Guest network question

DHLarson

Occasional Visitor
What's different with guest networks? Using it to segregate IoT traffic and suddenly a thermostat that was working fine went south. Moved it over to the internal network and everything is hunky dory. Interface gives me little info on the thermo to figure it out. All I was trying to do was limit the device to internet access only. Are there protocol differences, DNS, etc? In the interest of working this through, is there a primer for tcpdump on the router if I wanted to really dig deep?

I hate these types of issues.

Thanks!
 
how were you limiting it?
 
You could just put it in a DMZ.
 
how were you limiting it?
Only specific limit was blocked access to intranet. Running Skynet but didn't find any outbound blocks on the thermostat's local IP. Does the guest network use the DoT DNS target or the router WAN DNS (they are different - router is using ISP's DNS, DoT is using Cloudflare)?
 
You could just put it in a DMZ.
Shouldn't need to - it sets up an SSL tunnel to an upstream host. No inbound packets outside the tunnel that I can see. That's what seems weird about this.
 
I don't understand, where do you have DoT set up? You can try putting the thermostat IP in DHCP settings as static IP and specify the DNS for it there.
 
DNS over TLS is set up on WAN tab with Cloudflare DNS servers as TLS targets. ISP DNS addresses are the default DNS addresses on the same page but I assume go unused because of DoT setting. I'm unclear if the guest networks use the default DNS address or they, too, use the DoT configured addresses.
 
Hmm, I'm not sure, hopefully someone else can chime in. Judging by this, maybe they don't: YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client (SmallNetBuilder Forums, snbforums.com). You could see if that addon works for you.
 
With my Ecobee I had to use the middle button for guest 2.4 GHz, DNS filter set to Router and the Ecobee set to unfiltered.
There is an issue with the first guest WiFi and Diversion.
Issue has nothing to do with DoT which I run successfully.
 
Just picked up a refurb AX58U for very cheap. Running great, but I now am running into similar problems. With latest firmware I like that it uses a different subnet for better isolation of guest 1, but now I lose the ability to specify DNS for it in the DHCP settings. When AiMesh 2.0 is officially released for AX58U I would like to be able to have this option and use the guest 1 with a specific DNS.

I'm not sure how YazFi is going to work with AiMesh; the only other option is to put them all on a VPN with Merlin firmware and specify a DNS there. But I've found that causes problems with Alexa controlling my TV (I'm lazy). Everything works but power on and select button, don't ask me why lol. I really just wanted to keep things as simple as possible now.


I think bbunge hit the nail on the head also in another thread. It makes no sense that allow intranet would work if guest 1 is on a different subnet. You have to use guest 2 or 3. It's very strange that Asus has the option there, but it would make sense why it is not working with your Diversion.

I also don't put anything that needs intranet access on a guest network unless using a time limit. Or only allowing intranet temporarily for some functions, then disabling it later. Otherwise it defeats the purpose of having a guest network in the first place. (and I don't mean guest 1, ironic, not a pun)
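
The thread asks which resolver a guest-network client actually uses and how to dig in with tcpdump. As an added example (not from any poster in this thread), this Python script reads text in the format `tcpdump -n port 53` prints and reports, for one client, which resolvers it queried and which lookups never got a reply; the capture lines, addresses and hostnames are constructed, and `dns_summary` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n port 53` text output (not a real capture).
# 192.168.101.50 stands in for the thermostat on a guest subnet; every
# address and hostname below is made up for illustration.
SAMPLE = """\
12:00:01.100000 IP 192.168.101.50.40001 > 192.168.101.1.53: 4660+ A? api.thermostat.example. (40)
12:00:01.130000 IP 192.168.101.1.53 > 192.168.101.50.40001: 4660 1/0/0 A 203.0.113.10 (56)
12:00:05.200000 IP 192.168.101.50.40002 > 198.51.100.53.53: 4661+ A? time.thermostat.example. (41)
12:00:10.200000 IP 192.168.101.50.40002 > 198.51.100.53.53: 4661+ A? time.thermostat.example. (41)
12:00:12.000000 IP 192.168.101.77.40100 > 192.168.101.1.53: 9001+ AAAA? other.example. (31)
12:00:12.020000 IP 192.168.101.1.53 > 192.168.101.77.40100: 9001 0/1/0 (90)
"""

# timestamp, "IP", src.port > dst.port:, DNS transaction id, remainder
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)(?P<rest>.*)$"
)
# Query remainder: optional flag characters, optional [EDNS info], then "TYPE? name"
QUERY = re.compile(r"^[+%*\-|$]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")


def dns_summary(capture, client):
    """Return {resolver_ip: {"answered": [...], "unanswered": [...]}} for one client."""
    pending = {}  # (resolver, client port, DNS id) -> queried name
    result = defaultdict(lambda: {"answered": [], "unanswered": []})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["src"] == client and m["dport"] == "53":      # query leaving the client
            q = QUERY.match(m["rest"])
            if q:  # a retransmission reuses the same key, so it is counted once
                pending[(m["dst"], m["sport"], m["id"])] = q["name"]
        elif m["dst"] == client and m["sport"] == "53":    # reply coming back
            name = pending.pop((m["src"], m["dport"], m["id"]), None)
            if name is not None:
                result[m["src"]]["answered"].append(name)
    for (resolver, _port, _id), name in pending.items():   # never answered
        result[resolver]["unanswered"].append(name)
    return dict(result)


if __name__ == "__main__":
    for resolver, names in dns_summary(SAMPLE, "192.168.101.50").items():
        print(resolver, names)
```

This only shows the plaintext client-to-resolver hop on port 53. Lookups the router forwards upstream over DoT leave on TCP 853 and are encrypted, so they do not appear in this output.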
 
