AiMesh with Guest WiFi and a Switch - Configuration and Best Practices

sandiegoboy

Occasional Visitor
My Setup - looking for some advice on configuration and best practices. Apologize for long post and my obvious lack of knowledge
  • AiMesh
    • I have an ASUS RT-AX86U (regular not the pro) on latest stock asus firmware. This is the main node
    • I have aimesh node ASUS RT-AX58U
    • I have aimesh node ASUS RT-AC68U
  • Networking
    • FiberOptic Terminal connected to AX86U directly
    • AX86U connects to a GS108Ev3 - 8-Port Gigabit Ethernet Smart Managed Plus Switch
      • Switch settings are 100% default.
        • VLAN port based = Disabled
        • 802.1Q is disabled
    • RT-AX58U, AC68U, some other wired devices connected to this Switch via ethernet
  • Devices
    • Personal Devices
      • I have several laptops via wifi and also ETH. Also several smartphones
      • I have a Windows 10 homeserver as well via ETH. This is properly secured
    • Smart/IOT Devices on ETH
      • Smartthings Hub via ETH (only option)
      • 2 Brother printers via ETH (only option)
      • Obi200 voip box via ETH (only option)
      • One laptop in entertainment center normally unlocked - via ETH (could be WiFi)
    • Smart/IOT Devices Wifi
      • Aqara Hub
      • Meross Switch, MyQ garage door, Wyze doorbell and cameras
      • nVidia Shield, Onn media player, MiBox media player, Smart TV
      • Sonos Speakers
I was looking at guests at home, I realized that they in the past normally access the main WiFi which allows them to see everything. Also recently, I thought that some of those IOT devices may not be trustworthy. Those media players, cameras, switches, etc
I started reading that maybe I should leverage/enforce the guest network feature. Some comments that some folks leverage them for IOT as well
  • Guest-1 at 2G and Guest-1 at 5G are supported via vlan and get IP on 192.168.101.x and 192.168.102.x range
  • Guest-2 and Guest-3 are supported via Firewall rules and get IP on "regular" 192.168.1.x and 192.168.1.x range
So based on my concerns to more properly/securely configure my network. The questions I have
  1. I am not clear whether I should leverage only Guest-1 or only Guest-2 / 3 or combined ? Sounds like Guest-1 is more secured but I am not sure if I should split guests visiting with my own IOT devices ? And which goes where ?
  2. I am questioning now my configuration AiMesh with ethernet backhaul through the switch since I have more than one VLAN? The switch (not configured for 2 VLANs) is between ai mesh nodes which support 2 VLANs
    1. I moved two of the media players to the guest network-1 and they seem to work fine even although the switch does not have any configuration other than default. Is this expected ? I had the sense that the devices were a tad slower than normal to start a youtube video for example
  3. How to deal with some of the ETH connected smart devices I rather move out of the network. The WiFi connected smart devices can move to one of the guest networks
    1. Some need to stay (printers/scanner) since they need direct access from PC
    2. Some can move to WiFi and deal with them via Guest network
    3. Some best to move to other VLAN via settings on Netgear Switch - port based ??
      1. Unfortunately one of those (Shared open PC) is connected via ETH to the AC68U and not to the switch. Worst case maybe can force this to WiFi
 
Two things to bear in mind which may dictate other aspects of your network design;

1) Guest networks only apply to wireless devices, not ethernet connected devices. *
2) Only the first guest network on each band (2.4GHz and 5GHz) can be propagated to AiMesh nodes as isolated networks. The other two guest networks (on each band) on AiMesh nodes will just be regular access points connected to the main LAN network.

* Theoretically you could use your smart switch's port based VLAN to connect ethernet devices to one of the isolated wireless guest networks.
 
Kind of answering my own questions
  1. I was able to get my guest wifi network to work on all the nodes through the smart switch (leverage 802.1Q settings)
  2. I started to move all IOT / smart devices to the guest network. Moved some media devices and all is good
  3. Some iot/smart devices that only support ETH are more tricky/error prone. You can set port based. Although if I move the device in the future and "forget" the problem exists.
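
An added example, not from any poster in this thread: one way to catch the "moved the device and forgot" case is to audit DHCP leases against the address ranges quoted above and flag any untrusted device that ended up on the main LAN. The dnsmasq-style lease layout, the /24 masks, the MAC addresses and the hostnames are assumptions; the sample leases are constructed.

```python
import ipaddress

# Ranges as quoted in the thread; the /24 masks are an assumption.
SEGMENTS = {
    "main-lan": ipaddress.ip_network("192.168.1.0/24"),
    "guest1-2.4GHz": ipaddress.ip_network("192.168.101.0/24"),
    "guest1-5GHz": ipaddress.ip_network("192.168.102.0/24"),
}
ISOLATED = {"guest1-2.4GHz", "guest1-5GHz"}

# Constructed sample, assumed layout: expiry, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1700000000 02:00:00:00:00:01 192.168.1.10 homeserver *
1700000000 02:00:00:00:00:02 192.168.101.21 wyze-cam *
1700000000 02:00:00:00:00:03 192.168.102.33 shield *
1700000000 02:00:00:00:00:04 192.168.1.57 st-hub *
1700000000 02:00:00:00:00:05 10.0.0.9 unknown-box *
bad line
"""

# Hypothetical MACs of devices that must stay off the main LAN.
# Keyed on MAC rather than hostname because the client chooses its hostname.
UNTRUSTED_MACS = {"02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:04"}

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def parse_leases(text):
    """Yield (mac, ip, hostname) per lease line, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        try:
            yield fields[1].lower(), ipaddress.ip_address(fields[2]), fields[3]
        except (ValueError, IndexError):
            continue

def audit(text, untrusted_macs):
    """List (hostname, ip, reason) for leases that break the intended layout."""
    findings = []
    for mac, ip, host in parse_leases(text):
        seg = segment_of(ip)
        if seg is None:
            findings.append((host, str(ip), "outside known segments"))
        elif mac in untrusted_macs and seg not in ISOLATED:
            findings.append((host, str(ip), "untrusted device on " + seg))
    return findings

print(audit(SAMPLE_LEASES, UNTRUSTED_MACS))
```

A wired device that is re-plugged into a port without the port-based VLAN setting shows up here with a main-LAN address, like the constructed `st-hub` entry.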
 
