Guest Network and AP Mode

[Jong]

Hey guys! First post...be gentle .

I have just acquired two RT-AC87Us and have setup one as the main router and the 2nd as an AP, wired into the router via its WAN port. The AP is needed to get good WiFi coverage through a big old house! I'm currently running the standard Asus "4608" latest firmware.

I setup a guest network on both the router and AP and only discovered today that the APs guest network is really just an alternate "login" for the same vlan - all devices connected to the LAN are visible to devices on the AP's guest network (but not on the router's).

Having read around this it seems this is very typical, not just of Asus. This thread seems to discuss the issue pretty well: http://www.snbforums.com/threads/guest-network-not-restricting-local-network-access.22659/

Not that anyone here can do anything about this, of course, but I'm very surprised that the AP's Guest Network page does not warn you of this issue. It implies that the guest network keeps your LAN out of bounds, but that really is not the case. It should be pretty obvious that if you set up an AP you are likely to have devices hanging off the main router and a warning that these would be visible is in order, I would think! Not that it's a big deal, but I had the AP's guest network up for 3 days before I thought I'd "just do a quick check"! It seems even having a guest network on the AP is pretty pointless and should probably be disabled.

One question though - I am sure this is just my ignorance, but I'm curious: Why is this so hard? It would seem the AP knows very well what subnet it is on. Why can it not just drop all traffic sent to/from the guest network that is not going from/to the gateway (ie. the main router)?

 

[L&LD]

Just set up the router as a router with a fixed IP. Now, Guest Networks should work as expected (isolated, with the appropriate setting).

 

[Jong]

Yeah, I read that, thanks. Trouble with this is it will almost certainly break Chromecast and other similar devices.

What I don't get is what guest mode does for anyone in AP mode and why, in it's current state, it is not just entirely disabled. It occurred to me that the current implementation means retransmitting every packet from every device to the main network and all the guest networks. While I'm sure it's not quite this simple, as we are not using MU-MIMO, one guest network would halve the WiFi capacity as each packet is repeated onto the guest network. With 2 guest networks the capacity would be cut to a third and with all three it would be cut to a quarter, all for no benefit whatsoever, as far as I can see, as everyone on all 4 Wifi networks are all effectively on the same vlan! I feel I must be missing something here!

 

[coldwizard]

...
Having read around this it seems this is very typical, not just of Asus. This thread seems to discuss the issue pretty well: http://www.snbforums.com/threads/guest-network-not-restricting-local-network-access.22659/

...

And the link you quote has a partial fix for AP mode restricting Guest LAN access with Merlin's firmware.

 

[coldwizard]

Just set up the router as a router with a fixed IP. Now, Guest Networks should work as expected (isolated, with the appropriate setting).

Sorry, but this will not work completely. Your guests will still have access to everything on the original network. You have just restricted access to the LAN directly connected to the second router.

And to avoid doing a double NAT for a router to router configuration, you will need to disable NAT on the second router and add a static route on the gateway router to the second router.

To clarify
ISP - <Gateway router, 192.168.1.x> --- <Second router, 172.16.x.x>

The gateway router needs a static route for the network 172.16.x x to the ip address in 192.168.1.x of the second router.

The second router needs NAT disabled to avoid the double NAT.
Everyone on the 172.16.x.x network can access devices on the 192.168.1.x network.
If you attempt to put in a firewall restriction to prevent access to the network 192.168.x.x, it will apply to all users, not just the guests.

 

[L&LD]

It will work if the only criteria is to have an isolated Guest network.

Main router IP is 192.168.53.1.

AP in router mode has WAN port connected to Main router and has it's IP range lower than the Main router's IP range. For example; 192.168.1.1.

The isolated Guest network works like this, but I agree it may break or disable other functionality for specific devices.

 

[Jong]

So we're all agreed then? Guest Network in AP Mode is just borked and pointless? Can anyone see a reason to use it at all or is it just a security threat (because it leads the unwary to believe in it) and useless destroyer of network capacity?!

And does anyone know why? Naively, it would seem easy (low down the network stack) for routers of this power to drop all packets from/to the guest network not aimed to/from the gateway, but I'll admit my knowledge here is somewhat rudamentary!

 

[Nullity]

Guest networks can still be used as a way of keeping your primary wifi password private, right?


I assumed there would be a fix for this too but my past searches found that it was a common problem on tomato and openwrt too. I think ddwrt sorted it out though.

 

[Jong]

But as the guest network sees all on your main network it's a bit moot! It's true you could change your guest password very often while keeping your main one, for some measure of protection, but given using the guest network is halving or worse your network capacity for such a minor benefit I'd say it's a bad idea. At least the main router's guest network is fine!

 

[L&LD]

But as the guest network sees all on your main network it's a bit moot! It's true you could change your guest password very often while keeping your main one for some measure of protection, but given using the guest network is halving or worse your network capacity for such a minor benefit I'd say it's a bad idea. At least the main router's guest network is fine!

Your assumptions are wrong. Each additional ssid your router broadcasts does decrease the maximum rates possible, but nowhere close to halving your speeds.

Also, guest network does work when not in AP mode. Not a real solution, but workable.

 

[Jong]

Can you explain why? It seems to me the AP needs to broadcast each packet arriving twice on the network - once to the main SSID and once to the guest SSID, thus using (approximately) twice the available "bandwidth" (assuming MU-MIMO is not being used). Very different to a real guest network, where packets not for the guest network are not sent to it. The two networks are secured separately, so there is no way I can see that the packet can be shared. I'm quite happy, in fact really interested, to be proved wrong, but that is how it seems to me ATM.

As you say it works in non-AP mode, but as APs are often/mostly used to extend range it is barely workable to have a guest network that only covers the range of the main router.

 

[L&LD]

http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html

It works for me and my customers for isolating certain devices or people from the main network. But like I said, that is when it is running as a Wireless Router and not in any other mode.

 

[Jong]

Yeah, my comment about halving the capacity was specifically in AP mode when all packets have to be duplicated (or tripled or quadrupled!). I was never suggesting this applied with a real guest network.

 

[L&LD]

Yeah, my comment about halving the capacity was specifically in AP mode when all packets have to be duplicated (or tripled or quadrupled!). I was never suggesting this applied with a real guest network.

And that is why none of my customers are using AP mode. No benefit to a real guest network.

If dealing with VLANs to properly separate and segregate networks (main and guest) is too much in terms of hardware, programming or budget (products and service time), then the next cheapest way to achieve this is by simply buying additional routers as needed (these do not have to be top end) and segregating the network as I mentioned previously.

 

[Jong]

And that is why none of my customers are using AP mode. No benefit to a real guest network.

If dealing with VLANs to properly separate and segregate networks (main and guest) is too much in terms of hardware, programming or budget (products and service time), then the next cheapest way to achieve this is by simply buying additional routers as needed (these do not have to be top end) and segregating the network as I mentioned previously.

OK, great, so we are agreed. I'm just surprised so many vendors (not just Asus) get away with offering such a clearly broken option, with clear performance and security implications. I thought I must be missing something, but it seems not!

I respect that what you suggest may work in many environments but there are some, as discussed earlier, where separate subnets just aren't going to work.

 

[coxhaus]

I think what is missing for a guest network if you are not going to use VLANs is an access control list or ACLs. If you want to divide a subnet you need to apply ACLs to restrict access. I lot of home routers do not have this feature which I think is mandatory for a router. With ACLs an example would be you could restrict the top half of the subnet to private IP addresses and allow the public to use the bottom half or any combination you would like. Having a guest network on the same network accomplishes nothing other than a marketing scheme. The traffic needs to be isolated somehow.

 

[Nullity]

I always assumed the Guest network isolation failed in AP-mode becasuse the wireless "router" was now only acting as a layer-2 switch, having no control over the network layer (layer 3).

Perhaps network isolation depends on the wireless router having layer-3 control.

This is just an assumption, as I am still learning about computer networks.

 

[coxhaus]

I always assumed the Guest network isolation failed in AP-mode becasuse the wireless "router" was now only acting as a layer-2 switch, having no control over the network layer (layer 3).

Perhaps network isolation depends on the wireless router having layer-3 control.

This is just an assumption, as I am still learning about computer networks.

Routers work at layer 3. Switches work at layer 2 but all this is getting mixed up as routers are doing some layer 2 and switches are doing some layer 3. If you want to run a guest network at layer 2 then VLANs work at layer 2. So you could isolate at layer 2. 2 networks can coexist at layer 2 but they are not isolated.

 

[Jong]

I always assumed the Guest network isolation failed in AP-mode becasuse the wireless "router" was now only acting as a layer-2 switch, having no control over the network layer (layer 3).

Perhaps network isolation depends on the wireless router having layer-3 control.

This is just an assumption, as I am still learning about computer networks.

My knowledge of networks was once reasonable but has now substantially downgraded! But I'd say this should be handled at L2 anyway. The two networks should be isolated and unable to see each other, therefore there is no possibility of them trying to establish communication across the divide. Although things like encryption muddy the water slightly, WiFi is essentially a data link level technology, i.e. L1/L2.

 

[coxhaus]

The guest network should be handled in layer 2 but I like for each vlan to have a separate layer 3 IP network. To me this gives you more control. I am probably old school.