New AiMesh user with a few node management/access questions

[TheScotsman]

I just upgraded my primary router to a GT-AXE11000 (388.1), and will be using my old RT-AC5300 (386.9) as an AiMesh node. I did a temporary setup to test it out using ethernet backhaul (the permanent install has to wait until I can run ethernet & power to its new home), and everything worked great. However, it did leave me with a couple questions I'm hoping the community can help out with:

1. The node is picking up its IP address from the normal DHCP address space, even when I set a DHCP reservation for it. I'd like to give it a fixed address, is there a way to do this?
2. I'd like to access the node via SSH so I can run scripts on it directly; it appears that's possible (this post shows it, for instance), but I can't seem to get SSH access (connection refused). Is there a trick to enabling it? My main router is configured with SSH enabled, no passwords (only certs), and no WAN SSH access, so my first thought is that the node rejects the connection because I'm trying to get to it from the main network (i.e. to the node, I'm coming in via the WAN port) ... but I could be overthinking it.
3. It appears the node only provides the core wifi networks, not any of the guests - I believe I'd read that's the expected behavior, and largely that's fine for me. Is there any indication that might change at some point so the nodes can also provide guest network access (or any known tricks for doing that or some facsimile of it)? I have another use case that AiMesh might solve for me, but I'd need guest access in addition to the main network.

Thanks for any advice you can share! And thanks for the asuswrt-merlin and the community of support - I'm an old DD-WRT user who only recently moved to asuswrt-merlin (the RT-AC5300 wasn't fairing well on newer releases of DD-WRT) and it's been a great experience so far.

 

[jata]

1. I have tried dhcp reversations on nodes and got it working a while ago but it was not stable. I think better to not stuff around with this and leave them as originally setup.

2. be careful playing around with nodes. It’s fussy enough with standard config to be honest but you can update the node FW to Merlin and then run scripts but I don’t do this so can’t help with SSH access but others on the forum will help. You should be able to login to nodes with Merlin and then enable SSH through the node gui.

3. sorry. Not sure. I think I remember some posts on the forum saying not to use guest 1 and then it works but I’m not sure about this so you will need help from other forum folks to confirm/advise.

hope this helps a bit and good luck!

 

[glens]

... my first thought is that the node rejects the [ssh] connection because I'm trying to get to it from the main network (i.e. to the node, I'm coming in via the WAN port) ... but I could be overthinking it.

If your mesh master has ssh enabled, the slave should too. It's (ssh to node) always worked well for me, but then it's always been from within the network.

Attempts from without the network likely will fail even if you've got that ability configured on the master. Got an endpoint within the network you can tunnel to?

Edit: just reviewing my post and realized if you've got access to a console prompt on the master, from outside the network, that's your endpoint. From there merely ssh into the node!

 

[TheScotsman]

Right, so what we have here is PEBCAK ... SSH works fine to the node from any system on the network (including the master) now that I've remembered I'm running it on a non-default port!

Just for clarification should anyone else read this in the future:

• The mesh master (GT-AXE11000) has SSH enabled from inside the network only, using SSH keys only (no passwords). Which works fine - any client on the internal network (wired or wireless) can SSH into the master as long as they have the key. There is no SSH access allowed/enabled to the master from outside the network (yeah, there's a bastion host with a tunnel to it, and OpenVPN, but that's outside the scope of this discussion.
• The mesh node (RT-AC5300) is connected via ethernet backhaul; that is, ethernet line runs from a LAN port on the master to the WAN port on the node.
• SSH works to the node from any system on the network as long as they have the key; it's the same key used on the master, as well as the same non-default port that the master uses. Those must be inherited when AIMesh sets up the node.

Setting up stable SSH would be easier if the node could be given a fixed IP address (DHCP reservation doesn't seem to stick on it), but that's fairly easy to workaround, especially since I don't expect to have to access it often.

@jata I tried disabling the first guest network but that didn't help with access to other guests; I'll do some more digging and poking at it to see if I there's any hints it might actually work. It's not a critical thing for me here at home, but I could definitely make use of it elsewhere.

Thanks for the quick responses and help @jata and @glens , much appreciated!

 

[TheScotsman]

Ah, found some light on the guest network issue here - looks like it will work with ONLY the first guest network on each frequency band, and they have to be setup AFTER AiMesh is established to sync them correctly. I'll test and report back - if I do it now my wife (working diligently next to me and on one of those guest networks!) would be most unhappy.

 

[TheScotsman]

Hah, it works! You have to build the AiMesh first; then create your guest network entries, or at least go edit and resave them. The first guest network on each band (2.4/5/5.1 or 6) can be configured to run on the AiMesh nodes as well as the router. Seems to work very well from the limited testing I've been able to do.

In the course of playing with this, I also uncovered a security issue with wifi bands - more on that in the separate thread.

 

[TheScotsman]

Also solved #1 (my DHCP question) - the trick is that you have to set the reserved IP address in the main router's DHCP settings BEFORE you add the node as an AiMesh node; if you try to do it afterward it ignores it, but if you do it ahead of time it respects it. Or, you can remove the node and re-add it - although it will reset it to factory settings, it looks like it leaves Asuswrt-merlin on there, along with any scripts you may have added, etc. so this isn't too terrible an option.

Thanks, forum community, I got all my questions answered pretty quick, found some interesting things, and am a very happy user.