GT BE98 Pro Guest Network Cannot Disable Intranet Access

TeleCrowd

New Around Here
New Asus GT-BE98 Pro, Firmware:3006.102.2. Fresh install and setup, no import of settings. After configuration there was a default wifi network named "Default IoT Network" that I did not have to configure, and has very few configuration options. Only SSID and password. I used this wifi network and discovered that I can still access all hardwired devices on the network.


I then configured a "customized network" for IoT devices that I want internet access only, no intranet access. I have configured and disabled "access intranet" and also tried the setting "Set AP Isolated" option. No matter what I try, if I connect to this wifi network I can still access all devices on the network, not just the created wifi network. I am new to Guest Network Pro and am unsure if it is a bug or if I am missing something like creating VLANs first or something. I was using YazFi on a previous router and everything worked wonderfully. I've read through Asus documentation and it seems like it should be as easy as using the slider to disable or enable "access intranet".
 
On Asus stock firmware for BE98, if you used the Asus network profile 'IoT network' it puts it in a VLAN if you don't use your main network DHCP range, it doesn't have Intranet Access anyway, but you are able to toggle Set AP Isolated to prevent wireless clients communicating with each other.

In general, Set AP Isolated means wireless devices cannot connect to each other, but still see wired Intranet devices; unless the secondary option "Access Intranet" is disabled. Now on the BE98, for an IoT network this "Access Intranet" is not exposed on an IoT guest network as it's already done as part of VLAN. On other models such as RT-AX86U, until a few Merlin firmwares ago, it was available in main WIFI networks and Guest WIFI networks. On Merlin's firmware 'Access Intranet' is now only available in Guest WIFI networks as an option. Access Intranet is effectively access to wired devices.

Back to the stock Asus firmware, and "Access Intranet" is also not available as a setting for a main WIFI network; only certain Guest WIFI network profiles such as "Custom", "Guest Portal", "Kid's Network" and "VPN Network". These are WIFI profiles found under 'Guest Network Pro'. Main WIFI networks do not offer the VPN option for clients either, it's only on Guest Networks as a setting.

I don't really like Asus SSID Network profiles. I'd like to pick whether SSID has a portal, access Intranet or assign different DHCP, VLAN or bandwidth limit as I please for any SSID. They think they have got it right though! A network profile can also only have 16 devices in its MAC list too and you can't create two IoT SSIDs with the same name - one for 2.4GHz devices with WPA2 but going through VPN via Surfshark, and one for 5GHz/6GHz with WPA3. You could create two custom Guest networks though to do this but you then couldn't VLAN them off in the WIFI SSID setup GUI. So I find their whole idea frustrating and configured a few times before settling on near what I wanted. I mean JUST 16 MAC addresses for MAC Filtering on a premium router is laughable.

I'm waiting for GNUTON's firmware at the moment, hence on stock, but I think it will be the same as discussed (?)
 
I have not tried out the stock firmware, only the most recent Merlin. The Default IoT Network does not have any options to adjust the DHCP range, unless the options for configuration are somewhere other than the Guest Network Pro tab. Under the guest network tab the only options for the default IoT network are to change the SSID and password. Regardless, if I use this default IoT network I can still see and access all intranet devices. The default IoT Network or an "IoT Network" created under the Guest Network Pro tab do not create VLANs if "use same subnet as main network" is configured during the initial setup (cannot be changed later with the default IoT network) and can access intranet, which is not the expected or desired behavior.

Creating my own custom network opens up the additional basic and advanced settings such as access intranet and Set AP Isolated. You can only configure "use same subnet as main network" during the initial setup of the network, and cannot change it once it is created. If you do not use the same subnet as the main network it creates a VLAN ID which can be seen under LAN/VLAN/Profile. With a custom network configured to use a different subnet from the main network the toggles for access intranet and set AP isolated seem to work better. Strangely I can still see some devices on the main network but not all of them. I'm trying to troubleshoot why that is.

If you create a custom wifi network under the Guest network Pro section it will provide more options such as bandwidth limiter and scheduling. If you create a VLAN profile under the LAN/VLAN/profiles section it will create a wifi guest network but the options are slightly more limited than a customized Network created with a different subnet from the main network.

For whatever reason it appears that the current Merlin firmware with the default IoT network still allows intranet access, and if you create a custom network but attempt to place it on the same subnet as the main network, the configuration options for access intranet and set AP isolated do not function as expected.

So I guess the big question is, is it possible to create a network on the same subnet as the main network and have the toggles for access intranet and set AP isolated work as intended?
 
The default IoT Network or an "IoT Network" created under the Guest Network Pro tab do not create VLANs if "use same subnet as main network" is configured during the initial setup (cannot be changed later with the default IoT network) and can access intranet, which is not the expected or desired behavior.
While I don't have a GT BE98 Pro, I am getting frustrated by the same Guest Network Pro behavior that you and others in this thread are experiencing/witnessing. Made some similar observations about an hour ago in another thread post on the latest stock Asus 3006.x firmware for the RT-AX86U Pro:
https://www.snbforums.com/threads/rt-ax86u_pro-3-0-0-6-102_34334-2024-11-06.92777/#post-932720

There are several elements of Guest Network Pro that do not operate as one would think. Haven't really found a good way around it. It seems to be an "either or" kind of thing. If you want Guest Network Pro clients on the main LAN subnet (for assigning manual IP reservations for example) then you cannot block Intranet access. Same goes if you use the Custom Network option and set Access Intranet to disable. That Access Intranet setting appears to be essentially useless so long as Use same subnet as main network is enabled. Bottom line appears to be that if you want to block intranet access you must set Use same subnet as main network to disable (at least in my testing) as one of the setting changes.

Asus really needs to rethink and rework the entire Guest Network Pro section. Or at the very least get the Access Intranet option to, first be available for the predefined choices like IoT, second have that disable Intranet Access actually work and disable Intranet access when a user wants to use the main LAN IP subnet range. And it is frustrating to have to remove/delete the entire VLAN or present Guest Network Pro group and start a new one in order to make some changes (like others mentioned above).
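
A way to check the behaviour discussed in this thread from a client joined to the guest or IoT SSID, as an added example that is not part of any post above and not Asus or Merlin code. It probes main-LAN hosts you list and separates leaks to addresses inside the client's own subnet from leaks that crossed into another subnet. The addresses and ports are constructed placeholders, and a refused connection is counted as a leak because the reply shows the packet reached the host.

```python
import ipaddress
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP connect attempt made from this (guest-side) client."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a RST came back: the packet still reached the host
    except OSError:
        return "no-reply"  # timeout or no route: blocked, or host/port simply down

def check_isolation(client_if, targets, probe_fn=probe):
    """client_if: this client's 'ip/prefix'; targets: (host, port) pairs on the main LAN."""
    net = ipaddress.ip_interface(client_if).network
    rows = []
    for host, port in targets:
        state = probe_fn(host, port)
        rows.append({
            "target": f"{host}:{port}",
            "same_subnet": ipaddress.ip_address(host) in net,
            "state": state,
            "leak": state in ("open", "refused"),
        })
    return rows

def summarize(rows):
    """Split leaks by whether they stayed inside the client's own subnet."""
    leaks = [r for r in rows if r["leak"]]
    return {
        "isolated": not leaks,
        "same_subnet_leaks": [r["target"] for r in leaks if r["same_subnet"]],
        "routed_leaks": [r["target"] for r in leaks if not r["same_subnet"]],
    }

if __name__ == "__main__":
    # Constructed values: replace with the guest client's own address and
    # wired devices you own that listen on a known port.
    CLIENT_IF = "192.168.50.137/24"
    TARGETS = [("192.168.50.10", 445), ("192.168.50.20", 80)]
    rows = check_isolation(CLIENT_IF, TARGETS)
    for r in rows:
        print(f'{r["target"]:22} same_subnet={r["same_subnet"]!s:5} {r["state"]}')
    print(summarize(rows))
```

Because "no-reply" also covers a device that is off or drops the port itself, confirm each target answers from the main network first so a silent host is not mistaken for working isolation.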
 