What's new

Guest wifi for smart devices

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hello 🙂
I have 11 Smart Bulbs, 3 Wifi Cameras and 3 Alexa Echo devices and I'm using Asus AX86U router.
Is it worth it moving them all to a seperate guest ssid for better "security" or it ain't worth the hassle?
The decision to create a separate guest SSID for your IoT devices comes down to your personal preference and the level of security you desire. If you prioritize enhanced network segmentation and are willing to invest the time and effort into setting up and managing a separate network, it can provide an additional layer of protection. However, if convenience and simplicity are your primary concerns, keeping all devices on the same network may be more suitable for your needs.
 
Yeah sidewalk gets immediately disabled, same with any ISP hotspot (if the person is using ISP supplied router). Screw all that stuff.

Amazon Sidewalk is another discussion thread perhaps - has nothing to do with the chat here...

I've recently signed up for the SDK on that platform - and there is no impact to the local WLAN/LAN aspects in a significant way - Sidewalk is primarily LoraWan across the nodes...
 
YazFi_Guest.png

Short answer is yes, for devices which need internet access but do not need LAN access, put them in an isolated guest WiFi. I do that with YazFi as above.
 
Amazon Sidewalk is another discussion thread perhaps - has nothing to do with the chat here...

I've recently signed up for the SDK on that platform - and there is no impact to the local WLAN/LAN aspects in a significant way - Sidewalk is primarily LoraWan across the nodes...
The topic is: “Guest wifi for smart devices”.

To me it’s not about how much traffic is added to the WAN or how much overhead is added to the router as I don’t have troubles there, it’s about isolating possibly misbehaving iOT devices as much as possible from my internal LAN and WLAN. All my current iOT devices communicate with their respective APPS via their respective clouds so no reason to allow access to my internal LAN and WLAN other than simplifying and having one less Guest network to administer. I find the Asus WEB based management is pretty good and makes that no big deal and with a side bonus of allowing me to quickly see the network status of all my iOT devices quickly and in one place.

Repeat: My Azus RT-AX Routers allow for 3 x 2.4Gig Guest Networks so why not allow for a dedicated iOT network for added security? Selecting Guest Network-1 and disabling Intranet access, this gives it it’s own IP address range also.

But that being said I have done a little R&D looking for a security camera system that can be hosted internally without WAN access. I guess I’m old school, I don’t back up critical personal data to the cloud or expose my NAS to the WAN either.

IMO Amazon Sidewalk is a good example of misbehaving and that’s why I brought it up. Most users have no idea what that is and that it comes enabled by default. Here I went the extra step of disabling it on my Echo device. Low power long range wireless communication is interesting, and maybe worthy of another thread, but it would be something I would personally want to be in control of.
 
Last edited:
View attachment 50056
Short answer is yes, for devices which need internet access but do not need LAN access, put them in an isolated guest WiFi. I do that with YazFi as above.

So Yazfi does allow you to set client isolation (guests talking to each other) separately from LAN isolation, so that is a useful feature for those that want that mix. Asus stock does not support having one without the other. Someone brought that up recently, can't remember if it was this thread or another.
 
View attachment 50056
Short answer is yes, for devices which need internet access but do not need LAN access, put them in an isolated guest WiFi. I do that with YazFi as above.
I'm new here but want to learn and contribute, I don't know everything but I'm not a so called "bonehead" either. Maybe I 'm Not Young Enough To Know Everything might apply? Or something else?

You have seemed to have done your homework. Thanks.​

 
Last edited:
Resurrecting topic as opposed to creating a new thread.

I have Alexa devices that are only 2.4ghz cable. I also have newer Alexa devices that support both 2.4 and 5ghz bands. If I create two guest networks via YAZFI as follows:

- ALEXA_2G
- ALEXA_5G

Is it possible to make the devices speak to each other in just those. two networks.

Reason - Alexa has a function where you can issue a voice command to play X song everywhere. This then plays the song on every Alexa device in the house. I wanted to know if by separating Alexa devices in two guest networks would allow that function to continue? or will Amazon just handle that in the background regardless of LAN IP or SSID assigned to said Alexa device?

As I type this I was thinking, can I just set the same subnet in both 2G and 5G guest networks? Maybe have 2G host 10 LAN devices in x.x.2.x subnet and have 5G host 10 LAN devices in the same x.x.2.x subnet?

Let's try
 
Resurrecting topic as opposed to creating a new thread.

I have Alexa devices that are only 2.4ghz cable. I also have newer Alexa devices that support both 2.4 and 5ghz bands. If I create two guest networks via YAZFI as follows:

- ALEXA_2G
- ALEXA_5G

Is it possible to make the devices speak to each other in just those. two networks.

Reason - Alexa has a function where you can issue a voice command to play X song everywhere. This then plays the song on every Alexa device in the house. I wanted to know if by separating Alexa devices in two guest networks would allow that function to continue? or will Amazon just handle that in the background regardless of LAN IP or SSID assigned to said Alexa device?

As I type this I was thinking, can I just set the same subnet in both 2G and 5G guest networks? Maybe have 2G host 10 LAN devices in x.x.2.x subnet and have 5G host 10 LAN devices in the same x.x.2.x subnet?

Let's try

You should have those two SSIDs created under the same guest network number on the main guest tab. Then on yazfi set client isolation to "no" for that guest network number. They should already be using the same subnet.
 
So here are the settings. Didn't work and I did what you said:

First the main guest network settings (passphrase removed in pic)

2.4G Network

Screenshot 2023-09-07 at 12.32.26.png


5G Network

Screenshot 2023-09-07 at 12.32.51.png


YAZFI settings:

Screenshot 2023-09-07 at 12.33.47.png


Finally connected one Alexa device to 2G and other Alexa device to 5G. When you go into the Alexa App to merge the two devices under the "everywhere" speaker group, you get this error:

Screenshot_20230907_122738_Amazon Alexa.jpg


Any ideas? Im guessing its not possible?


 
At this point I guess I need to know how the 192.168.2.0 network can speak/see the 192.168.5.0 network in order for the Alexa devices to speak to one another? Im assuming I need a static rule added somwhere but haven't got the foggiest on how to do this. Can anyone help with a simple idiots guide on how I do this please?

Alternatively, I can just:

- Stick all Alexa devices on the 2G and not make use of the 5G wireless radio on each Alexa device
 
Last edited:
So here are the settings. Didn't work and I did what you said:

First the main guest network settings (passphrase removed in pic)

2.4G Network

View attachment 52916

5G Network

View attachment 52917

YAZFI settings:

View attachment 52918

Finally connected one Alexa device to 2G and other Alexa device to 5G. When you go into the Alexa App to merge the two devices under the "everywhere" speaker group, you get this error:

View attachment 52919

Any ideas? Im guessing its not possible?

Hm I guess Yazfi uses different subnets even for the two frequencies on the same guest (like Asus does on guest 1). Have you tried using guest2 instead? Not sure if that will change Yazfi or not, probably not.

You can use a script to modify the Yazfi rules but i suspect they need to be on the same subnet and possibly even same SSID to see each other. Same SSID is easy, just remove the _2G and _5G. Same subnet not sure if Yazfi will allow that. Someone more familiar with Yazfi will need to chime in.

You can use the stock guest 2 or 3 but will still need a script to disable isolation (or enable LAN access which also disables isolation, but obviously gives them access to/from your LAN).
 
Side line question.

If I have my computer/laptop on the main wirelress connection and my TV on an isolated guest network. Would i be able to mirror my laptop to the TV via airplay knowing that they are both on different subnets? Im guessing the answer is no. Boooooooo.
 
Side line question.

If I have my computer/laptop on the main wirelress connection and my TV on an isolated guest network. Would i be able to mirror my laptop to the TV via airplay knowing that they are both on different subnets? Im guessing the answer is no. Boooooooo.

I'm assuming airplay relies on MDNS, there is a way to forward that between networks, but you'd also have to have "access intranet" enabled on your guest, or use Yazfi to allow main to talk to guest.
 
I'm assuming airplay relies on MDNS, there is a way to forward that between networks, but you'd also have to have "access intranet" enabled on your guest, or use Yazfi to allow main to talk to guest.

Airplay is dependent on mDNS/Avahi - there are a couple of items in the config files to allow mDNS to cross subnets - I'm at a lost for the moment on the specifics there, but it is there...
 
I'm assuming airplay relies on MDNS, there is a way to forward that between networks, but you'd also have to have "access intranet" enabled on your guest, or use Yazfi to allow main to talk to guest.

So noticed a weird issue.

IOT_2G and IOT_5G have been configured under GUEST NETWORK 2.

I've then configured the YAZFI settings for each and enable one way talk.

I go back to the main GUEST NETWORK screen and ACCESS INTRANET for both is set to enabled.

I disable the 2.4ghz and save - all good. I now go ahead and disable the 5ghz, screen comes back and BOTH access intranet settings are enabled again.

Does Access Intranet basically mean the IOT networks can access the LAN? thus defeating the purpose of separating networks in the first place? So with access intranet ON/ENABLED. If a hacker was able to get onto or breach one of the Alexa devices. Could he then piggy back and connect to my other LAN devices on the MAIN subnet?
 
Does Access Intranet basically mean the IOT networks can access the LAN? thus defeating the purpose of separating networks in the first place? So with access intranet ON/ENABLED. If a hacker was able to get onto or breach one of the Alexa devices. Could he then piggy back and connect to my other LAN devices on the MAIN subnet?

Yes, allowing intranet access defeats the guest / main LAN isolation.
 
Pathetic regarding intranet enabling. The router has a mind of its own.

Here's another one.

Created an SSID in YAZFI named DEVICES_2G and connected the PS4 to it with client isolation enabled. All good.

- Go into online menu - it connects
- Finds another player to play with - works
- Moment you say yes connect to other player, immediately CONNECTION error.

Disable client isolation and it all works marvellously again and connects to player.

This YAZFI is becoming a little pathetic the more I play with it. May aswell just stick everything on the MAIN networks because clearly this feature produces some strange results.
 
Pathetic regarding intranet enabling. The router has a mind of its own.

Here's another one.

Created an SSID in YAZFI named DEVICES_2G and connected the PS4 to it with client isolation enabled. All good.

- Go into online menu - it connects
- Finds another player to play with - works
- Moment you say yes connect to other player, immediately CONNECTION error.

Disable client isolation and it all works marvellously again and connects to player.

This YAZFI is becoming a little pathetic the more I play with it. May aswell just stick everything on the MAIN networks because clearly this feature produces some strange results.

Yazfi requires that to be enabled on the main guest because it now controls that setting (in a much more granular fashion), read the documentation instead of calling someone's hard work (which was done for FREE) pathetic.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top