
Topology/setup help - Mostly Asus-merlin devices

Discussion in 'Asuswrt-Merlin' started by Michel, Feb 21, 2020.

  1. Michel

    Michel New Around Here

    Nov 24, 2017
    Hi guys, guru, network and problem-solving lovers!
    I am requesting your help and wisdom here :)

    I know this question is mostly about topology but my devices are mostly using Asus-merlin and I believe the solution to my questions could be solved using the firmware.

    My situation is as follows: due to our ISP inability (or unwillingness) to connect our house to their service, I have to share my Internet connection with my in-laws (house next door).

    1. Current topology


    2. Current equipment:

    - Virgin Media router -> set in modem mode
    - AC86U (Asus merlin) -> set in router mode
    - AC68U (Asus merlin) -> set in AP mode
    - Netgear JGS524Ev2
    - TP-Link TL-SG1005P PoE
    - 2 houses connected with a CAT6A cable.

    3. We have a mix of devices:

    - laptops using WiFi
    - desktops using Ethernet connections
    - phones
    - cameras using PoE connections
    - IoT devices using both WiFi and Ethernet connections
    - cheap Android TV box


    1. The yellow area is a catastrophe waiting to happen and cannot be truly managed.
    My in-laws are your regular old internet users. They won't use an antivirus, they use cheap dodgy Chinese IoT devices and a cheap Chinese Android TV box (that was blocked by Skynet), and they share the WiFi password with anyone visiting the house.

    2. The blue area is my area.
    The AC86U is connected to the Netgear JGS524Ev2 (smart-managed switch).
    One of the ports is connected to my AC68U router set in AP mode to provide WiFi in my house, and one of the ports is connected to the TP-Link TL-SG1005P PoE (used for the security cameras).

    There are 2 main WiFi networks, and 2 guest networks (one for the kid and one for the guests visiting my house).

    Hopes and dreams:

    1. To isolate the yellow and blue area.
    There is no need to ever have any interaction between both areas.
    Unfortunately, the cheap Android TV box is connected to the AC86U, so I cannot isolate the yellow area by creating a WiFi guest network using YazFi.

    2. The blue area has some IoT devices that do not/should not interact with the other devices of the network, so let's isolate them.
    Unfortunately, these devices use a mix of WiFi and Ethernet connections, so I cannot rely on YazFi.

    3. Using FreshJRQoS to handle the QoS.
    I thought about using IP ranges or subnets to set the rules there such as IoT with lower priority for example.

    Current situation:

    I am stuck :)
    - I thought about using virtual LANs.
    The Netgear JGS524Ev2 handles them, but it looks like the AC86U does not.
    I could have created:
    - one VLAN for the yellow area
    - one for the IoT in the blue area
    - one for some more secured devices on my network
    - and one for the kid devices

    - I thought about creating subnets:
    - one yellow area (default one)
    - one for each of the guest WiFi on the AC68U
    - one for the devices of the TP-Link TL-SG1005P

    Unfortunately, I realised that I didn't know how to do that one with the AC86U being the DHCP server. :-(

    - Is another option to use IPTables after manually assigning an IP with the DHCP server?
    I don't believe this is possible for traffic on the same network interface.

    I know it is a long post and there are many solutions but I am looking for solutions with the devices I already own if possible!
    Any ideas? suggestions?
    Last edited: Feb 22, 2020
    Luizlp10 likes this.
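On the iptables idea raised in the post above (keying rules on addresses handed out by static DHCP leases), here is an added example that is not from the thread and not Asuswrt-Merlin's own code: a POSIX shell script in the shape of an Asuswrt-Merlin firewall-start user script that keeps an IoT address range from opening connections to the rest of the LAN while still allowing it out to the Internet. The bridge name br0, the 192.168.1.0/24 subnet, the 192.168.1.200-254 IoT range and the chain name IOT_ISOLATE are all assumptions. It also shows the limitation the poster suspects: iptables only sees traffic that reaches the router's IP stack, so two wired hosts on the same switch and VLAN talk to each other without ever hitting these rules, and same-bridge wireless clients are only covered where br_netfilter is active. The script therefore prints its rules by default so they can be reviewed before applying.

```shell
#!/bin/sh
# Added example (not from the thread): isolate an IoT address range on a
# single-bridge LAN with iptables. Values below are assumptions.
LAN_IF="${LAN_IF:-br0}"                              # assumed LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"                 # assumed LAN subnet
IOT_RANGE="${IOT_RANGE:-192.168.1.200-192.168.1.254}" # assumed IoT leases
CHAIN="IOT_ISOLATE"                                   # assumed chain name

# Emit the rule set as plain commands (one per line) instead of running it,
# so it can be reviewed or tested without root or a real iptables binary.
iot_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -F $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -i $LAN_IF -o $LAN_IF -m iprange --src-range $IOT_RANGE -d $LAN_NET -j DROP
iptables -A $CHAIN -i $LAN_IF -o $LAN_IF -m iprange --dst-range $IOT_RANGE -s $LAN_NET -j DROP
iptables -D FORWARD -j $CHAIN
iptables -I FORWARD 1 -j $CHAIN
EOF
}

# Number of filtering rules appended to the chain (useful as a sanity check).
iot_rule_count() {
    iot_rules | grep -c '^iptables -A'
}

# Reports whether a bridged frame would even reach these rules. On Linux the
# FORWARD chain sees bridged traffic only when br_netfilter is loaded and
# bridge-nf-call-iptables is 1; wired-to-wired traffic switched in hardware
# on the same VLAN never reaches the CPU at all. Prints "yes" or "no".
bridge_traffic_visible() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo yes
    else
        echo no
    fi
}

# Apply the rules for real. "-D FORWARD" is expected to fail on first run
# (nothing to delete) and "-N" fails if the chain already exists; both are
# harmless, so each command is allowed to fail individually.
apply_rules() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found; nothing applied" >&2
        return 1
    fi
    iot_rules | while IFS= read -r cmd; do
        $cmd 2>/dev/null || true
    done
    echo "bridge traffic visible to iptables: $(bridge_traffic_visible)"
}

# Usage: ./iot_isolate.sh show   (print rules)   |   ./iot_isolate.sh apply
case "${1:-}" in
    show)  iot_rules ;;
    apply) apply_rules ;;
esac
```

Run it with `show` first and read the rules; `apply` needs root on the router. The ESTABLISHED,RELATED accept comes first so replies to connections the IoT devices open towards the Internet are not dropped by the two range rules, and because the chain ends without a verdict, IoT-to-WAN packets fall back to the normal FORWARD rules. The `bridge_traffic_visible` check is the practical answer to the "same network interface" doubt: if it prints `no`, same-subnet traffic between a wireless IoT device and a wired desktop is not filtered here, and a separate interface or VLAN is the only reliable boundary.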
  2. Smokindog

    Smokindog Senior Member

    Jun 30, 2016
    The Great State of Texas
    Thoughts off the top of my head. Hope I understood your goals!

    1) To my knowledge the guest network can only be isolated from the rest of the network on the main router node. On an AP node it is nothing more than an alias to the wireless that can have a differing passcode. So you can isolate the yellow in that respect.

    2) If I understand your use cases correctly, why not just move that AC68 between the AC86 and the Netgear switch and change it to router mode (e.g. AC86 LAN to AC68 WAN and NAT yet again) and create another independent network for the Blue area. This will allow you to completely isolate Blue from Yellow, now allow an isolated guest network in the Blue as well as the Yellow and give you the divisions I think you asked for without a lot of configuration and management.

    If I misunderstood your desires I apologize in advance!
  3. Michel

    Michel New Around Here

    Nov 24, 2017
    Thank you for the quick reply!

    1. The issue is that yellow area is not only WiFi but also has one device connected via Ethernet :-(

    2. Moving the AC68U between the AC86U and the switch could be a solution, but the AC68U would end up being in a location with a low signal. So realistically I would need to buy another access point. But it is definitely a consideration if there are no other ways to deal with it by setting up the AC86U.
  4. Smokindog

    Smokindog Senior Member

    Jun 30, 2016
    The Great State of Texas
    OK but I thought you said there was no need for communications between devices so I don't see the issue? NOTHING in the Yellow HAS to change in what I proposed. Also, you need not move the location of the Blue devices if you have a second wire available between the switch and the router. Use one TO the AC68 WAN and one BACK to the Netgear switch from an AC68 LAN port.

    That said, for under $100 you can pick up another AC68 class router for an AP OR take this as an opportunity to upgrade and re-purpose other equipment (that's how I normally "grow").
  5. Michel

    Michel New Around Here

    Nov 24, 2017
    There is no need for devices between the blue area and yellow area to communicate, or the IoT devices with the other devices of the network.

    I guess I am not very clear about what you meant in

    What do you mean by the guest network? (Every reference to guest network I've mentioned was about WiFi guest network.) So I guess I could create a guest network using YazFi on the AC86U for the yellow area, but then there is this other wired device that is part of the yellow area that I need to isolate from the blue area.
  6. EmeraldDeer

    EmeraldDeer Very Senior Member

    Dec 22, 2017
    Wireless - I have 2.4 GHz set to not allow communication to other devices on the AP. I have a guest network on 2.4 GHz without LAN access, just Internet. All of my IoT devices are connected wirelessly to this guest network.

    Wired - I have an RT-AC3200 in AP mode connected to a Cisco SG300-10 in layer 3 mode. Anything connected to the AP is isolated from the LAN, just Internet. But I do not recommend this:
    • A layer 3 switch is expensive
    • Setting this up was difficult without templates to follow
    • The ruleset to protect my LAN is of my own invention rather than tested by thousands of users