Guest network (IoT) and network time

croldan72

New Around Here
I have an RT-AX86U running Asuswrt-Merlin as my primary router, with a few other mesh routers. I created a 2.4G Guest network (index 1 to allow on AiMesh Nodes) for my IoT devices (like cameras), predominantly due to threads that suggest keeping these devices separate. While I can access these devices over the internet, I've noticed that the times and dates are way off. The only way that I could correct this was to enable the "Access Intranet" setting on the guest network. Doesn't this setting negate the separation of the networks, and should it be disabled? My assumption is that enabling this setting is no different than having those devices on the same network as all of my other wireless clients. If I disable it, how can I get my cameras to be able to sync time with the router?

I briefly tried YazFi, but had some trouble getting it to work for my devices. I turned it off for now, since I'm not familiar enough with it yet to be comfortable. I don't think that it supports having the guest network on AiMesh nodes yet and I have a few nodes for those devices outside on the edge of my property. It also changed the IP range from what the AX86U had given those guests, so I had devices not visible, etc.
 
A fix for NTP redirection in Guest Network is coming with next Asuswrt-Merlin release:

 
More about the issue here with some workarounds:

 
So the guest network will work on an AiMesh node as long as we don't run YazFi?

The only way that I could correct this, was to enable the "Access Intranet" setting on the guest network. Doesn't this setting negate the separation of the networks and should be disabled? My assumption is that enabling this setting is no different than having those devices on the same network as all of my other wireless clients.

I was under the assumption that this setting would allow the clients on the guest network to talk to each other on the guest net and not give them access to the non-guest LAN. That would be how I'd prefer it. I would appreciate some clarity on that setting.

If I can disable YazFi and have the guest network functional through AiMesh, that would save me a lot of hassle and time researching how to implement the proper iptables rules for clients that I would prefer to have on the guest network, but which I had to connect to the LAN so they could use the AiMesh network, because they are too far away from the main router and the signal is very weak.
 
So the guest network will work on an AiMesh node as long as we don't run YazFi?
Yes, for Guest Network index #1. That is why it has the "Sync to AiMesh Node" option.

I was under the assumption that this setting would allow the clients on the guest network to talk to each other on the guest net and not give them access to the non-guest LAN. That would be how I'd prefer it. I would appreciate some clarity on that setting.
You are confusing that with AP client isolation.
 
Access intranet enables two things:
AP Isolation which prevents devices on that SSID from seeing each other.
Firewall rules to block communication to main LAN and other guest networks.

I believe Yazfi lets you configure the two independently (not sure). If you want to have AP isolation disabled but access LAN also disabled without Yazfi, you'd have to do it via a script.
 
You mean that disabling the "access intranet" setting enables AP Isolation and blocks guest to LAN communication? I just uninstalled YazFi, and disabled "Access Intranet" on the Guest Network slot #1. Is there a way to allow the clients on the guest network to talk to each other? But not access the LAN? I have a Simplisafe Base station that needs to talk to Wifi-connected cameras around the house. Perhaps the iptables rule that disallows this communication can be removed and then firewall restart via a startup script?
 
Well, I've broken something. I uninstalled YazFi and have had problems ever since. I enabled guest network 1, disabled access to the intranet, and rebooted the router. Devices on the guest network couldn't even get out to the Internet. I connected a laptop to it, and tried connecting my security cameras, and neither could get out to the Internet. I disabled the guest network with the intention of fooling with it later, but I'm experiencing other issues. My unbound + AGH seems like it broke somehow. Opening apps on my phone, I see ads that are normally blocked, and the same when testing websites in browsers where I have no extensions installed.

I went to the AGH GUI and it looks broken. It does this indefinitely.

[screenshot: the AdGuardHome GUI stuck loading]
I logged into the router via SSH to access amtm. In the AGH menu, there is no option to reboot agh.

Taking a look at the unbound menu, it looks like the router is resetting connections to/from itself (127.0.0.1).



Code:
 Enter option  7

+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.22 by Martineau                       |
|                                                                      |
+======================================================================+[1683899339] unbound-control[680106:0] error: connect: Connection refused for 127.0.0.1 port 8953
[: bad number
[1683899339] unbound-control[680157:0] error: connect: Connection refused for 127.0.0.1 port 8953


[1683899339] unbound-control[680495:0] error: connect: Connection refused for 127.0.0.1 port 8953

        ***ERROR unbound-control - failed'?

unbound is stopped

1  = Update unbound files and configuration                                             5  = Install Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                                                     6  = Install Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                                                       7  = Enable    DNS Firewall
4  = Show unbound statistics                                                            8  = Install YouTube Ad blocker
                                                                                        9  = Install Safe Search e.g. google.com->forcesafesearch.google.com

?  = About Configuration
v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script [?]

E:Option ==> 3

[1683899459] unbound-control[682629:0] error: connect: Connection refused for 127.0.0.1 port 8953
[1683899459] unbound-control[682632:0] error: connect: Connection refused for 127.0.0.1 port 8953
[1683899459] unbound-control[682636:0] error: connect: Connection refused for 127.0.0.1 port 8953
09:50:59 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=/0 rrset.cache=/0
 Checking unbound...              alive.
 Shutting down unbound...              done.

Restarting dnsmasq.....
Done.

unbound STOPPED.


Warning unbound not running!! - Config last loaded info:

1  = Update unbound files and configuration                                             5  = Install Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                                                     6  = n/a Install Graphical Statistics GUI Add-on TAB
3  = Start unbound                                                                      7  = n/a Enable DNS Firewall
4  = n/a Show unbound statistics                                                                8  = n/a Install YouTube Ad blocker
                                                                                        8  = n/a Install Safe Search

?  = About Configuration
v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script [?]

E:Option ==> 3

09:51:12 Checking 'unbound.conf' for valid Syntax.....
09:51:12 Requesting unbound (S61unbound) restart.....
 Starting unbound...              done.
09:51:12 Checking status, please wait.....
09:51:14 unbound OK


[1683899474] unbound-control[684080:0] error: connect: Connection refused for 127.0.0.1 port 8953

        ***ERROR unbound-control - failed'?

unbound is stopped

1  = Update unbound files and configuration                                             5  = Install Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                                                     6  = Install Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                                                       7  = Enable    DNS Firewall
4  = Show unbound statistics                                                            8  = Install YouTube Ad blocker
                                                                                        9  = Install Safe Search e.g. google.com->forcesafesearch.google.com

?  = About Configuration
v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script [?]

E:Option ==> 1
[1683899615] unbound-control[686149:0] error: connect: Connection refused for 127.0.0.1 port 8953
[1683899615] unbound-control[686152:0] error: connect: Connection refused for 127.0.0.1 port 8953
[1683899615] unbound-control[686156:0] error: connect: Connection refused for 127.0.0.1 port 8953
09:53:35 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=/0 rrset.cache=/0

        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✖] ***ERROR Enable local NTP server=NO                                         see https://192.168.50.1:8443/Advanced_System_Content.asp ->Basic Config
        [✔] Enable DNS Rebind protection=NO
        [✖] Warning Enable DNSSEC support=YES                                           see https://192.168.50.1:8443/Advanced_WAN_Content.asp ->WAN DNS Setting

        Options:

[: bad number
[1683899616] unbound-control[686253:0] error: connect: Connection refused for 127.0.0.1 port 8953
        [✔] unbound Logging (Warning; DNS Queries/Replies logging is DISABLED)
        [✔] unbound CPU/Memory Performance tweaks
        [✔] unbound-control FAST response ENABLED

        The router does not currently meet ALL of the recommended pre-reqs as shown above.
        However, whilst they are recommended, you may proceed with the unbound UPDATE
        as the recommendations are NOT usually FATAL if they are NOT strictly followed.

        Press Y to continue unbound UPDATE  or press [Enter] to ABORT
 
Yes, on stock Asus, when you "disable" access intranet, it also isolates all guests so they cannot talk to each other. It has been confirmed in another thread that Yazfi does let you choose these two features independently of each other.

If you don't want to use Yazfi, you will need to run a script to disable AP isolation. You can do it via SSH and NVRAM and it will stick, but if you make any changes to wireless it can get reset and you'll have to re-apply it, so finding a way to do it with a script is a more permanent solution.

There are a few ways to disable it, one via NVRAM variable and one by issuing a command to the interface itself. I don't recall if simply restarting wireless after is enough, rebooting the router definitely makes it take effect (but that's going to make scripting harder, you'll need to have it check if the variable has been changed, and if so, change it back and reboot, and if not, do not reboot obviously, or you'll be in a loop).

Yazfi is the simpler solution by far.
 
Unfortunately these 3rd party addons are not all tested with each other, especially what happens when you remove one. You may need to factory reset and reinstall stuff. Or try just reinstalling Yazfi and see if that fixes it. Uninstalling it may have reverted some settings to factory which needed to be left modified for other apps you're running.

Considering you want to disable intranet access but allow guests to communicate to each other, yazfi is probably what you're looking for. It also seems to let you configure it so that you can initiate connections to guests from the main LAN, which also isn't something Asus allows (without firewall scripts), and some other handy features.
 
After disabling the guest network I ran the unbound update config through amtm and that was able to fix it. Now unbound + AGH is working. I just don't have a guest network for IoT devices. It does sound like YazFi is the easiest solution, but I am using AiMesh, which means in YazFi I need the guest network to only come from my main router and not the mesh nodes. Unfortunately, a lot of my IoT devices are far away from my main router. The main router is in the basement, and some IoT devices are on the other side of the house in the garage. I'm no good at scripting without a guide lol.
 
Yeah, you could still potentially run Yazfi but I have a feeling it would conflict with Aimesh. You'd need to install it on both nodes, then add some firewall rules with a script to extend the LAN access blocking from one to the other. And then aimesh could very well mess it up, so probably not the way to go (unless you want to ditch aimesh and just do router and AP yourself). So I guess you're back to the easiest solution being a script to disable AP isolation on both main and node.

You could try just doing it manually for now and see how long it lasts, maybe if you don't change wireless settings much it will stay in place.

The first method is:
nvram set wl0.1_ap_isolate=0 ###2.4ghz guest wireless 1
nvram set wl1.1_ap_isolate=0 ###5ghz guest wireless 1
nvram commit
Try "service restart-wireless" and see if it takes effect. If not, you need to reboot.

This is off my router; do a "nvram show | grep -i isolate" on your master and node to make sure they are the same interface names, but I believe they will be.

The other method is:
wl -i wl0.1 ap_isolate 0
wl -i wl1.1 ap_isolate 0
See if that takes effect immediately. If not, again try service restart-wireless, and if that doesn't work, reboot.
This one likely will not survive a reboot unless you also change the NVRAM variables above. Not positive though.

So my guess is that method 1 will be better if you just want to set it manually from time to time as needed, and method 2 will probably be better for use in a script. However you'll have to test yourself and see if the setting gets reset frequently by aimesh/other process or if it seems to last.

If you can find one method that does not require a reboot, then adding that method to either a services-start or service-event script should work well. If you use services-start just know that you'll have to reboot the router any time you make changes to wireless, especially guest.

Obviously to test you just try pinging between two guest devices after trying each, make sure those devices allow ping of course (try them pinging between them on main network first).

If you want to see the current status of AP isolation, just run the same commands with no value at the end, for example here is mine:
wl -i wl0.1 ap_isolate
1
wl -i wl1.1 ap_isolate
1

Meaning isolation is currently enabled on both frequencies for my Guest #1 (which I want).
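The AP-isolation override from the two methods above, and the "Access intranet enables two things" explanation earlier in the thread, written out as one script. This is an added example, not code from the thread or from Asuswrt-Merlin. It assumes the interface names used in the post (wl0.1 is 2.4 GHz Guest #1, wl1.1 is 5 GHz Guest #1), that `wl` and `nvram` are on the path, and that the file is installed over SSH as /jffs/scripts/services-start (or called from it) on the main router and on each AiMesh node. It only clears ap_isolate; the ebtables/iptables block that "Access Intranet = disabled" installs is not touched, so guests still cannot reach the main LAN. It never reboots on its own, to avoid the reboot loop mentioned earlier; if the driver keeps reporting 1 it logs that a wireless restart is still needed. The WL and NVRAM variables exist only so the functions can be exercised with stub commands off the router.

```shell
#!/bin/sh
# Added example (not from the thread): keep AP isolation OFF on Guest #1 after
# wireless restarts, without touching the guest-to-LAN firewall block.
# Meant for /jffs/scripts/services-start on Asuswrt-Merlin (main router and
# each AiMesh node, installed over SSH). Interface names are the thread's
# assumption: wl0.1 = 2.4 GHz Guest 1, wl1.1 = 5 GHz Guest 1.

GUEST_IFACES="${GUEST_IFACES:-wl0.1}"   # add wl1.1 if the 5 GHz guest is used
WL="${WL:-wl}"          # overridable so the functions can be tested off-router
NVRAM="${NVRAM:-nvram}"
LOGTAG="guest-isolate"

log() { logger -t "$LOGTAG" "$*" 2>/dev/null || echo "$LOGTAG: $*" >&2; }

# Turn `nvram show` output into "iface state" lines, one per *_ap_isolate key,
# e.g. "wl0.1_ap_isolate=1" -> "wl0.1 1". Every other line is dropped.
parse_isolate_table() {
    sed -n 's/^\(wl[0-9.]*\)_ap_isolate=\([01]\)$/\1 \2/p'
}

# Interfaces whose stored NVRAM setting says "isolated" (state 1).
list_isolated() {
    "$NVRAM" show 2>/dev/null | parse_isolate_table | awk '$2 == 1 { print $1 }'
}

# The driver's live ap_isolate value (0 or 1) for one interface.
live_isolate() {
    "$WL" -i "$1" ap_isolate 2>/dev/null | tr -d '[:space:]'
}

# Clear isolation on one interface. Returns 0 if it was changed, 1 if it was
# already off, 2 if the driver still reports 1 afterwards.
disable_isolation() {
    iface="$1"
    [ "$(live_isolate "$iface")" = "0" ] && return 1
    "$WL" -i "$iface" ap_isolate 0                 # live change, no reboot
    "$NVRAM" set "${iface}_ap_isolate=0"           # so a reboot/GUI agrees
    [ "$(live_isolate "$iface")" = "0" ] || return 2
    return 0
}

main() {
    changed=0
    for i in $GUEST_IFACES; do
        if disable_isolation "$i"; then rc=0; else rc=$?; fi
        case $rc in
            0) log "ap_isolate cleared on $i"; changed=1 ;;
            1) ;;
            2) log "ap_isolate still set on $i; run 'service restart-wireless' or reboot" ;;
        esac
    done
    # One commit for all interfaces; only write flash when something changed.
    [ "$changed" -eq 1 ] && "$NVRAM" commit
    return 0
}

# Run only when executed as a script (not when sourced for testing).
case "$0" in
    */services-start|*/guest-isolate.sh) main ;;
esac
```

After installing it (chmod a+rx), verify the same way the post does: `nvram show | grep -i isolate` for the stored values and `wl -i wl0.1 ap_isolate` for the live driver value, then ping between two guest clients. Guest-to-LAN traffic should still fail from a guest client, because that block comes from the separate firewall rules and not from ap_isolate.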
 
I will give this a shot but I have some questions first:

1. I need to turn guest network 1 back on. I only plan to use 2.4 GHz as most IoT devices only support 2.4 anyway. When I turn it back on, am I setting "Access to Intranet" to disabled, and also so that I can use my AI Mesh system, I am setting "Sync to AI Mesh Nodes" to "All" ?

2. Since my AX58U is set up as an AiMesh node, I have never logged into it on its own except when I update the firmware through the main router's GUI. It will pop up another window where I log in, but it just shows the firmware update upload page. I thought the main router (AX88U) managed all the settings. You're saying I need to log in to each and run these scripts on both?

3. I did a preliminary test via SSH on main router:

Code:
# nvram show | grep -i isolate
size: 87356 bytes (43716 left)
wl0.1_ap_isolate=1
wl0.2_ap_isolate=0
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1.2_ap_isolate=0
wl1.3_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=0
jorg@RT-AX88U-F610:/jffs/addons/YazDHCP.d#

This is with the guest network currently off. Why are there so many of these? And one of them is configured with ap_isolate set to 1 already.


Thanks for your help! Enabling guest net 1 2.4 GHz now.
 
Alright I've got the guest network 1 2.4 GHz up and running with the following settings:

[screenshot: Guest Network 1 settings]

I have 3 devices connected to it:

A Macbook Laptop for testing
A Ring Doorbell
A smart (but also stupid) thermostat

I confirmed I cannot ping the other two devices from the Mac. I can access the Internet from the Mac. I can view the Ring doorbell live feed through the app. I cannot, however, access the thermostat through the app. I might need to go reboot it.

Here is the output of your command now:

Code:
/jffs/addons/YazDHCP.d# nvram show | grep -i isolate
size: 87658 bytes (43414 left)
wl0.1_ap_isolate=1
wl0.2_ap_isolate=0
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1.2_ap_isolate=0
wl1.3_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=1
jorg@RT-AX88U-F610:/jffs/addons/YazDHCP.d#


So "wl0.1_ap_isolate=1" was already set even with the guest network disabled. And now, "wl_ap_isolate=1" is set to 1 with guest network on. It was 0 before.
 
I will give this a shot but I have some questions first:

1. I need to turn guest network 1 back on. I only plan to use 2.4 GHz as most IoT devices only support 2.4 anyway. When I turn it back on, am I setting "Access to Intranet" to disabled, and also so that I can use my AI Mesh system, I am setting "Sync to AI Mesh Nodes" to "All" ?

Yes, turn it on and sync to nodes with intranet disabled. Then reboot all devices.

2. Since my AX58U is set up as an AiMesh node, I have never logged into it on its own except when I update the firmware through the main router's GUI. It will pop up another window where I log in, but it just shows the firmware update upload page. I thought the main router (AX88U) managed all the settings. You're saying I need to log in to each and run these scripts on both?

Scripts are not supported by Asus, so you won't be able to deploy them via AiMesh or the GUI. This is done via SSH directly to each device. You will need Merlin on both in order to run scripts (if you just want to do the NVRAM change, you do not need to run Merlin; you can do that with stock).

3. I did a preliminary test via SSH on main router:

This is with the guest network currently off. Why are there so many of these? And one of them is configured with ap_isolate set to 1 already.

It is probably enabled from when you previously had the guest set up. wl0.1 is your 2.4ghz guest #1. x.2 and x.3 are guest wireless 2 and 3 (one for each band). WL0 and WL1 are your main wireless, that one is changed via the GUI, and should be left at 0 unless you want your main LAN to be isolated from each other too. The other one I'm not sure, probably left over from old code bases, mine has it too. Or it may be related to the main LAN also. For guest, you're only concerned with the 0.x and 1.x ones. Mine has 0.4 and 1.4 also, that guest wireless is only available on certain routers so not used on yours (or mine).
 
You want it set to 0 to disable it. 1 is what asus will set it to when you have access intranet disabled, you need to override that with one of the sets of commands I gave.

You can access the ring because that goes via the cloud, not direct. Thermostat probably goes direct thus you need to disable isolation before it will be able to connect (just a guess).

One other thing I'm not sure on, if you have one device on the node and another on the master, whether disabling isolation will allow them to see each other. It should, but you'll have to try and see. If they can't see each other, then you'll probably need a firewall script to modify EBTABLES regardless. But, 1 step at a time.
 
Scripts are not supported by asus so you won't be able to deploy them via aimesh or the GUI. This is done via SSH direct to each device. You will need merlin on both in order to run scripts (if you just want to do the NVRAM change, you do not need to run merlin, you can do that with stock).

I'm running Merlin on both. But I didn't know I needed to make changes on the node. I just access it via SSH?
It is probably enabled from when you previously had the guest set up. wl0.1 is your 2.4ghz guest #1. x.2 and x.3 are guest wireless 2 and 3 (one for each band). WL0 and WL1 are your main wireless, that one is changed via the GUI, and should be left at 0 unless you want your main LAN to be isolated from each other too. The other one I'm not sure, probably left over from old code bases, mine has it too. Or it may be related to the main LAN also. For guest, you're only concerned with the 0.x and 1.x ones. Mine has 0.4 and 1.4 also, that guest wireless is only available on certain routers so not used on yours (or mine).

Odd. Because when guest net was disabled "wl_ap_isolate=0" was set to 0. Now, with guest net enabled, I have "wl_ap_isolate=1".

This is neither my main WLAN, because I can still get to my router GUI on the main wifi, and it doesn't match up with wl0.1.
 
So "wl0.1_ap_isolate=1" was already set even with the guest network disabled. And now, "wl_ap_isolate=1" is set to 1 with guest network on. It was 0 before.

Odd, that value on mine is 0 even though I have 2 guest networks all with isolation enabled. Honestly don't know what that one does.

This is mine:
nvram show | grep isolate
wl0.1_ap_isolate=1
wl0.2_ap_isolate=1
wl0.3_ap_isolate=0
wl0.4_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=1
wl1.2_ap_isolate=1
wl1.3_ap_isolate=0
wl1.4_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=0
 
I'm running Merlin on both. But I didn't know I needed to make changes on the node. I just access it via SSH?


Odd. Because when guest net was disabled "wl_ap_isolate=0" was set to 0. Now, with guest net enabled, I have "wl_ap_isolate=1".

This is neither my main WLAN, because I can still get to my router GUI on the main wifi, and it doesn't match up with wl0.1.

Never tried but you should be able to access it via SSH I would assume.

Not sure why that value changed for you and not me. I don't know what uses it. Maybe it turns back to 0 after a reboot. For now I'd ignore it and try changing wl0.1 to 0 and see if you can now ping between devices.
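Added example, not posted by anyone in this thread: a small POSIX shell script that reads the kind of `nvram show | grep -i isolate` output shown above and labels each entry using the mapping explained earlier (wlX.Y = guest network Y on radio X; wl0/wl1 = the main WLANs). It assumes wl0 is the 2.4 GHz radio and wl1 the 5 GHz radio (standard Asus naming, not stated in the thread) and treats the bare `wl_ap_isolate` as unexplained, as the thread does. The sample input is constructed.

```shell
#!/bin/sh
# Added example: classify *_ap_isolate NVRAM variables so you can see at a
# glance which guest network has AP isolation on (clients cannot reach each
# other, the thermostat case above) and which are open.
# Assumption: wl0 = 2.4 GHz radio, wl1 = 5 GHz radio (standard Asus naming).

# Constructed sample, shaped like "nvram show | grep -i isolate" output.
SAMPLE='size: 87658 bytes (43414 left)
wl0.1_ap_isolate=1
wl0.2_ap_isolate=0
wl0_ap_isolate=0
wl1.1_ap_isolate=0
wl1_ap_isolate=0
wl_ap_isolate=1'

# Map a radio index to a band label.
band_name() {
    case "$1" in
        0) echo "2.4 GHz" ;;
        1) echo "5 GHz" ;;
        *) echo "radio $1" ;;
    esac
}

# Read nvram-style lines on stdin, print one labelled line per variable.
describe_isolation() {
    while IFS= read -r line; do
        case "$line" in
            wl*_ap_isolate=*) ;;
            *) continue ;;          # skip the "size:" header and other noise
        esac
        name=${line%%=*}; value=${line#*=}
        iface=${name%_ap_isolate}
        case "$iface" in
            wl[0-9].[0-9])          # wlX.Y: guest network Y on radio X
                radio=${iface#wl}; radio=${radio%%.*}; guest=${iface##*.}
                what="$(band_name "$radio") guest #$guest" ;;
            wl[0-9]) what="$(band_name "${iface#wl}") main WLAN" ;;
            wl)      what="global wl_ap_isolate (purpose unclear, see thread)" ;;
        esac
        if [ "$value" = "1" ]; then state="ISOLATED"; else state="open"; fi
        printf '%-8s %s: %s\n' "$iface" "$what" "$state"
    done
}

# Count guest networks (wlX.Y) that currently have isolation turned on.
count_isolated_guests() {
    printf '%s\n' "$1" | grep -c '^wl[0-9]\.[0-9]_ap_isolate=1$'
}

printf '%s\n' "$SAMPLE" | describe_isolation
```

Pipe the real `nvram show | grep -i isolate` output into `describe_isolation` on each router and node; after setting a guest interface to 0 as described above, the corresponding line should read "open".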
 