AsusWRT and guest network with no intranet access on AP mode


robca

Regular Contributor
I have 2 RT-AC68U running AsusWRT 384.13. One is the main router, connected to the internet via a cable modem. The other is configured as AP mode and connected to the main router via ethernet. The primary router provides 2 SSIDs, let's call them SSID1_24 and SSID1_5. The secondary AP uses SSID2_24 and SSID2_5.

Due to the house configuration, the main router is in a place with poor signal propagation, so most devices connect to the secondary AP. Since I have a few IoT devices connecting to the AP, I want to create a guest network with no intranet access, to isolate potentially unsafe devices from the main network (too many IoT devices have very weak security)

I just realized that the AP device cannot enable Guest network with "intranet access = disabled", given that it has no routing ability.

Is there a way to set up a guest network on the AP and limit devices connected there from accessing the intranet? Can I use MAC filtering to do so (on the main router)? Any clever way to isolate a few IoT devices to ensure those cannot put the rest of the network at risk?
 
Since all my IoT stuff (about 24 of them) are only 2.4GHz, I bought a couple cheap (< $20) 2.4GHz TPLink repeaters to propagate the main router's Guest SSID.
 
Good suggestion, but unfortunately I have an Android TV streaming (4k) on 5GHz and multiple cameras on 2.4GHz. A wireless repeater will be too slow for the traffic

Any other suggestion on how to isolate IoT devices on a configuration like mine?
 
How would an extender work differently from my current setup (an RT-AC68U used as AP, basically a repeater), if connected via ethernet? If connected wirelessly, it will still halve the bandwidth
 
I have 2 RT-AC68U running AsusWRT 384.13. One is the main router, connected to the internet via a cable modem. The other is configured as AP mode and connected to the main router via ethernet. The primary router provides 2 SSIDs, let's call them SSID1_24 and SSID1_5. The secondary AP uses SSID2_24 and SSID2_5.

Due to the house configuration, the main router is in a place with poor signal propagation, so most devices connect to the secondary AP. Since I have a few IoT devices connecting to the AP, I want to create a guest network with no intranet access, to isolate potentially unsafe devices from the main network (too many IoT devices have very weak security)

I just realized that the AP device cannot enable Guest network with "intranet access = disabled", given that it has no routing ability.

Is there a way to set up a guest network on the AP and limit devices connected there from accessing the intranet? Can I use MAC filtering to do so (on the main router)? Any clever way to isolate a few IoT devices to ensure those cannot put the rest of the network at risk?

I do not believe guest networks work accordingly on AP or nodes.
https://www.snbforums.com/threads/guest-network-on-aimesh-node.54832/

You could look into Yazfi and see if that can help you in anyway, though I am not sure.
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

You could create a VLAN to isolate your IoT. However, this is not supported by the firmware, so you need to use a script. Look into this thread.
https://www.snbforums.com/threads/help-setting-up-vlan-on-asus-rt-ac68u.49312/
 
How would an extender work differently from my current setup (an RT-AC68U used as AP, basically a repeater), if connected via ethernet? If connected wirelessly, it will still halve the bandwidth
If it repeats or extends the first AP wifi signals then that should include its guest network.
 
If it repeats or extends the first AP wifi signals then that should include its guest network.
In that case, it also halves the speed. The only way to truly repeat wifi signals is to receive the signal wirelessly, and repeat it back wirelessly, which means you only have half as much available bandwidth, and cause problems with 4k streaming while also dealing with other multiple devices.

If connected via Ethernet, then it's identical to my configuration, and it doesn't allow for guest networks.
 
I do not believe guest networks work accordingly on AP or nodes.
https://www.snbforums.com/threads/guest-network-on-aimesh-node.54832/

You could look into Yazfi and see if that can help you in anyway, though I am not sure.
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

You could create a VLAN to isolate your IoT. However, this is not supported by the firmware, so you need to use a script. Look into this thread.
https://www.snbforums.com/threads/help-setting-up-vlan-on-asus-rt-ac68u.49312/
Thanks for the suggestions.

I'm positive that AP or nodes will not do what I need (I tried). You can definitely set up a guest network in an AP, which means a separate WiFi SSID with its own password, but no way to prevent those clients from fully accessing all network resources. Definitely useful if you need to give access to friends without sharing your real password, but not to isolate potentially compromised clients

I have not done extensive YazFi tests, but I'm relatively sure it won't work either, since it also relies on core functionality not enabled on an AP. Happy to be proven wrong, though. Edit: no, as expected it doesn't work https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-45#post-518439

I like the Vlan suggestion a lot, didn't think about it. Will do some tests and report out. Thanks!
 
In that case, it also halves the speed. The only way to truly repeat wifi signals is to receive the signal wirelessly, and repeat it back wirelessly, which means you only have half as much available bandwidth, and cause problems with 4k streaming while also dealing with other multiple devices.

If connected via Ethernet, then it's identical to my configuration, and it doesn't allow for guest networks.
4k only needs about 10 to 20 Mbps. Otherwise do extenders/repeaters include the guest network? Does aimesh include the guest network?
 
4k only needs about 10 to 20 Mbps. Otherwise do extenders/repeaters include the guest network? Does aimesh include the guest network?
Netflix own requirements are for 25Mbps, actually... and I know that on paper there should be enough bandwidth, but I live in a condo with horrendous wifi congestion and poor signal quality (one of the perks of living in a Seattle area full of geeks). I actually had to use 2 devices in an otherwise small space, because of poor signal coverage due to interference

I had to connect the AP via ethernet because it was too slow for the number of devices (cameras, 4k streaming, etc) on that AP. I started with wireless, but it wasn't reliable enough: it worked most of the time, but stuttered frequently enough to be annoying. With a tri-band 5GHz router I guess AiMesh could be made fast enough, but the RT-AC68U is single band on 5GHz, so that link will perform double duty, and perform much worse than an ethernet connection in my current situation. In an isolated single home it might be different
 
Due to the house configuration, the main router is in a place with poor signal propagation, so most devices connect to the secondary AP
Intriguing. Since you were able to run a wire for an AP, why not run a wire to relocate your router to a more advantageous location? How big is the house? Is it possible that if the router was in a better location it might actually cover the whole house?
Since all my IoT stuff (about 24 of them) are only 2.4GHz, I bought a couple cheap (< $20) 2.4GHz TPLink repeaters to propagate the main router's Guest SSID.
Great idea.
Good suggestion, but unfortunately I have an Android TV streaming (4k) on 5GHz and multiple cameras on 2.4GHz. A wireless repeater will be too slow for the traffic
Elsewhere you talk about repeaters "halving" speed. That happens when the client uses the same radio that the repeater uses to talk with the router. (Essentially the radio is "turned off" to clients while it's busy relaying the data to the router.) Some repeaters, Linksys for example, have "cross connect", which means, it detects which radio the client used (e.g., 2.4 GHz) and uses the other radio (e.g. 5 GHz) to talk with the router.
... with horrendous wifi congestion and poor signal quality ... I actually had to use 2 devices in an otherwise small space, because of poor signal coverage due to interference
Have you used a WiFi analyzer (e.g., Acrylic for Windows) to verify your suspicions and/or adjust accordingly?

As an aside I wound up with a wired Ruckus AP at one of my sites. Crazy expensive (compared to Asus) but with the push of a button I was able to set up a "guest" SSID with no access to my intranet.
 
Intriguing. Since you were able to run a wire for an AP, why not run a wire to relocate your router to a more advantageous location? How big is the house? Is it possible that if the router was in a better location it might actually cover the whole house?
I'm renting a multistory condo (horrible layout: the apartment itself is spread over 5 stories, it's like living in a bell tower or a lighthouse :)), so I can't make changes. There was an ethernet run from where the cable modem is situated to a location where I could get better coverage for the rest of the place not covered from the cable modem location. So the main router must be connected to the cable modem, and that location only covers a portion of the place. If I move the main router to the location where I now have the AP, I can use the existing ethernet connection to connect modem and router... but then I don't have another ethernet to connect to the AP

Elsewhere you talk about repeaters "halving" speed. That happens when the client uses the same radio that the repeater uses to talk with the router. (Essentially the radio is "turned off" to clients while it's busy relaying the data to the router.) Some repeaters, Linksys for example, have "cross connect", which means, it detects which radio the client used (e.g., 2.4 GHz) and uses the other radio (e.g. 5 GHz) to talk with the router.

Have you used a WiFi analyzer (e.g., Acrylic for Windows) to verify your suspicions and/or adjust accordingly?
I have IoT devices connected at the same time on 2.4GHz and 5GHz, so both radios are always in use. And, as I said, I don't need to perform deep analysis: using the AP on ethernet, everything works 100% reliably. Using Aimesh or the other RT-AC68U as a wireless repeater, there are reliability problems. Moreover the AP needs to repeat both the main SSID and guest SSID, and as far as I can tell, there is no provision for that as repeater, Aimesh might work, but still too slow. I did use a wifi analyzer to monitor wireless traffic, and it's insane, with multiple neighbors wifi providers having much stronger signal than mine in quite a few places in the condo. I see an average of 12 2.4GHz SSIDs plus 9 5GHz SSIDs in most locations. The Asus site survey sees 59 separate networks, granted some with too low of a signal strength to be usable. It looks as if this building started a wifi race some time ago, with each person installing a minimum of 2 APs each, some 3, judging from the names. And unfortunately the AP location is the one where most devices connect to, due to layout and signal strength, so I end up having >80% of the traffic on the AP

This is not a long term home for me, so I don't want to spend much extra to achieve what I want. I think that there is a way using VLANs to make it work, I just need to find the magic recipe. This seems to be a good starting point https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-360410
 
it's like living in a bell tower or a lighthouse
<lol> I love it! Definitely challenging : -)
Moreover the AP needs to repeat both the main SSID and guest SSID
As per @Ronald Schwerer you would keep the wired AP (for main in-house access) and add a repeater connecting to the router's guest SSID for IoT. But, as per you, try and find a "free" band.
I have IoT devices connected at the same time on 2.4GHz and 5GHz, so both radios are always in use
That doesn't mean "cross connect" wouldn't work. Yes, both radios are "in use" but they're not always "talking". Traffic comes in bursts. Let's say a camera sends 16 frames per second. It sends a frame, then there's about 60 ms of idle time before it has to send another frame. Plenty of time for another device to do something. Yes, with "cross connect" you will collide sometimes but ... not all the time.
There was an ethernet run from where the cable modem is situated to a location where I could get better coverage for the rest of the place not covered from the cable modem location. So the main router must be connected to the cable modem, and that location only covers a portion of the place. If I move the main router to the location where I now have the AP, I can use the existing ethernet connection to connect modem and router... but then I don't have another ethernet to connect to the AP
But if you did relocate the router it would handle, as per you, 80% of the traffic. Perhaps the wireless repeater/extender would be able to handle the remaining 20%?

Because there's already an Ethernet run, sometimes you can push/force another wire through alongside the existing wire?
This is not a long term home for me, so I don't want to spend much extra to achieve what I want.
Yeah, I hear ya. At 2 to 3 hundred the Ruckus ain't cheap (but could be useful at your new mansion).
 
Thanks for the additional comments @Klueless. There's really no way to run another ethernet cable: there are no conduits in place and the cable is stapled to the studs for the portion I can see, so I assume it's also stapled every few feet, as per local code. Usually you can connect two wires on one end, and pull the existing cable, hoping it pulls both (if not, you can always revert, as long as the connection you use is strong enough). But not in this case, not to mention that if anything goes wrong, I have now made a mess that the landlord won't be happy about.

And, yes, the other potential solution is to move the router to the current AP location, then wirelessly connect the AP. Bandwidth-wise, it should be ok. The issue there is that the current location of the AP is in a bad spot, and I also have a NAS connected to it, basically using the Asus as a low end file server, too. So now the NAS would be in a location where it can be damaged. I could obviously connect the NAS back to the AP, but I risk recreating a wireless bottleneck in some cases, not to mention more configuration changes

As I said, if the VLAN works (and the more I look at it, the more I believe it will), I don't need to rearrange anything and I can have all I want in a neat way. So that's my current plan A, then I'll revert to something else if that doesn't work

Many thanks to @Salles for pointing me in the right direction (and everyone else who chimed in)
 
Is there a way to set up a guest network on the AP and limit devices connected there from accessing the intranet? Can I use MAC filtering to do so (on the main router)? Any clever way to isolate a few IoT devices to ensure those cannot put the rest of the network at risk?

Yes it is possible. I am in the same situation where the internet-facing router is in the basement and the Asus is centrally located serving wireless to the house. But instead of AP mode you will need to run the Asus in Router mode. Then just connect the wire coming from the main router to one of the LAN ports. Hardcode the IP address of the asus to be in the subnet. Turn off DHCP on the Asus as presumably the main router has a DHCP server. My main router is 192.168.0.1 whereas my asus is 192.168.0.2. I have ebtables rules in place to kill any traffic from the guest wireless to 192.168.0.x with exceptions in place for 192.168.0.1 plus a range filled with IP printers and Chromecasts, so guests can use these devices.

Having the Asus in router mode opens up all the other features as well. My Asus not only gives Guest network but also VPN servers (IPSec, OpenVPN and PPTP) & Asus AiCloud for file access. This also requires careful forwarding rules from/to main router.

If you are interested in going this route, I can provide more details. You will need the /jffs/scripts enabled to set up the ebtables for the guest WLAN.
 
Yes it is possible. I am in the same situation where the internet-facing router is in the basement and the Asus is centrally located serving wireless to the house. But instead of AP mode you will need to run the Asus in Router mode. Then just connect the wire coming from the main router to one of the LAN ports. Hardcode the IP address of the asus to be in the subnet. My main router is 192.168.0.1 whereas my asus is 192.168.0.2. I have ebtables rules in place to kill any traffic from the guest wireless to 192.168.0.x with exceptions in place for 192.168.0.1 plus a range filled with IP printers and chromecasts, so guests can use these devices.

If you are interested in going this route I can provide more details. You will need the /jffs/scripts enabled to set up the ebtables for the guest WLAN.
Definitely interested, but to be clear I also need the AP to have both a guest network and main network provided by the AP (4 SSIDs in total, main for 2.4 and 5, guest for 2.4 and 5). I cannot dedicate the AP just to guest networks (I call it "AP" just to indicate it's not the primary router)

Wouldn't having the "AP" set up as router cause a double NAT situation?

Anyways, interested in learning more about your solution, thanks!
 
Definitely interested, but to be clear I also need the AP to have both a guest network and main network provided by the AP (4 SSIDs in total, main for 2.4 and 5, guest for 2.4 and 5). I cannot dedicate the AP just to guest networks (I call it "AP" just to indicate it's not the primary router)

Wouldn't having the "AP" set up as router cause a double NAT situation?

Anyways, interested in learning more about your solution, thanks!

No double NAT to worry about, because on the Asus in Router Mode, you can disable NAT and run the wire from one of the LAN ports of the ASUS to the main router, not the WAN port. I think I hardcoded my Asus WAN IP to something nonsensical.
Correct, on my Asus I run my main 2.4 and 5GHz WLANs as well as guest 2.4 and 5GHz SSIDs. I think you can add even more guest SSIDs. Do a google search to find the correct wlX.Y to use in the ebtables to deny guest LAN access.

On the older Asus routers it was even possible in router mode to turn the WAN port into a 5th LAN port using a special command but I have not yet found an equivalent command for my current AC86U.
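The two posts above describe the approach in words only (Asus in Router mode with NAT off, uplink on a LAN port, ebtables rules in /jffs/scripts that drop guest WLAN traffic to the LAN except for the main router and a few shared devices). The script below is an added example of what such rules look like; it is not the poster's script and not part of the thread. It assumes an Asuswrt-Merlin unit with the guest SSIDs wl0.1 (2.4 GHz) and wl1.1 (5 GHz) bridged into br0, a LAN of 192.168.0.0/24 with the main router at 192.168.0.1, and two shared devices at the constructed addresses 192.168.0.50 and 192.168.0.51; the chain name GUEST_ISO and the firewall-start hook are choices made for this example. ebtables sees only bridged frames, so the rules match on the guest bridge port (`-i wl0.1`) and the IPv4 destination; anything on the LAN subnet not explicitly allowed is dropped before it reaches the wire or the main SSIDs.

```sh
#!/bin/sh
# Added example (not from the thread): guest WLAN isolation via ebtables on an
# Asuswrt-Merlin unit running in Router mode with NAT off and the uplink on a
# LAN port. Copy into /jffs/scripts/firewall-start (or call it from there).
# Constructed assumptions: guest SSIDs wl0.1/wl1.1 on br0, LAN 192.168.0.0/24,
# main router 192.168.0.1, shared devices 192.168.0.50 and 192.168.0.51.

LAN_NET="192.168.0.0/24"
GATEWAY="192.168.0.1"                       # main router: DHCP, DNS, internet
SHARED_HOSTS="192.168.0.50 192.168.0.51"    # printers, Chromecasts (assumed)
GUEST_IFACES="wl0.1 wl1.1"                  # first guest SSID on each band
CHAIN="GUEST_ISO"                           # dedicated chain, name is ours
: "${EBTABLES:=ebtables}"                   # set EBTABLES=echo for a dry run

# Print one ebtables argument line per rule, in the order they must be added.
# Order matters: the explicit ACCEPTs must precede the subnet-wide DROP.
guest_isolation_rules() {
    for ifc in $GUEST_IFACES; do
        echo "-A $CHAIN -i $ifc -p IPv4 --ip-dst $GATEWAY -j ACCEPT"
        for host in $SHARED_HOSTS; do
            echo "-A $CHAIN -i $ifc -p IPv4 --ip-dst $host -j ACCEPT"
        done
        # Everything else on the LAN subnet is off limits for guest clients.
        echo "-A $CHAIN -i $ifc -p IPv4 --ip-dst $LAN_NET -j DROP"
    done
}

# (Re)create the chain, load the rules, and hook it into FORWARD exactly once,
# so the script can be re-run without stacking duplicate rules.
apply_guest_isolation() {
    $EBTABLES -N "$CHAIN" 2>/dev/null || $EBTABLES -F "$CHAIN"
    $EBTABLES -P "$CHAIN" RETURN            # non-guest frames fall through
    guest_isolation_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        $EBTABLES $rule
    done
    $EBTABLES -D FORWARD -j "$CHAIN" 2>/dev/null
    $EBTABLES -I FORWARD -j "$CHAIN"
}

# Number of rules the chain should contain after apply_guest_isolation.
expected_rule_count() {
    guest_isolation_rules | wc -l | tr -d ' '
}

[ "${1:-}" = "apply" ] && apply_guest_isolation
```

After applying, `ebtables -L GUEST_ISO --Lc` shows the chain with packet counters, so a ping from a guest client to a LAN host that is not in the shared list should leave the counter on that interface's DROP rule climbing while the ACCEPT for 192.168.0.1 still lets DHCP and DNS through. Each additional guest SSID (wl0.2, wl1.2, ...) only needs to be appended to GUEST_IFACES.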
 
No double NAT to worry about, because on the Asus in Router Mode, you can disable NAT and run the wire from one of the LAN ports of the ASUS to the main router, not the WAN port. I think I hardcoded my Asus WAN IP to something nonsensical.
Correct, on my Asus I run my main 2.4 and 5GHz WLANs as well as guest 2.4 and 5GHz SSIDs. I think you can add even more guest SSIDs. Do a google search to find the correct wlX.Y to use in the ebtables to deny guest LAN access.

On the older Asus routers it was even possible in router mode to turn the WAN port into a 5th LAN port using a special command but I have not yet found an equivalent command for my current AC86U.
Sounds like exactly what I need, then. Do you have a script I can look at? Or any additional info? In any case, thanks for providing an additional way to achieve this

Otherwise I will use the script in this post as a way to get started on ebtables https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-360410. I know I can add up to 4 guest SSID per band, wl0.1 and wl1.1 are the first one for 2.4 and 5, respectively

I'm still a bit confused on where the scripts run... is it just on the primary router or both (and, if both, is it the same script?). I need to read more on all the commands and figure out better how vlan and ebtables work
 