RT-AX88U/RT-AC86U B1 - Disable Guest Network LAN Access in AP Mode?

[Colin1234]

I have an RT-AX88U and RT-AC86U B1 both in AP Mode using AI Mesh. I'm using PfSense as the router. Is there a way to disable LAN access for WIFI clients connected to the Guest Network? I'm reading mixed things but can't find an option to disable it like you can in "Router Mode".

 

[drinkingbird]

I have an RT-AX88U and RT-AC86U B1 both in AP Mode using AI Mesh. I'm using PfSense as the router. Is there a way to disable LAN access for WIFI clients connected to the Guest Network? I'm reading mixed things but can't find an option to disable it like you can in "Router Mode".

From what I recall when in AP mode there is no routing or firewall, I believe you can prevent guest wireless from accessing main wireless, but not the rest of the LAN. Is the option there to disable intranet access for the guest SSIDs? If so what does/doesn't it block? You may be able to utilize ebtables (and possibly iptables if it is there in AP mode) to block the rest of the LAN, being cautious not to block traffic to the PFSENSE gateway destined for the internet.

If you are willing to get into scripting and the CLI then you should be able to make use of the guest VLANs created by AIMESH (or create your own VLANs), trunk those to your PFSENSE (assuming it has a NIC that supports trunk/vlans), and do your filtering there, that's basically the ultimate setup but requires a fair amount of work to get it set up and working right.

 

[Tech9]

RT-AC86U B1

There is no RT-AC86U B1 model. RT-AC66U B1 perhaps?

but can't find an option

No such option and it's a known limitation. You have to break AiMesh and use two different methods for each router for VLAN, then wire each to your pfSense box. If you look around, there is guidance available. Think about replacing the home routers with proper APs with VLAN support.

 

[zachska87]

Can this be accomplished in some way with a second physical connection to a router on a different network/VLAN? Can the primary wifi use one uplink, and the guest wifi use the second connection if I configure my router to have two different vlans on those ports?

 

[drinkingbird]

Can this be accomplished in some way with a second physical connection to a router on a different network/VLAN? Can the primary wifi use one uplink, and the guest wifi use the second connection if I configure my router to have two different vlans on those ports?

Yes however it requires manual script (via Merlin firmware) and depending on the router model you have, may be fairly easy or somewhat complex.

I'm not sure if the new 50x VLANs get created automatically when in AP mode but if they do, making use of one of those is probably easiest, just set one of the LAN ports (or even the WAN port) into that VLAN and send it to your upstream router. You'd probably want to set it to have both 2.4 and 5Ghz in the same 50x vlan. If your upstream router supports VLAN tagging/trunking then you can just use one cable and send both vlans over it.

 

[zachska87]

Yes however it requires manual script (via Merlin firmware) and depending on the router model you have, may be fairly easy or somewhat complex.

I'm not sure if the new 50x VLANs get created automatically when in AP mode but if they do, making use of one of those is probably easiest, just set one of the LAN ports (or even the WAN port) into that VLAN and send it to your upstream router. You'd probably want to set it to have both 2.4 and 5Ghz in the same 50x vlan. If your upstream router supports VLAN tagging/trunking then you can just use one cable and send both vlans over it.

I have the RT-AX82U on the most recent gnuton, ...do you know of an example script I could look at? I'm sorry for asking, I looked around and didn't find anything that looked useful. My router is TP-Link ER7206...It does seem to support multiple VLANS on the same port but either way would work for me, they're right next to each other.

 

[drinkingbird]

I have the RT-AX82U on the most recent gnuton, ...do you know of an example script I could look at? I'm sorry for asking, I looked around and didn't find anything that looked useful. My router is TP-Link ER7206...It does seem to support multiple VLANS on the same port but either way would work for me, they're right next to each other.

Someone here was posting recently about setting up VLANs on an HND based router. Try searching for "robocfg", that is actually the command that is NOT supported on the HND routers but it was discussed in that thread. If I find it I'll link it.

 

[zachska87]

Someone here was posting recently about setting up VLANs on an HND based router. Try searching for "robocfg", that is actually the command that is NOT supported on the HND routers but it was discussed in that thread. If I find it I'll link it.

Thank you, I'll check that out. This is the guide I'm looking at for the moment, haven't been able to try it yet because I can't risk bringing down the network until tonight. https://virtualize.link/asus-vlans/

 

[drinkingbird]

Thank you, I'll check that out. This is the guide I'm looking at for the moment, haven't been able to try it yet because I can't risk bringing down the network until tonight. https://virtualize.link/asus-vlans/

Yeah I believe the 58 is a different chipset with different commands but not positive.

@Pierre Nakashian mentioned in another thread that they set up VLANs on their 8x HND based router so maybe they can point you in the right direction.

 

[Pierre Nakashian]

This is the major link I used as my reference for setting up multiple vlans, the link starts with vlanctl command
later switches to linux ip command. The ip command did not work in my situation I have another dual WAN complexity that didn't play well with ip.
I also had some strange issues, it seems when I started creating vlan's below 100, they didn't have internet access. Maybe I overlooked something.

RT-86U - vlanctl & ethctl usage puzzle

All, While the search revealed several hits on the vlanctl and ethctl commands used in the new Broadcom chips, as in the RT-86U, there is not yet a definitive guide or howto on to properly use them to control the VLANs on these routers. Obviously in contrast to the more we’ll known robocfg...

www.snbforums.com

This is another Link I used to put together a VLAN that connects my LAN devices connected to managed switch assigned to a VLAN that
gets bundled together to the same vlan as guest wifi.

VLANs, Trunk interface, tagged and untagged traffic RT-AX86U and RT-AX88U

It took me a while to make this thing work. I could find some configs but nothing worked as provided. After combining information from several different posts I came to the working solution posted below. As it took me a while to get it to work I figured I'd share it here in case anyone else...

www.snbforums.com

You still have to use some iptables that was listed in the 1st link, 1st link also showed with the vlanctl how to create a vlan interface even for the
Native Vlan 1 that actually has no tag.
There are some strange quirks still I haven't figured out, it seems when I reboot my router, some of the WIFI IOT devices somehow are getting the IP assigned from the main network, not the subnet designated to the bridge interface that the guest wifi is part of. If i restart the IOT devices they than pick up the correct ip address from their respective vlan subnet.

 

[Tech9]

Yeah I believe the 58 is a different chipset with different commands but not positive.

RT-AX82U is one of the "gaming" versions of RT-AX58U hardware, if that helps.