Unhappy with AiMesh? - Try traditional AP mode if wired backhaul available

[maxbraketorque]

I've had my two router setup at home operating in AP mode for about a year. When I first set it up, devices wouldn't readily switch from one AP to the next, so I had to use the Roaming Assist feature to encourage jumps. Merlin had mentioned in recent months that ASUS is now incorporating 802.11k and 802.11v protocols into their routers. These protocols provide information to wireless devices to allow them to more readily jump from one AP to the next. I had assumed that ASUS was only using these for AiMesh, but a few days ago, I found that these protocols are active for the traditional AP mode. Once I realized that, I disabled Roaming Assistant and moved several of my wireless devices through the house to see how well they transitioned between the two APs. My MacBookPro and Galaxy Note 8 both seamlessly transitioned back and forth between APs at the right time. My wife's W10 laptop wasn't transitioning well until I got into the advanced settings for the NIC where I adjusted the Roaming aggressiveness. Then it transitioned seamlessly as well.

AP mode has always been totally reliable, and now that wireless devices are seamlessly transitioning from one AP to the next due to ASUS's adoption of 802.11k and v, my suggestion is that if wired backhaul is available, there is no need to use AiMesh. Besides AP mode being rock-solid, another key advantage of AP mode is that its fully configurable. I have one AP set to UNI-I and the other set to UNI-III so there is no channel overlap. I have full control over all the advanced wireless setting. I can (and do) have separate 2.4 GHz and 5 GHz networks.

 

[#TY]

Can you provide screenshots of your configuration on both routers please?

 

[OzarkEdge]

I've never used AP mode... never had cables in place.

I've read here that guest WLANs enabled on APs are not isolated. So, a security concern.

If a guest WLAN is enabled on the router, is it also enabled on an AP? Or, does AP mode afford its own control over guest WLANs... such that you can keep them disabled on the AP to avoid the security concern?

OE (not unhappy with AiMesh since I need wireless)

 

[Grisu]

Aimesh doesnt support Guest-Wifi on nodes for the same reason (without additional security enhancements like VLAN).
In AP mode you can open guest-wifi, but master router cant see any differences wheter you are connected to main or guest SSID on the node, so you will have full access with either.

 

[maxbraketorque]

Can you provide screenshots of your configuration on both routers please?

Can do this evening.

Aimesh doesnt support Guest-Wifi on nodes for the same reason (without additional security enhancements like VLAN).
In AP mode you can open guest-wifi, but master router cant see any differences wheter you are connected to main or guest SSID on the node, so you will have full access with either.

I only have the 2.4 GHz radio enabled on the controlling router, and my guest network is on 2.4 GHz only. I'm pretty sure that takes care of any guest network security issues but limits potential range for the guest network.

 

[quadra2030]

macOS doesn't support 802.11k - just for your information.. btw, Apple Airport router is separating guest network to its own VLAN (so the guest network is isolated on other Airport APs too).

 

[Grisu]

yes sure. Guest is only available if corresponding wifi-band and main SSID are active on this router or node.

 

[OzarkEdge]

Aimesh doesnt support Guest-Wifi on nodes for the same reason (without additional security enhancements like VLAN).
In AP mode you can open guest-wifi, but master router cant see any differences wheter you are connected to main or guest SSID on the node, so you will have full access with either.

So then, AP mode offers insecure guest WLAN, while AiMesh offers secure guest WLAN on router only.

OE

 

[Grisu]

They both dont offer secure guest WLAN on nodes - point!
You can activate guest on nodes via command line on Aimesh nodes too, only not as easy as on AP GUI.

 

[Smokindog]

So then, AP mode offers insecure guest WLAN, while AiMesh offers secure guest WLAN on router only.

OE

Ummmm NO. Once again you've mis-stated what someone said. Each node when using Router/AP mode is individually configurable whereas each node in Router/AiMesh node is NOT.

Using AP mode you get to decide IF you want a guest WLAN per node. You get to avoid frequency overlap per node. You get to decide SSIDs per node. You get to decide MOST EVERY setting per node.

You get all the functionality without the detriments of AiMesh.

Again, on a 2 radio device, AiMesh without a wired backhaul is nothing more than using one of the radios for the backhaul as a bridge while sacrificing configuration and control. With a wired backhaul it gives you nothing over AP mode and takes away much of your ability to manage the network.

You can continue to refuse acceptance of this but you can't change the facts surrounding it.

 

[Grisu]

Ummmm NO.

Sorry but I have to disagree!
OE is correct if you read it correct, one by one.

AP mode offers insecure guest WLAN,

Correct, you can set guest SSID on AP node (easily via GUI), but there is no difference for guests over main SSID on this node or a LAN connection on it, you all can access just everything on master router.
Just test it if you dont believe.
Master router will get everything on it's LAN-port, either you are connected to AP's guest or main SSID or even LAN, there is no flag or other indicator to differentiate between any of them.

while AiMesh offers secure guest WLAN on router only.

Correct too!
Aimesh doesn't offer (on GUI) guest Wifi on its nodes, so it is secure because you can use guest wifi only on master router where it is secure (if set correct only for internet access).

 

[Smokindog]

Sorry but I have to disagree!
OE is correct if you read it correct, one by one.

The guest WLAN offered under AiMesh and on the router are the same. You don't have to enable the quest on the APs. Sorry but he's wrong. And as you pointed out, you can do the same thing under command line control with AiMesh.

His two unrelated assertions imply AiMesh is offering something you don't have without it and that's not true.

I'll say it again. If people believe they gain benefit from AiMesh than that's awesome.

 

[Grisu]

I think you have to read it in his mind, you dont understand him like he might think about it.

He says AP allows to set a guest Wifi and you will never read anywhere that it will open full access to your master router!
There is no warning or anything, so many (not to say most) people or average user will think all ok to activate guest-SSID on AP-nodes too.
But thats just wrong.

In Aimesh mode they are lazy and never developed guest-wifi on Aimesh nodes like other vendors did.
So it is secure but guests wont be covered in AP-areas.

I know you mean the same, but same words can be understood in different ways with different or even opposite meaning

 

[Smokindog]

That's a stretch IMO and what is "secure" about any of it. Another subjective statement.

As with any feature, if you don't understand it then you can muck it up

Again, the statements make a clear implication that AiMesh guest WLAN is "more secure" (whatever that means) than enabling the guest WLAN on the router in a router/AP network and it is NOT. It is identical.

And just for the record, are you aware (at least on my AC3100's and AC68's) that you have full control to set the authentication mode/passcode individually on each node when using APs??? On the AC3100 you have to click on the the guest SSID after adding it to get to the menu for the authentication management.

Images below are from 2 of my APs, an AC3100 and an AC68, I may even pull out an N66 and an AC66 and maybe even an N16 to see if they're the same as the other APs.

UPD1 - AC66 same as 68 for Guest Wlan "security" when added as AP
UPD2 - N66 same

I think you have to read it in his mind, you dont understand him like he might think about it.

He says AP allows to set a guest Wifi and you will never read anywhere that it will open full access to your master router!
There is no warning or anything, so many (not to say most) people or average user will think all ok to activate guest-SSID on AP-nodes too.
But thats just wrong.

In Aimesh mode they are lazy and never developed guest-wifi on Aimesh nodes like other vendors did.
So it is secure but guests wont be covered in AP-areas.

 

[OzarkEdge]

Thanks, I think I got my answer... guest WLANs are optional on APs, so as long you don't enable a guest WLAN on an AP, you remain secure. I wasn't sure if a guest WLAN enabled on the router also propagated to any APs... apparently not.

OE

 

[OzarkEdge]

Ummmm NO. Once again you've mis-stated what someone said.

Chill out... I'm only trying to discuss the matter in so many words. Get a different hobby besides picking apart forum posts to feel superior.

OE

 

[Smokindog]

Chill out... I'm only trying to discuss the matter in so many words. Get a different hobby besides picking apart forum posts to feel superior.

OE

I'm not. You said something that wasn't true and I'm simply straightening out the record.

I'm glad you're happy with AiMesh. And if you recall, I wasn't the one casting personal insults and name calling on any of these issues. I've stuck with the facts.

What is your exact "you remain secure" all about. What is your specific security issue with the guest WLAN on the AP? Is it simply the lack of isolation?

 

[OzarkEdge]

I'm glad you're happy with AiMesh.

Instead of carping all over every thread here that wants to discuss using AiMesh, an Asus router feature, you should start your own topic on why AiMesh is so terrible. Explain it however you want for anyone who wants to read it.

OE

 

[thiggins]

@OzarkEdge , @Smokindog : Refrain from personal attacks and stick to the topic.

 

[maxbraketorque]

macOS doesn't support 802.11k - just for your information.. btw, Apple Airport router is separating guest network to its own VLAN (so the guest network is isolated on other Airport APs too).

I wasn't aware of that, but not sure it matters. My MacBookPro is definitely jumping from AP to AP more readily than a year ago. Perhaps is because of the 802.11v protocol.

Thanks, I think I got my answer... guest WLANs are optional on APs, so as long you don't enable a guest WLAN on an AP, you remain secure. I wasn't sure if a guest WLAN enabled on the router also propagated to any APs... apparently not.

OE

This is what I believe to be true, but I have yet to try it. I won't be back home until Friday to try, but it sounds like Smokindog has tried this and verified it.