confirmed ongoing bug 2+years in AC and AX-86u routers

[RAJ]

This is actually a pretty big deal of a bug if you don't know about it.

On all of my RT-AC86us, 66u, AX86u Pro with merlin of various versions (its probably not related to merlin) there is a bug in the guest wifi that allows guests to browse network shares even if access intranet is set to OFF.
You will never know it unless you try to look at your network shares using a phone app like cx file explorer on android.

How to invoke the bug
1. On the guest network if you set both the 2.4 and 5Ghz networks to ON using the same password using the first of the three available columns (one above the other with 2.4 at the top. You will be able to browse shares on that network.
How to fix it
2. Use only the 5gz or 2.4gz for the guest leaving the other disabled or
Use the left column for 2.4gz (bottom empty) and the middle column for 5Gz with the top empty. Access intranet OFF on both

Hope that makes some sense. Do I need to upload a screen shot of it?

Not sure why this occurs but it seems consistent with all my asus routers. I own 6 of them.

 

[bennor]

You will be able to browse shares on that network.

To clarify, are you indicating you can only browse the other Network Shares on that Guest WiFi Network? Or are you indicating you can browse Network Shares across ALL the networks, both Guest WiFi Networks and main wired LAN and main WiFi LAN?

Have you tried enabling Set AP Isolated under Wireless > Professional to see if that stops the network sharing you are seeing?

If not using AiMesh, have you tried using the YazFi addon for WiFi Guest Networks to see if that solves your (bug) issue?

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

YazFi - YazFi v4.x - continued

v4.4.4 Updated 2023-11-26 Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to: * Dedicated VPN WiFi networks * Separate subnets for organisation of devices * Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS * Allow guest networks...

www.snbforums.com

 

[RAJ]

To clarify, are you indicating you can only browse the other Network Shares on that Guest WiFi Network? Or are you indicating you can browse Network Shares across ALL the networks, both Guest WiFi Networks and main wired LAN and main WiFi LAN?

Have you tried enabling Set AP Isolated under Wireless > Professional to see if that stops the network sharing you are seeing?

If not using AiMesh, have you tried using the YazFi addon for WiFi Guest Networks to see if that solves your (bug) issue?

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

YazFi - YazFi v4.x - continued

v4.4.4 Updated 2023-11-26 Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to: * Dedicated VPN WiFi networks * Separate subnets for organisation of devices * Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS * Allow guest networks...

www.snbforums.com

I am saying the guest wifi should not allow any viewing of the network at all, just internet. The user will not be aware of this.
On the Private wifi of course I can browse shares, I want to be able to using that. But not on guest WiFi that is for internet only not for total network access.

Example: Office setting you turn on guest wifi for 5ghz and 2.4ghz so patrons can have free wi fi in the lobby. You think your network is invisible since its on Guest and intranet is set to OFF. Think again, its not.

I did not attempt SetAP isolated or other combinations of settings to fix it. I listed what I know to fix it. I was a buddies office and found his shares wide open, he had no idea that phones could see his shares. I checked my home network and sure enough my shares were also visible. The bug has been around at least 2 years, I was surprised to see it in my new AX-86u-PRO too. Might be in all asus routers for all I know I have not tested them all.

Most users do not realize this because they do not hook up to the wifi and test it. So its kind of a big deal for a small business owner thinking his network is hidden from guest wifi users.

 

[bennor]

As you indicated perhaps you should upload a screen shot of your settings. Both Guest Network and Wireless General. (ETA: redacting sensitive information)
Also spell out your network layout. Are you using AiMesh, AP nodes or anything like that? Or do you have have one single router active?
What is the IP address of the main LAN? (ETA: Are you using 192.168.101.x or 192.168.102.x for the main LAN?)

Don't recall my main LAN being accessible from the Guest Network in the past, particularly on a RT-AC68U running the latest Merlin firmware (386.14).

 

[bennor]

Did a very quick and dirty test with a RT-AC68U running 386.14. No AiMesh or AP nodes. Hard factory reset the router and did basic initial setup. No scripts installed. Used same password for Wireless Guest networks both main LAN WiFi and Guest Network Wifi. Setup Guest Network WiFi #1 both 2.4Ghz and 5Ghz. WiFi set to WPA2 with generic SSID's for WiFI (Asus, Asus_5G, ASUS_Guest1, ASUS_5G_Guest1). Main LAN configured for 192.168.1.1. All other settings at default.

The Guest Network #1 clients could not see each other (ping and SMB) and could not access a NAS (both ping and SMB) connected to the RT-AC68U's network LAN port. The Guest Network #1 clients appeared to be properly isolated and could access the Internet/WAN. Main LAN client (wired PC) could not see Guest Network client (ping and SMB)

 

[RAJ]

Did a very quick and dirty test with a RT-AC68U running 386.14. No AiMesh or AP nodes. Hard factory reset the router and did basic initial setup. No scripts installed. Used same password for Wireless Guest networks both main LAN WiFi and Guest Network Wifi. Setup Guest Network WiFi #1 both 2.4Ghz and 5Ghz. WiFi set to WPA2 with generic SSID's for WiFI (Asus, Asus_5G, ASUS_Guest1, ASUS_5G_Guest1). Main LAN configured for 192.168.1.1. All other settings at default.

The Guest Network #1 clients could not see each other (ping and SMB) and could not access a NAS (both ping and SMB) connected to the RT-AC68U's network LAN port. The Guest Network #1 clients appeared to be properly isolated and could access the Internet/WAN. Main LAN client (wired PC) could not see Guest Network client (ping and SMB)

Did you use a cell phone as a guest and use a app like Cx file explorer from a cell phone? Did you have any open shares set to "everyone" ? If tested properly it means not every model has the bug. Many combos to test. Just be aware and not assume its properly isolated until proven otherwise. I lost a bit of trust on that front.

 

[bennor]

Did you use a cell phone as a guest and use a app like Cx file explorer from a cell phone? Did you have any open shares set to "everyone" ?

Yes. One of the guest clients was a Android cellphone using File Manager+ and Ping apps. Another guest client was a Win 11 laptop PC using Windows File Explorer and command line ping. The main LAN connected NAS was a old WD My Cloud device that is not setup with any private password protected shares, it has just a couple of default public shares. It does respond to pings from other local main LAN connected clients.

As previously indicated, post more information about your configuration and network setup. What specific firmware versions are you running. How is your network setup? Are you using AiMesh or AP mode for any secondary routers? Are you running any add-on Asus-Merlin scripts? Post screen shots so others can review to see if there is something enabled causing what you are seeing. With the variety of network configurations and router options its entirely possible something could be enabled or opened to allow traffic to inadvertently pass from Guest to main LAN.

And to confirm; you said you are using Asus-Merlin firmware correct? You are not by chance using the KoolCenter firmware based on Asus-Merlin are you?

PS: The more I think about this, I'm begging to think that someone may have posted something similar here in the Asus router subforums a few years ago. If I remember right it was something about being able to bypass the no Intranet access option of the Guest Network and access main LAN from Guest Network. Cannot find that discussion(s) though in a quick snbforum search. Might have had to do with using Guest Network on AiMesh nodes or AP nodes.

 

[RAJ]

Yes. One of the guest clients was a Android cellphone using File Manager+ and Ping apps. Another guest client was a Win 11 laptop PC using Windows File Explorer and command line ping. The main LAN connected NAS was a old WD My Cloud device that is not setup with any private password protected shares, it has just a couple of default public shares. It does respond to pings from other local main LAN connected clients.

As previously indicated, post more information about your configuration and network setup. What specific firmware versions are you running. How is your network setup? Are you using AiMesh or AP mode for any secondary routers? Are you running any add-on Asus-Merlin scripts? Post screen shots so others can review to see if there is something enabled causing what you are seeing. With the variety of network configurations and router options its entirely possible something could be enabled or opened to allow traffic to inadvertently pass from Guest to main LAN.

And to confirm; you said you are using Asus-Merlin firmware correct? You are not by chance using the KoolCenter firmware based on Asus-Merlin are you?

Its been at least 2 years since I have dealt with this. I have seen it at least three times and also has been documented on the web a few years ago. The networks were a combination of windows server 2012, 2016 some with Xignmanas shares as well as windows shares. My current router with the issue is a
RT-AX86U Pro
3004.388.8_2 (merlin)
Windows server 16 with various VMs and shares
Xigmanas with SMB shares

I had same issue on a AC 86u with various versions of Merlin at the office and one other office in the past 2-3 years. I was not the one the found the original fix, it was another rare poster a few years back. Will have to try to find the original. I thought Asus fixed it and was surprised to see it in 2024. I do not know if it has anything to do with Merlin only that its on some routers by asus. The current fix works as it did in the past. Not sure how common it is or what combination of settings brings it on. Just a heads up for others to be aware to check the shares before you assume they are not visible on the guest network side.

sorry I don't have more information for you ATM. Mine is pretty much stock using DHCP server no mesh. Was 100 percent pure wired for weeks. In my case its a double nat behind a xfinity router. They can't see my other network. I use xfinty for the wifi unless I want to use pihole vpn etc then i will use the asus for wifi which I just turned on recently and is how I found the issue.

 

[bennor]

Digging through some search returns yields this discussion from last year involving AiMesh.

Solved - Guest Network on AiMesh Node has access to LAN on AiMesh Router

Solved: Downgrading Asus RT-AX88U from 3.0.0.4.388.22525 to 3.0.0.4.386.49674 fixed the issue. Solved: Option 2 is to enable firewall ------------------- Hardware: Using Asus RT-AX88U as AiMesh Router (3.0.0.4.388.22525, latest firmware), Using Asus RT-AX56U as AiMesh Node (3.0.0.4.386.49380...

www.snbforums.com

 

[ColinTaylor]

@RAJ I also cannot recreate your problem here. I've set the router up exactly as you describe and am using Cx File Explorer. The guest client is unable the see the private LAN resources.

I don't think the issue @bennor raised is the same as yours as that was specifically to do with AiMesh nodes and you said you're not using AiMesh.

 

[bennor]

I don't think the issue @bennor raised is the same as yours as that was specifically to do with AiMesh nodes and you said you're not using AiMesh.

Probably isn't related if one isn't using AiMesh. Threw it out anyway just in case something in that discussion tickles someone's memories into suggesting other possible causes or fixes.

To know if this is a real bug since others apparently cannot reproduce it; more testing would need to be done including performing a hard factory reset (if it hasn't been done) and flashing stock Asus firmware.

I suppose one could dump the IPTables to see if something there is indicating why one's Guest Network clients can access the main LAN clients.

 

[RAJ]

@RAJ I also cannot recreate your problem here. I've set the router up exactly as you describe and am using Cx File Explorer. The guest client is unable the see the private LAN resources.

I don't think the issue @bennor raised is the same as yours as that was specifically to do with AiMesh nodes and you said you're not using AiMesh.

What router do you own? I don't use AIMesh nodes. When I get more time I will try to recreate it and take some screen shots etc etc. Death in the family lots of things to do so this is low priority atm. Sorry.

 

[bennor]

What router do you own?

ColinTaylor's signature line indicates they have a RT-AX86U Asuswrt-Merlin

 

[ColinTaylor]

What router do you own?

RT-AC68U and RT-AX86U.