Need some help with my home network

akirru

Hi all,

I need some advice and help with my home network.

Previously I had an AC68U as my main router with some older routers as access points. I recently acquired some more AC68Us to use in AiMesh mode. But there was a catch I found: AiMesh mode wouldn't allow me to properly use guest networks. I just couldn't get it to work, and so I thought AP mode would be a better option for me. It would give me more control.

So with the latest Merlin firmware on every router I can't seem to set up the guest network on the nodes/APs without intranet access, so guests can still access my local LAN. With the router in AP mode it doesn't allow me to select no intranet access. I normally hide the SSID of my main wireless and only show the guest networks. But I can't use YazFi on a non-main router, which was a great little app for more control of your guest network.

Also, is there much of a difference between the 800 MHz and 1000 MHz revisions?

Does anyone have any advice?

Many thanks
 
I understand the newer AC68U has updated specs, but otherwise should operate the same(?).

I understand that guest WLANs on AP Mode are NOT isolated from the intranet, so not useful in that regard.

Asus has been introducing guest1 2.4/5.0 WLANs on AiMesh that sync to all nodes, use IPs 192.168.101/102.*, and are supposed to be isolated from the intranet. Guest2,3 WLANs do not sync.

AiMesh code is closed and the same on Asuswrt and Asuswrt-Merlin.

Me, I would try to set up AiMesh with the higher spec AC68U as the router/root node and with guest1 WLANs across all nodes and confirm they are isolated from the intranet.

So, what was the issue with AiMesh that you encountered?

OE
 
AiMesh was working fine, but the guest network wouldn't show on the AiMesh nodes. I only had guest network access on the main router. I even had sync to AiMesh activated. So I would have used it if I could get guest network access.
 
What firmware version? If it doesn't work well on 45934, roll back to 43129 and test again. All routers on the same firmware, WPS reset. Wireless AiMesh is not very stable, but wired is okay. I remember Guest Network to nodes working on 43129.
 
Should I use the official Asus firmware or Merlin?

Use stock Asuswrt firmware to keep it simple unless you need or want a feature added by Asuswrt-Merlin, imo.

OE
 
So I have been messing around with things for the last few days when I got back from work. I got it kind of working how I want with the latest Merlin firmware (alpha). Basically I can get the node working with all my networks apart from guest. The only way I can get guest to work is router only. If I have it on the AiMesh node I have to allow access to the intranet for it to work. That kind of defeats the purpose of a guest network. I guess I'll just have to wait for a firmware update.
 
If you want to mess around some more, you can get everything you want now by using FreshTomato firmware. Your routers are compatible and supported. This firmware supports VLANs with configuration in the GUI. You just need to read some documentation on how to set it up:

Thanks for the reply Tech9

I was wondering if there were any disadvantages that you know of using Tomato? How well does hardware acceleration work, for example? And should I use it on every router or just the nodes/APs?

Andy
 
FreshTomato works best with no NAT acceleration. It is available, but disabled by default. Your routers can do 300Mbps WAN-LAN without it. I would use the one with 1GHz CPU as router, 800MHz versions as APs. Cake QoS is available on AC68U with FreshTomato; it's incompatible with NAT acceleration anyway. There is IP traffic, adblock, DoT, DNS/NTP request redirection, OpenVPN, captive portal, web server, Samba shares. Very feature-rich firmware with modern GUI (about 20 different themes available). Wi-Fi performance is surprisingly the same as Asuswrt. Try it and see if it works for you.
 
So I installed Tomato on the access point.

AC68U primary router (latest Merlin firmware with guest network enabled and working)

AC68U access point (using latest FreshTomato firmware)

So I have the access point working with internet access, but when I tried to add a guest network with virtual wireless I don't have any internet access. I have set up a second bridge with its own DHCP etc. as per this guide.

Any help appreciated :)
 
Why do you hide the SSID?
Disadvantages of hiding the SSID:
1. It is insecure.
2. It causes a lot of issues.
 
I was thinking about a Guest VLAN set on the router or an SSID on the AP with restricted access to private IPs. I need time to experiment and find what works properly on AC68U. Last time I had a Tomato router in use it was a Linksys running Tomato Shibby. I had FreshTomato 2021.7 running on AC68U just a week ago, but it was re-flashed to Asuswrt. @eibgrad uses FT on AC68U, he can help you faster.
 
I've seen that link before. There's no need to create a new VLAN unless you intend to move one or more *wired* ports from the default VLAN (typically vlan1) to the new VLAN. It's just an unnecessary step by the author given he's not assigning ports to the new bridge (br1).

Also, those instructions assume a routed config, where the WAN is directly accessible from either the private (br0) or guest (br1) networks. But when configured on an AP only, there is NO WAN. The only way for guests to reach the WAN of the primary router is to be routed over the private network. So you have to allow access by guests from br1 to br0 (which is denied by default), while still denying them access to specific resources on the private network. Finally, you need to NAT the guest network over the private network as well.

Code:
# Allow guest (br1) traffic to be forwarded into the private bridge (br0) on its way to the WAN
iptables -I FORWARD -i br1 -o br0 -j ACCEPT
# Inserted above the ACCEPT: reject guest traffic addressed to the private LAN subnet itself
iptables -I FORWARD -i br1 -o br0 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT
# Source-NAT guest traffic to the AP's LAN address so the primary router can reply without a static route
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

P.S. Instead of NATing, you could alternatively add a static route to the primary router that points to the LAN IP of the AP as the gateway to the guest network. But sometimes that isn't possible because the primary router doesn't support static routes, or it's the ISP's router and they've locked it down. The use of NAT then becomes necessary.
 
So I got it working with a static route and your firewall script. I can connect now with the access point's DHCP. I can't see LAN shares when I search for them on my phone. But I can still access my router homepage and NAS etc. Is there a way to prevent that?

Thanks for all your input :)
 
The firewall rules I provided should prevent access to anything on the private network (br0) from the guest network (br1). So when you say the router or NAS is still accessible, are you referring to the AP? You would need additional firewall rules to limit the guest network's access to the AP itself.

The following limits guests to only DHCP, DNS, and ICMP (ping) on the AP.

Code:
# Blanket reject for anything arriving from the guest bridge and addressed to the AP itself
iptables -I INPUT -i br1 -j REJECT
# Each later -I lands above the REJECT, so only these services remain reachable from guests
iptables -I INPUT -i br1 -p icmp -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

ICMP is obviously optional, but I like to offer it for diagnostic purposes. And you could eliminate DNS if you chose to configure the guests with public DNS servers (I usually do) in the DHCP/DNS custom config field.

Code:
dhcp-option=br1,option:dns-server,8.8.8.8,8.8.4.4

As far as searching for LAN shares, if you're referring to network discovery, it typically doesn't work across different Ethernet/IP networks. Not without the aid of an mDNS reflector (e.g., Avahi). But again, the firewall rules I provided would NOT allow access to anything on the private network anyway, even if you could "discover" resources there. So I don't know if your comment is just an observation or a complaint.
 

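To make the ordering of those `-I` inserts concrete, here is an added Python model (not code from the thread or from FreshTomato) of the FORWARD and INPUT chains built by the two firewall posts above, using a constructed LAN of 192.168.1.0/24 and an assumed AP address of 192.168.1.2 in place of the nvram values. It also shows what happens if the two FORWARD commands are issued in the opposite order: the ACCEPT then shadows the REJECT and guests can reach the private LAN.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed stand-in for nvram lan_ipaddr/lan_netmask
AP_LAN_IP = ipaddress.ip_address("192.168.1.2")   # assumed LAN address of the AP itself

def insert(chain, match, target):
    """Model `iptables -I CHAIN ...`: prepend, so the last command issued is checked first."""
    chain.insert(0, (match, target))

def rule_matches(match, pkt):
    """-i/-o/-p/--dport are exact matches; dst_net is the -d LAN/MASK subnet match."""
    return all(pkt["dst"] in want if key == "dst_net" else pkt.get(key) == want
               for key, want in match.items())

def verdict(chain, pkt, policy):
    """First matching rule wins, as in a netfilter chain; otherwise the chain policy applies."""
    for match, target in chain:
        if rule_matches(match, pkt):
            return target
    return policy

def build_forward(lan_net, shadowed=False):
    """FORWARD rules from the thread; shadowed=True issues the two -I commands in the wrong order."""
    cmds = [({"in": "br1", "out": "br0"}, "ACCEPT"),
            ({"in": "br1", "out": "br0", "dst_net": lan_net}, "REJECT")]
    chain = []
    for match, target in (reversed(cmds) if shadowed else cmds):
        insert(chain, match, target)
    return chain

def build_input():
    """INPUT rules: blanket REJECT first, then the allowed services inserted above it."""
    chain = []
    insert(chain, {"in": "br1"}, "REJECT")
    insert(chain, {"in": "br1", "proto": "icmp"}, "ACCEPT")
    for proto in ("tcp", "udp"):
        insert(chain, {"in": "br1", "proto": proto, "dport": 53}, "ACCEPT")
    insert(chain, {"in": "br1", "proto": "udp", "dport": 67}, "ACCEPT")
    return chain

def guest_to(dst, shadowed=False):
    """Guest packet forwarded out br0 (policy DROP models 'denied by default'); returns (verdict, post-SNAT source)."""
    pkt = {"in": "br1", "out": "br0", "dst": ipaddress.ip_address(dst)}
    v = verdict(build_forward(LAN_NET, shadowed), pkt, "DROP")
    return v, (AP_LAN_IP if v == "ACCEPT" else None)

def guest_to_ap(proto, dport=None):
    """Guest packet addressed to the AP itself (INPUT chain, policy ACCEPT)."""
    return verdict(build_input(), {"in": "br1", "proto": proto, "dport": dport}, "ACCEPT")
```

With the correct order, `guest_to("192.168.1.10")` is rejected while `guest_to("8.8.8.8")` is accepted and leaves with the AP's LAN address as source; with `shadowed=True` the LAN host becomes reachable, which is the check worth running after any edit to the firewall script.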