
rt-ac68u Guest Wireless in AP not restricting access to LAN


JustinDevelops

Occasional Visitor
I have been using ASUS-Merlin on my rt-ac68u for a few years with almost no issues. The past year I have been using Guest Wireless with 'intranet' access disabled. That has also been working great. Yesterday I implemented a PFSense firewall/router device in front of my ac68u (ac68u has dhcp/wan disabled) and my guest wireless access stopped working. You could see the SSID but could never connect to it. Everything else is working, i.e. LAN access, regular wireless access. My ac68u was still in router mode at this point and I found that if I disabled the intranet restriction I could connect to the guest wireless and it worked, but this was not optimal because intranet access was enabled.

After talking to someone that had a similar setup, they said they used the ac68u device in AP mode while behind PFSense and it worked great, but they have never run guest wireless. I changed my ac68u to AP mode but I am still getting the same results from the guest wireless even though the admin screen explicitly states "The Guest Network provides Internet connection for guests but restricts access to your local network." Same results meaning I can see all other devices on the network and even ssh into them.

Does anyone have any ideas or can I provide any more information that would help diagnose this issue?
 
What you are trying to do won't work. Think about it.

The guest network is a feature of the Asus (in router mode) that can isolate wireless clients from other clients attached to it. It can do this because it is the device doing the bridging/routing. Now your routing is being done by the pfSense. The pfSense has no knowledge or understanding of the guest network on the Asus. All it sees is traffic coming into one of its LAN ports. It doesn't know whether one particular MAC address is coming from an Ethernet attached PC, a server, a wireless client or a guest client. It's all just data coming into one port of the pfSense. In AP mode it's impossible to isolate the guest network from the Asus' LAN ports because any one of those ports will be connected to your pfSense router. To do so would mean that the guest network is not connected to anything, which would be rather pointless.
 
...actually, Ubiquiti's UniFi AC APs can do that just fine.
I ran into the same problem a couple of weeks ago with my AC68U...it can be done, but you'll need to apply some manual VLAN tweaks.
Now I switched to a UniFi UAP AC-LR and the controller software lets you configure SSIDs with a guest profile, which makes it work.
Don't know how they do it, but although the guests do get an IP from the same, default DHCP-Server and use the main Router for DNS queries, just like a normal non-guest client, the guests can only see the Internet.
 
@Ford Prefect I thought about mentioning VLANs but decided against it as it is not a supported feature in ASUSWRT. As you say, it can be done but it requires some fairly complicated "hacks". I'd assume that the UniFis also use some sort of VLAN tagging to segregate their traffic, that's the way I'd do it. ;)
 
Actually I don't know, as I can't look inside...the AP only has a minimal UI.
But, although I have a VLAN capable Switch and Main Router, the guest setup in the UniFi APs involves nothing of the other components.
All you need to do is create the SSID and check the mark for it to be of a guest profile....that's about it.
 
What is your Internet speed from your ISP? If it isn't over 400 - 500 Mbps, consider using your AC68 as the first Internet facing router and double NAT your Pfsense box behind it. Since it will be a 1000Mbps link between routers it will have little impact on your throughput, assuming the AC68 can handle the speed of your Internet connection. Your AC68 will run your guest network and the Pfsense will be isolated.

I use this setup to isolate my IoT and guest network from my primary network. By using all six guest networks I can even isolate some IoT devices from each other. Not an elegant solution, but because of my network's layout it works well for me. Things such as port forwarding and setting up a DNS server are however more difficult.
 
....I hate to say that, but I today sold my used AC68U for the price of the new UniFi UAP AC-LR o_O
 
What you are trying to do won't work. Think about it.

The guest network is a feature of the Asus (in router mode) that can isolate wireless clients from other clients attached to it. It can do this because it is the device doing the bridging/routing. Now your routing is being done by the pfSense. The pfSense has no knowledge or understanding of the guest network on the Asus. All it sees is traffic coming into one of its LAN ports. It doesn't know whether one particular MAC address is coming from an Ethernet attached PC, a server, a wireless client or a guest client. It's all just data coming into one port of the pfSense. In AP mode it's impossible to isolate the guest network from the Asus' LAN ports because any one of those ports will be connected to your pfSense router. To do so would mean that the guest network is not connected to anything, which would be rather pointless.

OK, that makes sense. I am still pretty green at networking. That is actually one of the reasons I picked up PFSense in the first place: to learn more about networking in my own house etc.

@CaptainSTX My pfsense device only has 3 ports (WAN/LAN/OPT1) so without getting a switch or something in addition I would not have enough LAN ports for my other devices.

@Ford Prefect I did come across a few using UniFi APs for this, I think that might be the route I go eventually. Good to hear you are using it the way I am thinking. Until I can pick up one I am going to set up OPT1 and hook up my old Apple wifi router to it for guest wifi. I should be able to restrict access from OPT1 to LAN that way.

Thank you everyone for the input. :)
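The OPT1 approach in the post above depends entirely on rule order: pfSense evaluates interface rules top to bottom and the first match wins, so a "pass to any" rule placed above the LAN block silently defeats the isolation. The following is an added example, not code from the thread or from pfSense; it is a small first-match policy checker that models that evaluation and verifies a guest ruleset the way one would before trusting it. All subnets, addresses and rule descriptions are constructed assumptions (LAN on 192.168.1.0/24, guest on OPT1 192.168.50.0/24, pfSense's OPT1 address as the guests' DNS).

```python
"""
Added example (not from the thread): a minimal first-match firewall policy
checker modelled on how pfSense evaluates per-interface rules (top to bottom,
first match wins, implicit default block). It encodes the guest setup the
original poster describes: a guest interface (OPT1) that must reach the
Internet but not the LAN. All addressing below is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumption): LAN on 192.168.1.0/24, guests on OPT1.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
GUEST_GW = ipaddress.ip_address("192.168.50.1")   # pfSense's own OPT1 address (DHCP/DNS for guests)

# All RFC 1918 space: block guests from every private subnet, not only the LAN,
# so a future VLAN or second LAN does not become reachable by accident.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: object              # ip_network or "any"
    dst: object              # ip_network, list of networks, or "any"
    proto: str = "any"       # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None
    desc: str = ""


def _dst_match(rule_dst, addr):
    if rule_dst == "any":
        return True
    nets = rule_dst if isinstance(rule_dst, list) else [rule_dst]
    return any(addr in n for n in nets)


def _match(rule, src, dst, proto, dport):
    if rule.src != "any" and src not in rule.src:
        return False
    if not _dst_match(rule.dst, dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Return the action of the first matching rule; no match means block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _match(r, src, dst, proto, dport):
            return r.action
    return "block"


# A working guest ruleset: DNS to the gateway first (it lives inside RFC 1918
# space, so it must precede the block), then the block, then pass to anything else.
GUEST_RULES_OK = [
    Rule("pass", GUEST_NET, ipaddress.ip_network(f"{GUEST_GW}/32"), "udp", 53, "guest DNS via pfSense"),
    Rule("block", GUEST_NET, RFC1918, desc="no guest access to any private subnet"),
    Rule("pass", GUEST_NET, "any", desc="guest to Internet"),
]

# Same three rules with the catch-all pass moved to the top: the block never fires.
GUEST_RULES_BROKEN = [GUEST_RULES_OK[2], GUEST_RULES_OK[0], GUEST_RULES_OK[1]]


def isolation_holds(rules):
    """True if a guest reaches the Internet and the gateway's DNS but no private host."""
    guest = "192.168.50.23"                                              # constructed guest client
    checks = [
        evaluate(rules, guest, "192.168.1.10", "tcp", 22) == "block",    # ssh to a LAN box denied
        evaluate(rules, guest, "10.0.0.5", "tcp", 445) == "block",       # other private nets denied
        evaluate(rules, guest, "203.0.113.10", "tcp", 443) == "pass",    # Internet (TEST-NET-3) allowed
        evaluate(rules, guest, str(GUEST_GW), "udp", 53) == "pass",      # DNS to pfSense allowed
    ]
    return all(checks)


if __name__ == "__main__":
    print("correct order isolates guests:", isolation_holds(GUEST_RULES_OK))    # True
    print("pass-any first isolates guests:", isolation_holds(GUEST_RULES_BROKEN))  # False
```

The checker only models forward-direction matching; on the real firewall a pass rule creates state, so return traffic for an allowed guest connection flows without a rule on LAN. The block on all RFC 1918 space (rather than just the LAN subnet) is the defensive choice: it also keeps guests off the pfSense web UI on the OPT1 address, since only UDP/53 to the gateway is passed before the block.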
 
...just be aware that UniFi APs are Enterprise stuff, not SoHo.
You need to run the separate controller software (the APs have no Web-UI, just a basic CLI) to set them up.
If you intend to employ more than one AP in your home and use some more advanced features (like "seamless handover"), then the controller SW must run 24/7 (it is Java based, can be run from a NAS).

I also started with a pfsense Router/firewall with only 3xETH but have moved to a mikrotik hex (https://routerboard.com/RB750Gr3), which has a fully configurable 5-port switch.
The newest GR3 revision is a steal with HW AES support for less than 60USD.
 
OK, that makes sense. I am still pretty green at networking. That is actually one of the reasons I picked up PFSense in the first place: to learn more about networking in my own house etc.

@CaptainSTX My pfsense device only has 3 ports (WAN/LAN/OPT1) so without getting a switch or something in addition I would not have enough LAN ports for my other devices.

:)

The device that I was running Pfsense on, then decided to run OpenWRT on instead, does have four ports: one which I used for the WAN, and then the other three could be used as LAN ports. Just FYI, you can purchase an unmanaged eight port switch for approximately $25, and if you want a managed switch which you can run VLANs on, add another $20 - $25.
 