Need some help with my home network

akirru

Occasional Visitor
Hi all,

I need some advice and help with my home network.

Previously I had an AC68u as my main router with some older routers as access points. I recently acquired some more ac68u's to use in ai-mesh mode. But there was a catch I found. Ai-mesh mode wouldn't allow me to properly use guest networks. I just couldn't get it to work and so I thought ap-mode would be a better option for me. It would give me more control.

So with the latest merlin firmware on every router I can't seem to set up the guest network on the nodes/ap-points without intranet access. So guests can still access my local lan. With the router in AP point mode it doesn't allow me to select no intranet access. I normally hide the ssid of my main wireless and only show the guest networks. But I can't use yazfi on a non main router. Which was a great little app for more control of your guest network.

Also is there much of a difference between the 800Mhz and 1000Mhz revisions?

Does anyone have any advice?

Many thanks
 

OzarkEdge

Part of the Furniture
Hi all,

I need some advice and help with my home network.

Previously I had an AC68u as my main router with some older routers as access points. I recently acquired some more ac68u's to use in ai-mesh mode. But there was a catch I found. Ai-mesh mode wouldn't allow me to properly use guest networks. I just couldn't get it to work and so I thought ap-mode would be a better option for me. It would give me more control.

So with the latest merlin firmware on every router I can't seem to set up the guest network on the nodes/ap-points without intranet access. So guests can still access my local lan. With the router in AP point mode it doesn't allow me to select no intranet access. I normally hide the ssid of my main wireless and only show the guest networks. But I can't use yazfi on a non main router. Which was a great little app for more control of your guest network.

Also is there much of a difference between the 800Mhz and 1000Mhz revisions?

Does anyone have any advice?

Many thanks

I understand the newer AC68U has updated specs, but otherwise should operate the same(?).

I understand that guest WLANs on AP Mode are NOT isolated from the intranet, so not useful in that regard.

Asus has been introducing guest1 2.4/5.0 WLANs on AiMesh that sync to all nodes, use IPs 192.168.101/102.*, and are supposed to be isolated from the intranet. Guest2,3 WLANs do not sync.

AiMesh code is closed and the same on Asuswrt and Asuswrt-Merlin.

Me, I would try to set up AiMesh with the higher spec AC68U as the router/root node and with guest1 WLANs across all nodes and confirm they are isolated from the intranet.

So, what was the issue with AiMesh that you encountered?

OE
 

akirru

Occasional Visitor
I understand the newer AC68U has updated specs, but otherwise should operate the same(?).

I understand that guest WLANs on AP Mode are NOT isolated from the intranet, so not useful in that regard.

Asus has been introducing guest1 2.4/5.0 WLANs on AiMesh that sync to all nodes, use IPs 192.168.101/102.*, and are supposed to be isolated from the intranet. Guest2,3 WLANs do not sync.

AiMesh code is closed and the same on Asuswrt and Asuswrt-Merlin.

Me, I would try to set up AiMesh with the higher spec AC68U as the router/root node and with guest1 WLANs across all nodes and confirm they are isolated from the intranet.

So, what was the issue with AiMesh that you encountered?

OE
Ai-mesh was working fine, but the guest network wouldn't show on the ai mesh nodes. I only had guest network access on the main router. I even had sync to ai-mesh activated. So I would have used it if I could get guest network access.
 

Tech9

Part of the Furniture
Ai-mesh was working fine, but the guest network wouldn't show on the ai mesh nodes.

What firmware version? If it doesn't work well on 45934, roll back to 43129 and test again. All routers on the same firmware, WPS reset. Wireless AiMesh is not very stable, but wired is okay. I remember Guest Network to nodes working on 43129.
 

OzarkEdge

Part of the Furniture
Should I use the official asus firmware or merlin?

Use stock Asuswrt firmware to keep it simple unless you need or want a feature added by Asuswrt-Merlin, imo.

OE
 

akirru

Occasional Visitor
So I have been messing around with things for the last few days when I got back from work. I got it kind of working how I want with the latest merlin firmware (alpha). Basically I can get the node working with all my networks apart from guest. The only way I can get guest work is router only. If I have it on the ai-mesh node I have to allow access to the intranet for it to work. That kind of defeats the purpose of a guest network. I guess I'll just have to wait for a firmware update.
 

Tech9

Part of the Furniture
If you want to mess around some more, you can get everything you want now by using FreshTomato firmware. Your routers are compatible and supported. This firmware supports VLANs with configuration in GUI. You just need to read some documentation how to set it up:
 

akirru

Occasional Visitor
Thanks for the reply Tech9

I was wondering if there were any disadvantages that you know of using tomato? How well does hardware acceleration work for example? And should I use it on every router or just the nodes/ap-points?

Andy
 

Tech9

Part of the Furniture
FreshTomato works best with no NAT acceleration. It is available, but disabled by default. Your routers can do 300Mbps WAN-LAN without it. I would use the one with 1GHz CPU as router, 800MHz versions as APs. Cake QoS is available on AC68U with FreshTomato, it's incompatible with NAT acceleration anyway. There is IP traffic, adblock, DoT, DNS/NTP requests redirection, OpenVPN, captive portal, web server, samba shares. Very feature rich firmware with modern GUI (about 20 different themes available). Wi-Fi performance is surprisingly the same as Asuswrt. Try it and see if it works for you.
 

akirru

Occasional Visitor
FreshTomato works best with no NAT acceleration. It is available, but disabled by default. Your routers can do 300Mbps WAN-LAN without it. I would use the one with 1GHz CPU as router, 800MHz versions as APs. Cake QoS is available on AC68U with FreshTomato, it's incompatible with NAT acceleration anyway. There is IP traffic, adblock, DoT, DNS/NTP requests redirection, OpenVPN, captive portal, web server, samba shares. Very feature rich firmware with modern GUI (about 20 different themes available). Wi-Fi performance is surprisingly the same as Asuswrt. Try it and see if it works for you.

So I installed Tomato on the access point.

Ac68u primary router (latest merlin firmware with guest network enabled and working)

Ac68u Access point ( using latest freshtomato firmware )

So I have the access point working with internet access, but when I tried to add a guest network with virtual wireless I don't have any internet access. I have setup a second bridge with its own dhcp etc as per this guide.

Any help appreciated :)
 

follower

Senior Member
Hi all,

I need some advice and help with my home network.

Previously I had an AC68u as my main router with some older routers as access points. I recently acquired some more ac68u's to use in ai-mesh mode. But there was a catch I found. Ai-mesh mode wouldn't allow me to properly use guest networks. I just couldn't get it to work and so I thought ap-mode would be a better option for me. It would give me more control.

So with the latest merlin firmware on every router I can't seem to set up the guest network on the nodes/ap-points without intranet access. So guests can still access my local lan. With the router in AP point mode it doesn't allow me to select no intranet access. I normally hide the ssid of my main wireless and only show the guest networks. But I can't use yazfi on a non main router. Which was a great little app for more control of your guest network.

Also is there much of a difference between the 800Mhz and 1000Mhz revisions?

Does anyone have any advice?

Many thanks
Why do you hide SSID?
Disadvantage of hiding SSID:
1. insecure.
2. makes a lot of issues.
 

Tech9

Part of the Furniture
Any help appreciated

I was thinking about Guest VLAN set on the router or SSID on the AP with restricted access to private IPs. I need time to experiment and find what works properly on AC68U. Last time I had Tomato router in use it was Linksys running Tomato Shibby. I had FreshTomato 2021.7 running on AC68U just a week ago, but it was re-flashed to Asuswrt. @eibgrad uses FT on AC68U, he can help you faster.
 

eibgrad

Part of the Furniture
So I installed Tomato on the access point.

Ac68u primary router (latest merlin firmware with guest network enabled and working)

Ac68u Access point ( using latest freshtomato firmware )

So I have the access point working with internet access, but when I tried to add a guest network with virtual wireless I don't have any internet access. I have setup a second bridge with its own dhcp etc as per this guide.

Any help appreciated :)

I've seen that link before. There's no need to create a new VLAN unless you intend to move one or more *wired* ports from the default vlan (typically vlan1) to the new vlan. It's just an unnecessary step by the author given he's not assigning ports to the new bridge (br1).

Also, those instructions assume a routed config, where the WAN is directly accessible from either the private (br0) or guest (br1) networks. But when configured on an AP only, there is NO WAN. The only way for guests to reach the WAN of the primary router is to be routed over the private network. So you have to allow access by guests from br1 to br0 (which is denied by default), while still denying them access to specific resources on the private network. Finally, you need to NAT the guest network over the private network as well.

Code:
iptables -I FORWARD -i br1 -o br0 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

P.S. Instead of NAT'ing, you could alternatively add a static route to the primary router that points to the LAN ip of the AP as the gateway to the guest network. But sometimes that isn't possible because the primary router doesn't support static routes, or it's the ISP's router and they've locked it down. The use of NAT then becomes necessary.
 

akirru

Occasional Visitor
I've seen that link before. There's no need to create a new VLAN unless you intend to move one or more *wired* ports from the default vlan (typically vlan1) to the new vlan. It's just an unnecessary step by the author given he's not assigning ports to the new bridge (br1).

Also, those instructions assume a routed config, where the WAN is directly accessible from either the private (br0) or guest (br1) networks. But when configured on an AP only, there is NO WAN. The only way for guests to reach the WAN of the primary router is to be routed over the private network. So you have to allow access by guests from br1 to br0 (which is denied by default), while still denying them access to specific resources on the private network. Finally, you need to NAT the guest network over the private network as well.

Code:
iptables -I FORWARD -i br1 -o br0 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

P.S. Instead of NAT'ing, you could alternatively add a static route to the primary router that points to the LAN ip of the AP as the gateway to the guest network. But sometimes that isn't possible because the primary router doesn't support static routes, or it's the ISP's router and they've locked it down. The use of NAT then becomes necessary.
So I got it working with a static route and your firewall script. I can connect now with the access points dhcp. I can't see lan shares when I search for them on my phone. But I can still access my router homepage and NAS etc. Is there a way to prevent that?

Thanks for all your input :)
 

eibgrad

Part of the Furniture
So I got it working with a static route and your firewall script. I can connect now with the access points dhcp. I can't see lan shares when I search for them on my phone. But I can still access my router homepage and NAS etc. Is there a way to prevent that?

Thanks for all your input :)

The firewall rules I provided should prevent access to anything on the private network (br0) from the guest network (br1). So when you say the router or NAS is still accessible, are you referring to the AP? You would need additional firewall rules to limit the guest network's access to the AP itself.

The following limits guests to only dhcp, dns, and icmp (ping) on the AP.

Code:
iptables -I INPUT -i br1 -j REJECT
iptables -I INPUT -i br1 -p icmp -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

icmp is obviously optional, but I like to offer it for diagnostic purposes. And you could eliminate DNS if you chose to configure the guests w/ public DNS servers (I usually do) in the DHCP/DNS custom config field.

Code:
dhcp-option=br1,option:dns-server,8.8.8.8,8.8.4.4

As far as searching for LAN shares, if you're referring to network discovery, it typically doesn't work across different ethernet/IP networks. Not without the aid of a mDNS reflector (e.g., Avahi). But again, the firewall rules I provided would NOT allow access to anything on the private network anyway, even if you could "discover" resources there. So I don't know if your comment is just an observation or a complaint.
 
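The FORWARD/SNAT rules from the earlier post and the INPUT rules from this one, combined into one idempotent firewall script for the FreshTomato AP, as an added example (not eibgrad's or FreshTomato's own script). It assumes the bridge names br0 (private) and br1 (guest) from the thread, and takes the LAN address and mask as arguments so the generated rule list can be inspected off the router before it is applied:

```shell
#!/bin/sh
# Assumed guest-isolation firewall script for an AC68U in AP mode (added example).
# br0 = private bridge, br1 = guest bridge, as in the thread. On the router the
# LAN address/mask come from nvram; here they are arguments so the list is testable.

GUEST_IF="${GUEST_IF:-br1}"
LAN_IF="${LAN_IF:-br0}"

# Emit the iptables arguments (without the leading "iptables") for one LAN ip/mask.
# Order matters: -I inserts at the top of the chain, so each later line is
# evaluated before the earlier ones (REJECT for the LAN subnet beats the ACCEPT;
# the specific INPUT ACCEPTs beat the blanket INPUT REJECT).
build_guest_rules() {
    lan_ip="$1"; lan_mask="$2"
    cat <<EOF
-I FORWARD -i $GUEST_IF -o $LAN_IF -j ACCEPT
-I FORWARD -i $GUEST_IF -o $LAN_IF -d $lan_ip/$lan_mask -j REJECT
-t nat -I POSTROUTING -o $LAN_IF -j SNAT --to $lan_ip
-I INPUT -i $GUEST_IF -j REJECT
-I INPUT -i $GUEST_IF -p icmp -j ACCEPT
-I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
-I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
-I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
EOF
}

# Insert each rule only if it is not already present (iptables -C tests for an
# existing match), so re-running the script after a wireless restart does not
# stack duplicate rules in the chains.
apply_guest_rules() {
    build_guest_rules "$1" "$2" | while read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/-I /-C /')
        iptables $check 2>/dev/null || iptables $rule
    done
}

# On the router itself (Administration > Scripts > Firewall), call it as:
# apply_guest_rules "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"
```

Running `build_guest_rules 192.168.1.1 255.255.255.0` on any machine prints the eight rules that would be installed, which is a convenient way to review the policy before touching the AP.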
