Devices in guest network...

[Cr00zng]

Device: RT-AX86U
Asuswrt-Merlin version: 386.3_2
Issue: Neither Screen sharing, nor Airplay work between guess network devices

Both devices, iPhone and Roku stick get their IPs in the the 5G guess network (IP 192.168.102.xxx)
From the router both devices can be accessed via ping.
The devices cannot ping the router, nor can they ping each other.
Both devices can access the Internet without issues, they are blocked from accessing the internal network.

This is the closest discussion I found, that might be related to this issue:

Alternatives to Guest Network for iot devices

First: My apologies if this has already been discussed. I honestly searched the threads. Like many, I created a guest network for all of my iot devices, with the access intranet disabled. However, I'm wondering if this is more trouble than it's worth. Several of my iot devices need to...

www.snbforums.com

Based on the discussion in the link above, it seems that there's no way to control the IP address in the guess network and allow connectivity between them.

I do have a working Asus RT-66R router in the junk-pile, but I am not certain, if this could suitable for Screen sharing, or Airplay. I could probably set this up without the mash network, but would it work?

TIA...

 

[ColinTaylor]

"guest" not "guess".

Try using guest network #2 rather than #1.

 

[Cr00zng]

"guest" not "guess".

Try using guest network #2 rather than #1.

Thanks Colin for correcting my spelling..

I'll try network #2, or 3 tomorrow. I didn't think that the network #s would make a difference.....

 

[ColinTaylor]

I'll try network #2, or 3 tomorrow. I didn't think that the network #s would make a difference.....

Network #1 on each band is implemented slightly differently to the other two. It might make a difference to your problem.

 

[Cr00zng]

Network #1 on each band is implemented slightly differently to the other two. It might make a difference to your problem.

I had set up both #2 and 3 guest networks, the results were pretty much the same. Neither Screen sharing, nor Airplay works.

The assigned IP addresses in #2 and #3 guest networks are in the internal network address range.. Both devices in the guest network can ping the gateway, but not each other. Trying to ping from the internal network to the device in the guest network also fails. The chances are that enabling access to the intranet would remediate this issue, but that's not an option in my case. The intranet is a small business network, exposing it to the guest network is not something that will be considered.

Setting up another router seems like the only option at this point, just for the purpose of Screen sharing/Airplay. My routers, Asus RT-N66R and RT-AX86U, are not in the list of supported devices for FreshTomato firmware. Although, the difference between the Asus RT-N66R and the Asus RT-N66U isn't much, the "R" indicates the store where it had been puchased to my recollection. I'll need to check with FreshTomato forum, if the firmware works with my router on hand. If not, get a relatively new router that on the supported list and replace my AX86U router. The question is, will the freshTomato firmware allow full separation of the guest network from the intranet and access between the devices for Screen sharing/Airplay?

Connecting a laptop to the TV via an HDMI cable is probably the best option until that point...

 

[ColinTaylor]

Are all the devices in question connected to the same guest network? IIRC when "access intranet" is disabled it also enables WiFi isolation. So to disable isolation for the #2 guest network on 5GHz you would do this:

nvram set wl1.2_ap_isolate=0
nvram commit
reboot

 

[eibgrad]

What the OP needs to understand is there is a fundamental weakness in how guest networks are implemented on ASUS. Guests always share the same IP network as the private network. What prevents access to the private network by guests is an ethernet (layer2) firewall called ebtables, which is enabled whenever you disable Access Intranet on the guest network. And obviously that's what you want as your default. But you can NOT then decide to allow access between selective devices on the guest network for the benefit of AirPlay or any other purposes. It's an ALL or NOTHING setting. And it has to be this way because there's no easy/practical means to determine which devices on the private network are actually private vs. guests! They all share the *same* IP network (e.g., 192.168.1.0/24)! That's why I say guest networks as implemented on ASUS have a fundamental weakness. In the case of FT (FreshTomato), things are much different. You place the guest network on its own IP network (e.g., 192.168.2.0/24), and provide isolation from the private network via the ip (layer3) firewall. But devices on the guest network are still able to communicate w/ each other (unless, of course, you enable AP isolation). You can also configure FT to support wired devices on the guest network, unlike ASUS.

 

[ColinTaylor]

@eibgrad What you are describing is not the issue reported by the OP. His problem is not about selective communication between the private network and the guest network.

 

[eibgrad]

@eibgrad What you are describing is not the issue reported by the OP. His problem is not about selective communication between the private network and the guest network.

Well then I don't understand the OP's problem. I was under the impression he wants access between guests for the purposes of AirPlay and screen sharing, which requires Access Intranet be enabled, but that obviously means guests have access to private resources too, NOT just other guests.

 

[ColinTaylor]

Well then I don't understand the OP's problem. I was under the impression he wants access between guests for the purposes of AirPlay and screen sharing, which requires Access Intranet be enabled, but that obviously means guests have access to private resources too, NOT just other guests.

He appears to be talking about two devices connected to the same guest VAP. As such there is no requirement for these devices to be able access the private intranet. They can talk directly to each other over the guest wireless interface provided client isolation has been disabled. This isolation is a feature of the WiFi chipset and not the same the router's ebtables-based intranet isolation.

 

[eibgrad]

He appears to be talking about two devices connected to the same guest VAP. As such there is no requirement for these devices to be able access the private intranet. They can talk directly to each other over the guest wireless interface provided client isolation has been disabled. This isolation is a feature of the WiFi chipset and not the same the router's ebtables-based intranet isolation.

Well I guess then it comes down to whether wireless users that have Access Intranet disabled and AP isolation disabled can talk directly to each other *without* being prevented from doing so by the ethernet firewall. I'm assuming this is NOT possible. I'm assuming that for any given wireless user, the wireless driver will prevent access to some other KNOWN wireless user w/ AP isolation enabled, but if disabled, just let's the traffic pass through, where the ethernet firewall will then prevent access to the private and guest networks.

What YOU seem to be suggesting is that w/ AP isolation disabled, and even Access Intranet disabled, that that traffic will bypass the ethernet firewall, as if they are communicating directly w/ each other, quite literally. Frankly, I never considered it. Again, I'm assuming that traffic always transits the ethernet firewall.

 

[ColinTaylor]

Yes, WiFi clients can bypass the router's Ethernet firewall by talking directly to each other via the wireless interface, similar to how wired clients talk directly to each other via the LAN switch. The problem is there is no fine-grained control of this setting for guest networks in the GUI. The "AP Isolated" option only applies to the primary WiFi networks. For guest networks the isolation mirrors what is set for "Access Intranet". So it has to be overridden from the command line. Of course both clients have to be connected to the same VAP.

Side note: John added an extra option in his firmware to each of the guest network settings to individually control the isolation.

 

[eibgrad]

Yes, WiFi clients can bypass the router's Ethernet firewall by talking directly to each other via the wireless interface, similar to how wired clients talk directly to each other via the LAN switch. The problem is there is no fine-grained control of this setting for guest networks in the GUI. The "AP Isolated" option only applies to the primary WiFi networks. For guest networks the isolation mirrors what is set for "Access Intranet". So it has to be overridden from the command line. Of course both clients have to be connected to the same VAP.

Side note: John added an extra option in his firmware to each of the guest network settings to individually control the isolation.

Hmm, wonder if YazFi might be better for the OP. IIRC, it's able to manage AP isolation at the guest level, and control access between the private and guest networks.

 

[ColinTaylor]

Hmm, wonder if YazFi might be better for the OP. IIRC, it's able to manage AP isolation at the guest level, and control access between the private and guest networks.

Yes that's probably a better idea. The problem with just "hacking it" from the command line is that if the user subsequently makes any changes to the guest WiFi settings the isolation change is undone.

 

[Cr00zng]

Thak you both for all of the information and suggested resolutions, much appreciated. Admittedly, it took me some time to understand the relation between different netwoks and the implication for my issue.

It took me some time to find an "AP Isolation" setting in the router, just to test if it would be applied to the guest network as well:

Well, it does not...

Both the Roku stick and my iPhone are connected to the same guest nework on the same router, I have only one. Question about the commandline unlocking of the isolation in the guest network, thanks @ColinTaylor:

nvram set wl1.2_ap_isolate=0
nvram commit
reboot

The "wl1.2" identifies guest network #2, "wl1.3" the guest network #3, etc., correct?

This option seems tempting, since it seems just a minor change to router setting. The aren't many changes to this router, so, if the setting disappears just add it again.

Maybe Iooked at the wrong supported devices list, but neither of my Asus broadband routers are in the list for YazFi, plus looks more complicated to install than running couple of commands...

 

[ColinTaylor]

The "wl1.2" identifies guest network #2, "wl1.3" the guest network #3, etc., correct?

That is correct for the 5GHz networks. For the 2.4GHz networks it would be wl0.1, wl0.2 and wl0.3.

 

[L&LD]

I don't believe the setting for AP Isolation in the main wireless network applies to the Guest Network(s) (by design).

 

[Cr00zng]

That is correct for the 5GHz networks. For the 2.4GHz networks it would be wl0.1, wl0.2 and wl0.3.

Thanks Colin... I don't use the 2.4GHz network, but it's good to know...

I don't believe the setting for AP Isolation in the main wireless network applies to the Guest Network(s) (by design).

No it does not, but it was worth trying it.

Albeit, it makes me wonder, how the commandline option will work? It's worth for trying tomorrow; watching streaming sport events via HDMI connection between the MacBook Pro and the TV works just fine. Interestingly, the Windows 10 crashed after couple of minutes viewing the same event, when connected to the TV via HDMI cable...

I just want to use streaming between the iPhone and the Roku stick within the same guest network, be that screen sharing or airplay, instead of wires.

 

[L&LD]

If you didn't reboot both the router and the tested devices (simultaneously), I'd assume it wasn't tested properly.

But as I mention, I don't think the main wireless networks should affect what the Guest Networks do with regard to these types of settings.

 

[Cr00zng]

Even if the devices and the router rebooted at the same time, or just shut off the devices, the change may not be applied to the devices. Both, my iPhone and the Roku stick remembered the guest network #1 settings, after #2 and 3 guest networks had been disabled and #1 enabled. In another word they saved the settings and may not update after the commandline change.

Besides...

What stops the devices to communicate with each other within the same guess network? In layman view, it seems that these devices still communicate through the router. If that's case, they still won't be able to connect to each other, until the intranet access is disabled for the guest network. Well, I am looking forward to the test tomorrow...