TheScotsman
Occasional Visitor
Found a bit of an oddity with guest networks on Asuswrt-Merlin 388.1 on my GT-AXE11000, and while I'm not sure it's a problem per se, I would appreciate it if anyone has thoughts on what's happening here.
On my 2.4GHz and 5GHz bands, I have AP isolation OFF, because devices on the main (non-guest) network do need to communicate with each other. The base LAN address is 192.168.56.1, and the guest network setup is as follows:
2.4GHz
Slot 1 / SSID Azkaban / Access intranet DISABLED
Slot 2 / SSID BarnIoT / Access intranet DISABLED
5GHz
Slot 1 / SSID BarnWFH-5G / Access intranet ENABLED
Slot 2 / SSID BarnIoT-5G / Access intranet DISABLED
Azkaban works as expected - it assigns IP addresses in the 192.168.101.x range, and nothing there can talk to anything on the intranet. BarnWFH-5G also works as I'd expect - it's assigning an address in the 192.168.56.x range - I think normally it would be 192.168.102.x for that guest, but since it has intranet access (bridged?) getting an intranet address doesn't surprise me, and it's got working access to intranet devices as intended. Both of those are in slot 1 in their frequency bands so they're available via AiMesh, although at the moment my second router is not connected. So for slot 1, all working fine.
However, the slot 2 guests are a surprise - they're assigning IPs in the intranet address range, i.e. 192.168.56.x! I would've expected those to have their own unique ranges, since they're set with intranet access disabled. Oddly, though, the intranet access DOES seem blocked! I can't ping any devices on 192.168.56.x from those guest networks, or vice versa; and I can't reach intranet devices from those guest networks via any other protocols. So - guest devices on BarnIoT and BarnIoT-5G get intranet IP addresses (weird, concerning); but as intended can't communicate with other intranet devices.
I'm just not sure how that's working, exactly - why don't those guests get dedicated non-intranet ranges like the slot 1 guests typically do? And given the addresses are issued in the intranet subnet, what's (correctly!) blocking access to other intranet devices from these guests?