Guest Network Pro on RT-AX88U Pro IoT VLAN Setup with TP-Link TL-SG1008 Unmanaged Switch

jksmurf

Very Senior Member
Hi,

I thought I would document my experience setting Guest Network Pro up, so other folks at my (basic) level of technical expertise can see what it looks like and the various gotchas. I'm happy for feedback on what I should have done or changes (but please say why and what it is for)…

I was essentially trying to make an IoT Network for my Home Assistant (HA) setup and after reading (a LOT) whether to put the HA Server on the same LAN or not, I eventually did so, due to (inter-alia) 'Matter' and simply ease of device management. It's probably not as secure as it could be but for me this is less about security (not that it isn't important!) and more about being able to manage the growing system. So:

Part I: Guest Network Pro

Network

  • I added an IoT network from the list of options under the Guest Network Pro Tab, because, well, that's what most of the devices are; and HA runs it.
  • The SSID, Band, Authentication are all self-explanatory.
  • I selected the 2.4GHz band 'only' because 99% of IoT devices use that band; PLUS if (like me) you have a 3004-based AIMesh node (RT-AX3000) to a 3006 Primary Router, then ASUS have deemed to 'allow' you one Wi-Fi Interface per band (on top of the Primary network). I documented this elsewhere so I will not expand on it here, but by only using 2.4GHz on that I freed up the 5GHz for my Guest Wi-Fi, on that AIMesh Node.
  • I selected 'WPA2/WPA3 Personal' but have read of a few folks with issues with that setting, that have dropped to just WPA2. YMMV.
  • I left Access Intranet on MAIN only (the default) for IoT Networks.
  • In advanced settings I left the subnet at what GNP selected automatically (53, the first one selected after Guest took 52). You can change it to what you like later.
  • I changed the DNS Server to Cloudflare (put in the DNS manually). Apparently Default does not (currently) work (I cannot find the post(s) on this sorry).
Advanced settings
  • I selected the AIMesh Node (as well as Main).
  • I went into "Manually Assigned" and assigned all my IoT Device IPs and Names, including Ethernet Devices.
  • When you add manual profiles, you can drop down from a list of names, but you need to add the IP address manually (use the VLAN subnet) and the Name. I did not fill in any DNS Server. Do not forget to click OK, then APPLY (or you will be putting them ALL in again...).
  • One observation, a quirk of ASUS, is that after it was all set up, the ASUS Client List showed an IoT device (update, now a few devices) with the correctly assigned IP address, but it turned up in the table in the Primary Router SSID Section; very odd. A point to note these were all IoT devices connected to the AIMesh Node, not the main network, the latter which all displayed correctly. Odder still.
VPN
  • My IoT Network does not need one.
Clients
  • Only for viewing after it is working.

Part 2: LAN, VLAN Tab
  • This section is for Ethernet-attached devices only, associated with your VLAN, no Wi-Fi component here (that is in Part I above).
  • Note that when you create your VLAN in Part I, it automatically populates this Tab.
  • In here I selected the Ethernet Port which goes to an 8 Port Unmanaged Switch in a Cabinet downstairs.
  • It is a TP-Link (TL-SG1008P) 8 Port (4 PoE) unmanaged switch. @visortgw kindly gave us many, many, many, many pointers that you can use such an animal (from TP-Link but not some others) that work as passthrough and I found evidence of that in various websites, for this model. See attachments in imgur.
  • The Router (LAN Port 2) connects to the switch and that in turn feeds the HA Server (an RPi4), two Xiaomi Gateway Hubs and the TV.
  • So, in LAN/VLAN I chose "Access" as I only have one VLAN (and read that was appropriate for that reason).
  • The first time, I selected my newly-created IoT Network (SmurfIoT), clicked apply and ... nothing ... no Wired devices joined the IoT Network (wireless was fine).
  • Well I tried All (Default) (NG), I tried Trunk (NG), I looked at the Profile Tab (don't need to and will not touch it), I pulled cables in and out of all the Ports thinking maybe the PoE ones were being nasty, but nothing.
  • Eventually I simply powered off the switch and then back on again after a minute or so and lo and behold, success! So I strongly suggest this last step... :-)
So HA is running as before, I just had to change (Configure) a couple of fixed IPs in HA to match the new VLAN subnet but other than that I am up and running. Very happy with the new Router and RMerlin's amazing FW, 3006.101.4_alpha2 at the time of writing.


Attachments: A-IOT Network.jpg, B-TEST VLAN 531.jpg, C1-Network General.jpg, C2-Network-Advanced.jpg, D-Aimesh.jpg
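What the "Access" versus "Trunk" choice in Part 2 means on the wire, as an added example that is not from the original post: an access port hands untagged frames to the port's single VLAN, while a trunk carries 802.1Q-tagged frames whose 12-bit VID names the VLAN (that tag is what a passthrough unmanaged switch forwards unchanged). The VLAN ID 53, the MAC addresses and the payload are constructed values for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # EtherType announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]    # None for an untagged (access-port) frame
    priority: Optional[int]   # PCP bits from the tag, None if untagged
    ethertype: int
    payload: bytes

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, unwrapping one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    vlan_id = priority = None
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        priority = tci >> 13        # PCP: top 3 bits of the TCI
        vlan_id = tci & 0x0FFF      # VID: low 12 bits of the TCI
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan_id, priority, ethertype, raw[offset:])

def build_frame(dst, src, payload, vlan_id=None, priority=0, ethertype=ETHERTYPE_IPV4):
    """Build a frame; with vlan_id set, insert an 802.1Q tag (trunk-style)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (priority << 13) | vlan_id
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload

def classify(raw: bytes, access_vid: int) -> int:
    """VLAN a port assigns: untagged frames get the port's access VID (the
    Access mode in the post); tagged frames keep the VID carried in the tag."""
    f = parse_frame(raw)
    return access_vid if f.vlan_id is None else f.vlan_id
```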
I thought the point of an IoT network is bc you can do things like setting 2.4 only for better compatibility with iot devices. Not to separate the devices from your main network. Why and what would be the benefit of doing it this way instead of creating an iot network but keeping it on the same vlan as your main?
I thought the point of an IoT network is bc you can do things like setting 2.4 only for better compatibility with iot devices. Not to separate the devices from your main network. Why and what would be the benefit of doing it this way instead of creating an iot network but keeping it on the same vlan as your main?
I’ll give it a go but I think there are others here far more qualified to explain. I do have 2.4GHz only for the WiFi devices on this network btw.

Essentially what I’ve read is you want your IoT devices to be segregated on a VLAN on a separate subnet so if they are compromised your main is isolated from that.
I thought the point of an IoT network is bc you can do things like setting 2.4 only for better compatibility with iot devices. Not to separate the devices from your main network. Why and what would be the benefit of doing it this way instead of creating an iot network but keeping it on the same vlan as your main?
The main reason to separate and isolate Guest WiFi or WiFi IoT clients from the main LAN/WiFi network and their clients is security. It's why in the 3004.x firmware the Guest Network WiFi has the Access Intranet option. With Guest Network Pro one won't get the IoT preset to be isolated from the main LAN unless they set Use same subnet as main LAN to off/disabled.

The goofiness of the Guest Network Pro has been commented on in a number of other discussions and posts on the stock Asus 3006 firmware. It feels half baked and doesn't at times operate as one would expect with its default setting.

The main reason to separate and isolate Guest WiFi or WiFi IoT clients from the main LAN/WiFi network and their clients is security. It's why in the 3004.x firmware the Guest Network WiFi has the Access Intranet option. With Guest Network Pro one won't get the IoT preset to be isolated from the main LAN unless they set Use same subnet as main LAN to off/disabled.

The goofiness of the Guest Network Pro has been commented on in a number of other discussions and posts on the stock Asus 3006 firmware. It feels half baked and doesn't at times operate as one would expect with its default setting.
When I set it up on my be98 pro by default the iot network is a separate network so I set mine to 2.4 only but it shares the same subnet as the main. If your iot devices are in a network that is separate how does your phone for even Apple home even work. That is dependent on the subnet both devices are on.

I am using it like this to make iot devices my compatible
If your iot devices are in a network that is separate how does your phone for even Apple home even work.
Quite a few IoT devices communicate through the Internet to the app or device that controls them. Denying access to the main LAN doesn't affect them in any way. Have isolated all my IoT devices on their own Guest Network WiFi (and now Guest Network Pro using the 3006 firmware) that is isolated from the main LAN for years without issue.
When I set it up on my be98 pro by default the iot network is a separate network so I set mine to 2.4 only but it shares the same subnet as the main. If your iot devices are in a network that is separate how does your phone for even Apple home even work. That is dependent on the subnet both devices are on.

I am using it like this to make iot devices my compatible
So here’s a thought, if you’ve got some time (literally a few minutes) and don't have too much of an issue with family asking why the internet doesn’t work (briefly, I’m not anticipating for long at all) why don’t you isolate the subnet (the SSID can remain as you set it) and see what, if anything, does not work. If there are no issues, then you can decide which one you’d like to keep.

For me, I put my Home Assistant server on the IoT VLAN (not that it is a major issue) as I didn’t have time to run to ground CLI settings for mDNS and avahi reflector or port forwarding etc that I started to see was required for that to work. I also started to see a lot of folks kept the HA server on the IoT network intentionally to make “Matter” connections work, as these do not utilize mDNS well apparently.
The main reason to separate and isolate Guest WiFi or WiFi IoT clients from the main LAN/WiFi network and their clients is security. It's why in the 3004.x firmware the Guest Network WiFi has the Access Intranet option. With Guest Network Pro one won't get the IoT preset to be isolated from the main LAN unless they set Use same subnet as main LAN to off/disabled.

The goofiness of the Guest Network Pro has been commented on in a number of other discussions and posts on the stock Asus 3006 firmware. It feels half baked and doesn't at times operate as one would expect with its default setting.

Just for fun, this is how it's implemented in ASUS EBM68 Firmware version 3.0.0.6.102.44485
Attachments: guestNetworkConfig.PNG, guestNetworkConfig2.PNG
The main reason to separate and isolate Guest WiFi or WiFi IoT clients from the main LAN/WiFi network and their clients is security. It's why in the 3004.x firmware the Guest Network WiFi has the Access Intranet option. With Guest Network Pro one won't get the IoT preset to be isolated from the main LAN unless they set Use same subnet as main LAN to off/disabled.

The goofiness of the Guest Network Pro has been commented on in a number of other discussions and posts on the stock Asus 3006 firmware. It feels half baked and doesn't at times operate as one would expect with its default setting.
Half baked is giving it more credit than it deserves; they made it more complicated for no reason.