Asus AIMesh Guest network issues

Another data point.

AX86U router and a second AX86U as node, both running Merlin 386.4. Directly connected Ethernet backhaul (no switches) on 2.5 Gbps ports. Guest network 1 @ 2.4 GHz with IoT devices connecting just fine on both router and node and getting 101.x IP addresses.

I have experienced the issue of failing to connect to the guest network and get an IP (unless the allow intranet access was enabled) on some prior alpha (386.2 alpha 2) version and concluded the iptables entries had been hosed by one of those earlier firmware builds and was blocking the DHCP flow. There was a fix for broken firewall rules in 386.2 beta 2, so after updating I ended up completely resetting and re-configuring the router and node and guest network with intranet access disabled worked again.

Some comments on the topic here: http://www.snbforums.com/threads/new-ax86u-node-and-iot-devices.71002/post-671422. Notice this also occurred on my AC5300 that I was in the process of replacing with AX86U's so was not device specific but rather firmware.


Figured out how to fix this (again) today. RT-AX86U main and RT-AC86U node.

The 2.5G ports break something with the guest network and INTRANET DISABLED, they lose internet access. If you backhaul on the regular port the issue resolves. Guest network devices can connect to internet with INTRANET DISABLED.

This post: https://www.snbforums.com/threads/rt-ac68p-fios-wan-dropouts-on-386-x.73214/post-727742
clued me in that it might be port and VLAN related, as I didn't have this issue with an AC86U (Merlin) as the main router and an AC88U (stock) as a node. (I had to use stock on the node as Merlin there had this issue, at that point anyway.)

I think whatever VLAN options Asus implements via GUI that was at some point fixed for nodes hasn't made its way to the 2.5G port yet.
 
I had this issue on my AX86U using the 2.5GbE port for WAN... guest1 WLAN (no intranet access) clients lose Internet access. I have since updated to the June 2022, firmware 49447 and stopped using the 2.5G WAN port... and the issue is gone. HOWEVER, I also have the issue at two other sites NOT using the 2.5GbE port (standalone routers, not yet updated). I'm inclined to conclude that the issue is unrelated to the 2.5GbE port and that it is fixed in the current firmware... I consider it a now-fixed defect in the new guest1 implementation.

I also switched to not using Smart Connect and not using Wireless Mode Auto.

OE
 
Thank you all guys! With the main router (RT-AC86U) on MerlinWRT 386.4 and the node (RT-AC86U) running on Asus 3.0.0.4.386_45956-g23134c9 I confirm it now works as it should!
Meaning I can connect to the guest network, without intranet access and still get an IP and use the internet without browsing the intranet!

Thank you all so much! Finally it's safe! ;-) #happy

Well it broke again... Grrrrr....

I had a notice (for quite some while) that there was an update for my main RT-AC86U (which was running on version 386.4). So I finally decided to update the router to the latest version: 386.7_2 (MerlinWRT).
The node, also an RT-AC86U, is still running on the official Asus version: 3.0.0.4.386_48260-gd4c241c (unfortunately no new updates available from Asus).

So after the upgrade of the firmware of the main router all the same problems are back. E.g. when you select the "Guest Network" (with "Access Intranet" set to "Disabled") you will not be able to connect (stuck on getting IP-address). The exact same issue as before. The only way to get the "Guest Network" running again, like before, is by changing "Access Intranet" to "Enabled" (something which you really do not want on a guest network obviously).

So is there a (new) solution for this in general? Unfortunately there is no update for the node firmware from Asus...
If there is no solution, can I downgrade the main router back to version MerlinWRT 386.4? Then I can get the guest network to work properly again, unless there is a different solution for it of course.

Extra information: for the guest network I only use the 5.0 GHz network and the first option, see screenshot. In the screenshot it shows "Access Intranet" being "Enabled", otherwise the guest network wouldn't work at all (see above).
 

Sorry to hear it’s not working for you.

FWIW, I have:
RT-AC1750 B1 on Merlin 386.7_2 AC68U firmware as AiMesh router
RT-AC66U B1 on Stock 386_49703 as AiMesh node with wired backhaul

Guest is set up very much like yours, 5 GHz only. Access Intranet is set to disable.

Guest network is working as well as ever.

So perhaps there’re differences between AC68U and AC86U builds of 386.7… Did you try 386.7_0?
 
What kind of backbone are you using?
Any switch between routers and node?
 
Sorry guys, didn't receive a notice of the new posts...

Yeah it's weird, as it was working before without issues, until I updated from 386.4 to 386.7_2 on the main node/router.
After that the issues started to pop up again; the only way to make the guest network work is setting "Intranet Access" to "Enabled", otherwise it will not assign an IP.

Backbone as in? Using a glass fiber modem along with a switch under my desk.
It's connected like this; glass fiber modem > Main router (RT-AC86U with MerlinWRT) > Switch > Various other stuff and Asus node (RT-AC86U with original Asus FW).

The above setup was working until I upgraded the firmware on the main router. Guess I will go back to the previous version and leave it like that.
Or try a different version of MerlinWRT first...

Disabling NAT Acceleration is not really my cup of tea to be honest. Especially since I am on a 1 Gbit/s up/down connection.

I did read something, somewhere on this forum, that the first profile for guest network was bugged. Cannot seem to find the post though, but I will give that a go as well.
In the meantime I found a different (similar) post here about using the 2nd profile/slot. Oh and here was the other post.

Will give it a new go later this week or next week. Busy days currently, so not really time to test it all unfortunately.
 
Have you tried to patch the node directly to the main router with no switch in between?
 
That's not an easy job, given the locations, power connections and so on. It's easier to test the different profiles or downgrade, as it has worked before upgrading the firmware (as mentioned).
 
I meant primarily for troubleshooting. Looks like ASUS is using VLAN to isolate guest network (Intranet=Disabled) and if so, it might never work again with new firmware.
If it works by connecting it directly to the router, the solution could be to swap the switch for a configurable one that can pass the VLAN to the node.
 
When using guest networks across a mesh the Sync to AiMesh Node needs to be set to All. This is a setting in each guest network setting.
Ah okay. Well moving everything around is a lot of work in my situation. But perhaps some added cleaning would justify it...

I have a pretty decent switch I think: Cisco SG200-26.
 
That switch is manageable... have you tried to pass VLAN 501 and 502 for guest network through that? If you don't configure it to handle them it will not pass the traffic and/or will untag it and then it doesn't work...

It's discussed here:
 
Uhmz.... I will give that a go! Many thanks.
Maybe I can finally use MerlinWRT on both routers as well then!

Thanks again, will report back when I have given it a go. Probably next week.
 
Have you tried it yet? :)

OE
 
No, as it works with nodes connected directly to router, I don't really need to go via the switch. Hope I get time to try it out during the autumn, just for curiosity...
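
Added example, not from any poster in this thread: a Python check for the situation discussed above, where a switch between router and node may drop or untag the guest VLANs (501 and 502, as named in the thread), leaving guest clients stuck on getting an IP. It compares which VLAN IDs carry DHCP on each side of the switch; the frames are constructed samples standing in for packet captures, and all function names are hypothetical.

```python
import struct

GUEST_VIDS = {501, 502}  # VLAN IDs the thread names for the guest networks

def parse_frame(frame):
    """Return (vid or None, ethertype, payload) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == 0x8100:  # 802.1Q tag: 16-bit TCI, then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return vid, ethertype, frame[offset:]

def is_dhcp(ethertype, payload):
    """True for IPv4 UDP traffic between ports 67 and 68."""
    if ethertype != 0x0800 or len(payload) < 20:
        return False
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] != 17 or len(payload) < ihl + 4:
        return False
    ports = struct.unpack("!HH", payload[ihl:ihl + 4])
    return set(ports) == {67, 68}

def dhcp_vlans(frames):
    """Set of VLAN IDs (None = untagged) on which DHCP frames were seen."""
    seen = set()
    for frame in frames:
        vid, ethertype, payload = parse_frame(frame)
        if is_dhcp(ethertype, payload):
            seen.add(vid)
    return seen

def lost_guest_vlans(before_switch, after_switch):
    """Guest VLAN IDs carrying DHCP before the switch but absent after it."""
    return sorted((dhcp_vlans(before_switch) - dhcp_vlans(after_switch)) & GUEST_VIDS)

def sample_dhcp_frame(vid=None):
    """Constructed sample: header-only DHCP request, optionally 802.1Q tagged."""
    macs = b"\xff" * 6 + bytes.fromhex("02aabbccddee")
    tag = struct.pack("!HH", 0x8100, vid) if vid is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    udp = struct.pack("!HHHH", 68, 67, 8, 0)
    return macs + tag + struct.pack("!H", 0x0800) + ip + udp

if __name__ == "__main__":
    before = [sample_dhcp_frame(501), sample_dhcp_frame(502), sample_dhcp_frame()]
    after = [sample_dhcp_frame(), sample_dhcp_frame()]  # tags stripped in transit
    print("guest VLANs lost across the switch:", lost_guest_vlans(before, after))
```

An empty result means every guest VLAN seen on one side was also seen, still tagged, on the other.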
 
I have found that NAT acceleration causes the problem with the guest network not connecting with 'access intranet' disabled

Switching NAT Acceleration to "disable" under http://router.asus.com/Advanced_SwitchCtrl_Content.asp solved the problem at least for me
@Prowler_gr I just wanted to thank you. I was having the issue where my aimesh guest wifi clients couldn't get out to the internet. Once I disabled NAT Acceleration the guest wifi endpoints could access the internet. THANK YOU!!!
 
So I'm a little late to this thread, but this seems to be talking about the issue I'm encountering now, where clients connected to the guest network of the AI Mesh Nodes are not connecting when "Access Intranet" is set to disabled.

GT-AX6000 (3.0.0.4.388_21617-g1288c22) as main router
RT-AX88U (3.0.0.4.388_20558-g9ebe4e1) as AI Mesh node connected via wired
TUF-AX5400 (3.0.0.4.388_21224-g702a50f) as AI Mesh node connected via wired

For my setup, because almost every room in the house has an Ethernet wall jack, which runs to a patch panel in the basement, I have an unmanaged multiport gigabit switch down there that each port on the patch panel connects to. In other words, each room's wired wall jack is run down to the basement and connected via the basement switch.

That means the GT-AX6000, which is upstairs, is connected to the patch panel in the basement. From there, it goes to the unmanaged gigabit switch in the basement to which the rooms with the AX88U and AX5400 are connected, as are the other rooms with wired devices.

If I'm reading this thread right, that switch "in the middle" might be the cause of the issue? Removing the switch, meaning the AX88U and TUF-AX5400 are plugged directly into ports on the GT-AX6000, might be the solution? Is that correct?

So as a test *IF* I remove the switch from the basement and connect the GT-AX6000 and RT-AX88U directly (I should be able to connect the upstairs port and the RT-AX88U port on the patch panel temporarily to test), and I connect a device to the Guest Network on the RT-AX88U and it works (access intranet=disabled, and device can connect and hit the internet), then it's the unmanaged switch causing the issue?

Is there any way to possibly make this work while having switches in between? I mean, I need to have at least 1 switch in between the GT-AX6000 and TUF-AX5400. The TUF-AX5400 resides in my son's room which doesn't have a wired Ethernet jack, and has poor wifi without the AP being in there, so currently I tap off a switch in the playroom (which has several wired devices) then run a wire along the baseboard to the AX5400 in my son's room.
 
Do you have a detailed diagram of your setup to share? It may help.
 
Not the best or most detailed (don't have every item listed in every room), but hopefully works. I circled the 2 switches in red.

As I said, while I could potentially bypass the basement switch by jumpering the patch panel from the GT-AX6000 to the RT-AX88U for testing, even if that works, I will not be able to bypass the play room switch the TUF-AX5400 is connected to. Unfortunately the roof design above my son's room (2 joining slopes) makes it near impossible to get up and into the crawl space above his room to fish a new wire down his wall.
 
