GUEST network internet connectivity issues - ASUS RT-AX86U Pro

[JG46]

Ideally you need a printer connected to the guest network AND disable client isolation on the guest network.

I think this may be the compromise I go with, because VLANs seem like more complication than I want to get into.

The real priority is keeping the main and GUEST isolated from one another.

Client isolation on the GUEST network would be nice, but is contrary to having those devices all be able to reach a printer, so I guess I'll have to disable isolation if I'm unwilling to set up a VLAN.

 

[JG46]

I just checked my router syslog and learned that a wireless printer was CONSTANTLY going through a cycle of Auth, ReAssoc, Deauth. I don't know why the printer was doing this, and I don't know if this contributed to my GUEST network internet connectivity issues. The printer was on the main (not guest) network, BUT it was on the 2.4GHz WiFi band, which happens to be the only band that I activated for GUEST. Coincidence, perhaps? At any rate, I've removed the printer from the network.

Back to the original issue -- does anyone have a view on whether this cycling of Auth, ReAssoc, Deauth could be responsible for the issue I describe in post #1 above?

 

[pjd50]

I think this may be the compromise I go with, because VLANs seem like more complication than I want to get into.

The real priority is keeping the main and GUEST isolated from one another.

Client isolation on the GUEST network would be nice, but is contrary to having those devices all be able to reach a printer, so I guess I'll have to disable isolation if I'm unwilling to set up a VLAN.

Exactly. But to be clear, I believe if you enable intranet on the stock guest WiFi network then every client/device will be able to see each other - complete co-mingling like it’s just one network - so no need for even a second printer.

I think a VLAN is the only way to set up a guest and main network separate from one another and NOT have client isolation between devices on the guest network.

It’s easier for me to articulate with a drawing, but I’ll try with an analogy:

What you want is this:

Aquarium A - all the fish are swimming together in a glass bowl - they can only see other fish in the same bowl and can’t see or reach Aquarium B

Aquarium B - all the fish are swimming together in a glass bowl - they can only see other fish in the same bowl and can’t see or reach Aquarium A

^ I believe the above scenario can be achieved by VLANs


What stock guest WiFi does is this:

Aquarium A - all the fish are swimming together in a glass bowl - they can only see other fish in the same bowl and can’t see or reach Aquarium B

Aquarium B - houses several fish (same water throughout the bowl = World Wide Web internet access), but each fish in the bowl is inside of its own glass cage/container/partition. None of this fish inside of Aquarium B can see other fish in Aquarium B, and they can’t see aquarium A either.

If you enable intranet access on the guest WiFi, there’s just one bowl full of water that all the fish swim in - but there’s a lid on the aquarium jar top with two openings/holes - one hole is called “main” and the other is called “guest.” There’s no security with this method (a mean fish that entered through the “Guest” hole can attack an innocent fish that entered from the “Main” hole). The fish just use different entrances (and passwords to the gatekeeper) to enter the aquarium bowl.

So if you use the guest network without intranet, a printer fish in Aquarium B will be isolated in his own glass partition - he can’t see other fish in the bowl or fish in the other bowl. A “useless” network printer.

You probably knew all this already, but just sharing if helpful for you/others.

Take a leap and try VLAN - I bet the set up isn’t as hard as you might think.

 

[JG46]

Back to the original issue -- does anyone have a view on whether this cycling of Auth, ReAssoc, Deauth could be responsible for the issue I describe in post #1 above?

I've just answered my own question regarding the effect of removing the cycling (Auth, ReAssoc, Deauth) device from the network. I did so, and afterwards, the GUEST network again lost its connection to the Internet. So, it doesn't appear that my issue in post #1 was related to the "cycling" device that I removed. Importantly, 2 other devices are now doing that same cycling. In this case, it is 2 school-issued Chromebooks that are connected to GUEST.

I just added a 5G SSID to GUEST and the Internet connectivity was restored to the Chromebooks (the only devices on GUEST). However, I think that simply adding the 5G SSID caused a soft "restart" of sorts to the router, and it was probably the soft restart (of firewall, perhaps?) that restored the connectivity, as opposed to adding the 5G SSID itself.

So frustrating.

 

[L&LD]

It may still be the 'cycling'.

Remove those other two devices as well, and test further.

 

[JG46]

It may still be the 'cycling'.

Remove those other two devices as well, and test further.

From what I can tell, the devices attached to the GUEST network are NOT malfunctioning. Rather, they are repeatedly connecting to the GUEST SSID trying to get an internet connection ("auto-reconnect is enabled on the client devices).

If the devices DO get an internet connection, there is no cycling, and things are "normal" until the Internet connection suddenly fails (for some reason I don't understand).

If the devices DON'T get an Internet connection, then they keep trying -- they disconnect and re-connect repeatedly to the SSID, trying fruitlessly to get an Internet connection. The devices will continue in this manner until I reboot the router, at which point the devices will be able to connect with Internet. However, the problem is that eventually the Internet connection is again lost, and thus cycling begins again.

All of the above is on Guest Network #2.

So, the issue remains: why the sudden loss of Internet connection on Guest Network #2? At this point, I'm thinking either there's a specific bug in the firmware causing this issue, or the hardware is defective.