Guest Network,guest network" to create a Guest network pro.
Is it a paid feature
It comes standard with the PRO models and (I may be wrong here) AX6000 model. See here for FW release notice: https://www.snbforums.com/threads/asus-gt-ax6000-firmware-version-3-0-0-6-102_21514.85565/

What do you mean a firewall is still a little buggy, are the issues mostly to do with the VLANs or the normal way you setup the guest networks on the ASUS router
FW = Firmware (not Fire Wall). Again, see the thread above for bug observations.

I have noticed 2 anomalies that may or may not be bugs.
  1. While activating both "Guest WiFi" and IoT WiFi networks, IoT devices could not connect. In my case, the IoT device that could not connect was on my DHCP static IP list. So there may be a condition that does not permit the connection of WiFi "IoT Network" devices if they are on a static IP address (or MAC filter perhaps). More study and testing is required. My fix was to create a Guest WiFi Pro "Custom Network" and use it as a Guest WiFi network. It worked alongside my "IoT Network" and all is good with this config.
  2. The Network Services Filter does not seem to register entries. I only tested with "Source LAN IP" as a single IP rather than a pool or subnet (to block internet access). It didn't seem to matter if I chose port 80 or 443 and TCP or UDP. Instead, I used a field in the Network Map area that allows for a single LAN IP address to be blocked from Internet access. It may be that the Network Services Filter no longer records a filter for blocking a single LAN IP from internet access. More testing is required to determine if this is truly a bug or just a new "feature".
My setup is rather simple - a single router connected to two Netgear L2+ "Smart" switches (which I hope to split into 3 VLANs total), and a Synology NAS. Ports 4 and 5 are currently open. No mesh network.
Does your router have any option for creating custom firewall rules ?
Yes, same as the older FW versions.

Is that first network without VLAN still isolated but the old way ?
It seems to be. There is a field in the details area that allows or disallows this condition.

Special Note:
I am still a novice and purchased this router to ease myself into the VLAN world. I also knew this new router had a new "Guest WiFi Pro" GUI that seemed (on paper) to solve the guest WiFi issues of prior FW versions. So I took a gamble.

Now, I have a configuration that seems stable: All stock settings except for 160 MHz ON and Control Channel=40 (not auto) with about 19 manual DHCP assignments and a handful of devices in a MAC address filter. Things seem to be stable now. But I want to give this config some time before further tweaking.
 
Most Asus routers have 3 or 4 guest networks (double that if you consider that 2.4 and 5ghz can be configured separately). The Yazfi addon gives you more flexibility too if you want it.

The new Asus Pro routers have the pro guest networks too with VLAN segmentation for all etc.
I keep hearing about that Yazfi script but what does it actually do or introduce?
How would you setup the VLAN segmentation on the ASUS router ? Do you still need a managed switch for that ?
 
On the pro routers it is in the GUI and no separate switch is needed.

Yazfi (addon, not a script) just adds some additional flexibility to the Asus guest networks in the GUI. It does not enable VLANs, it uses the firewall for isolation like Asus does.

There are ways to get VLANs working on the non pro routers, but what it involves depends on the router model and what you want to do.
 
Why do you even need isolation per client? I never felt like I needed it. I just created a vlan for guest and restrict the whole vlan. Is it just because you can't create a vlan? My thinking is it is just more overhead.
 

The thought is if you don't trust the devices they should not trust each other. Public hotspots always were/are set up this way so most of the guest network designs are based on that.

Technically AP isolation is less load on the AP, it no longer has to handle all the broadcast traffic the devices would normally send between each other since there is no shared GTK connection. That's one of the benefits of using a guest network: you can cut down on a lot of the mDNS and other broadcast garbage that can really bog stuff down when it gets excessive.
 
Technically AP isolation is less load on the AP, it no longer has to handle all the broadcast traffic the devices would normally send between each other since there is no shared GTK connection.

Hmm - I don't think so - the Guest Network still needs to manage the groupwise key if WPA/WPA2/3 is in use...

Anyways, this is handled on the Wifi transceiver directly, so no overhead other than airtime - each SSID does exact a toll there...
 

I've seen different implementations, but usually it simply does not establish the shared key connection to each client, only the unique key direct one. Or it may negotiate/establish and maintain the key but no traffic ever passes over that shared connection. Plenty of ways to skin the cat in the AP chipset, blocking the shared connection (however they choose to block/filter/remove it) is just the simplest. Could of course do MAC filtering, broadcast/ARP filters, etc too. Each vendor can choose, there is no "standard" that I've seen.

When toying around with the Asus I found that putting a static ARP on two clients allowed them to communicate with each other so it appears to be some form of broadcast/ARP filtering and not MAC based etc. I didn't try to dive deeper to see if it was a complete block of the GTK connection or not. I recall Ubiquiti saying that was how they implemented it so seemed sensible that Broadcom and other major ones would be using the same method (since they all tend to just copy each other anyway).
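To make the distinction in the post above concrete, here is a small Python model, added as an example and not any vendor's or chipset's code, of two isolation policies an AP might apply to one SSID: filtering only broadcast/multicast (ARP, mDNS) between stations, versus refusing to bridge any frame between two stations of the same BSS. The station MACs and the exchange are constructed; the model shows why a pre-seeded static ARP entry lets two guests talk under the first policy but not under the second.

```python
"""Model of two ways an AP can implement "client isolation" on one SSID.

Added example for this thread; a simplified model, not any vendor's or
chipset's code. Frames are (src_mac, dst_mac) pairs; stations are MACs.

  broadcast_filter : drop broadcast/multicast (ARP, mDNS, ...) between
                     stations, but still bridge unicast station-to-station.
  client_isolation : never bridge any frame between two stations of the
                     isolated BSS; a station can only reach the uplink.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"
UPLINK = "uplink"        # the AP's wired side (router / default gateway)


def is_group_address(mac):
    """True for broadcast and multicast: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class IsolatedBss:
    def __init__(self, policy):
        if policy not in ("broadcast_filter", "client_isolation"):
            raise ValueError(policy)
        self.policy = policy
        self.stations = set()

    def associate(self, mac):
        self.stations.add(mac)

    def forward(self, src, dst):
        """Where the AP delivers a frame from src to dst; () if it is dropped."""
        if src not in self.stations:
            return ()                      # not one of our clients
        if is_group_address(dst):
            return (UPLINK,)               # both policies keep group traffic off other stations
        if dst in self.stations:
            # unicast between two of our own clients: the only place the policies differ
            return (dst,) if self.policy == "broadcast_filter" else ()
        return (UPLINK,)                   # anything else goes to the wired side


def can_reach(bss, src, dst, static_arp=False):
    """Can station src deliver an IP packet to station dst?

    Without a static ARP entry src must first resolve dst's MAC with a broadcast
    ARP request; if the AP never delivers that to dst there is no reply and the
    exchange dies. With a pre-seeded (static) ARP entry the unicast goes straight
    out and the forwarding policy alone decides.
    """
    if not static_arp and dst not in bss.forward(src, BROADCAST):
        return False
    return bss.forward(src, dst) == (dst,)


def demo():
    """Run the same two-guest scenario under both policies (constructed MACs)."""
    guest_a, guest_b, gateway = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
    results = {}
    for policy in ("broadcast_filter", "client_isolation"):
        bss = IsolatedBss(policy)
        bss.associate(guest_a)
        bss.associate(guest_b)
        results[policy] = {
            "normal_arp": can_reach(bss, guest_a, guest_b),
            "static_arp": can_reach(bss, guest_a, guest_b, static_arp=True),
            "gateway": bss.forward(guest_a, gateway) == (UPLINK,),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

Under broadcast_filter both guests look isolated from each other until one of them seeds a static neighbour entry (on Linux, `ip neigh add <guest_b_ip> lladdr 02:00:00:00:00:0b dev wlan0 nud permanent`), after which unicast flows; under client_isolation the same entry changes nothing. That is the quick field test for whichever implementation a router ships: seed static ARP entries on two guest clients and see whether they can ping each other.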
 
I've seen different implementations, but usually it simply does not establish the shared key connection to each client, only the unique key direct one. Or it may negotiate/establish and maintain the key but no traffic ever passes over that shared connection. Plenty of ways to skin the cat in the AP chipset, blocking the shared connection (however they choose to block/filter/remove it) is just the simplest. Could of course do MAC filtering, broadcast/ARP filters, etc too. Each vendor can choose, there is no "standard" that I've seen.

Not really - WPA/WPA2/WPA3 have specs here - so each SSID needs to be handled accordingly...

Each SSID represents a unique BSS and network to the client supplicant - so things need to be handled there for both the groupwise and pairwise keying...

Group Keys are not shared across SSIDs/BSSs...
 

Yeah, AP isolation can be set on the SSID level by using VIFs, that's how Asus does it. Not claiming to be an expert on it, just how it was explained to me by a couple vendors (granted it was a while ago). And I've seen others where they're simply filtering the broadcast traffic either based on the traffic type, or filtering communication between MACs on the same SSID etc.
 
I think it is simpler to have 1 guest VLAN at my home. They can fend for themselves. My guests are not going to be hacking at each other. And if they are I don't care. Most of them are only here for a little while. I have had several guests need to print. So, I can share a printer with them. I use ACLs for access to the printer. So, my network at home is pretty tame. I don't need security like at an airport. This is at my home with my friends.

My worst thing is if one of my friends brings over a laptop with a virus on it. It happened to me and it infected my music server. After that I installed VLANs. I built a guest VLAN.
 