Guest WiFi on repeater?

[Marvin Gage]

I have two Asus RT-AC68U routers running latest Merlin firmware. I have the second one setup as repeater but I noticed that it does not broadcast the Guest WiFi. Is their a method to get it to broadcast the Guest WiFi? My goal is to of course have guests connect to it and than I want a second one that I will hide the SSID on to connect IOT devices like Nests and Alexa's for security.

If it is unable to broadcast Guest WiFi's to the repeater what other method can I use to isolate traffic and protect my internal network?

 

[Ronald Schwerer]

You repeat the one SSID your repeater is configure for. So you can propagate the Guest SSID. I use a 68U repeating my primary router's 5GHz Guest SSID as a backhaul and repeat it (on both 2.4 and 5 since I can't seem to turn off 5G ) with a different SSID (so I know what I'm connecting to).

 

[Marvin Gage]

You repeat the one SSID your repeater is configure for. So you can propagate the Guest SSID. I use a 68U repeating my primary router's 5GHz Guest SSID as a backhaul and repeat it (on both 2.4 and 5 since I can't seem to turn off 5G ) with a different SSID (so I know what I'm connecting to).

Ahh so you can only repeat one SSID on the repeater so can not have the main SSID also and the Guest. Hmm.. any other way to do this than to isolate an SSID for Guest? I was hoping the repeater could repeat the main SSID also. As it now the repeater is in the main part of the house so the Guest one is a bit on the weak side for the signal. What I have now on the main is.

SSID5
SSID2.4
SSID5-Guest
SSID2.4-Guest

But repeater is only repeating the SSID5 and SSID2.4 but Guest does not show up on it.

 

[Zastoff]

Not sure..but test with setting intranet access=on In your guest network.
Think i read something about this with ap/repeater..

 

[Ronald Schwerer]

Ahh so you can only repeat one SSID on the repeater so can not have the main SSID also and the Guest. Hmm.. any other way to do this than to isolate an SSID for Guest? I was hoping the repeater could repeat the main SSID also. As it now the repeater is in the main part of the house so the Guest one is a bit on the weak side for the signal. What I have now on the main is.

SSID5
SSID2.4
SSID5-Guest
SSID2.4-Guest

But repeater is only repeating the SSID5 and SSID2.4 but Guest does not show up on it.

Actually, it only repeats the SSID that it connects to on the router. The names that it uses for the repeated SSIDs (only one for each band) are totally arbitrary. Think of it this way: the SSID you chose to connect to on the router is a virtual data path. The repeated SSIDs are just an extension of that single SSID and use the same path back through the router's SSID.

For example, using the above SSID names, if the repeater is configured to repeat SSID5, your repeater could have SSID2.4 and SSID5 also (or any other names you choose), but all the data would be merged into one backhaul to the router on it's SSID5.

If you want to repeat more that one of the router's SSIDs, you'll need another repeater for each. Generally, since the AC68U repeater splits the router's SSID into 2.4 and 5GHz, you'd need one repeater to do both the normal SSID and one repeater for each Guest SSID you want to extend.

For my low bandwidth IoT stuff (lights, switches, thermostats,... I have used a cheap TP-Link 2.4GHz repeater (often can be found for $15).

 

[CaptainSTX]

any other way to do this than to isolate an SSID for Guest?

If you can get an Ethernet cable to the second router then you could double NAT the second router. Then you could use the same SSIDs on both routers.

While there are no speed issues in a double NAT communicating from devices connected to the first router to devices connected to the second router is difficult. Not so difficult for devices on the second router to communicate with devices on the first router.

If you can't run Ethernet then consider MOCA or Powerline adapters. Either if they will work in your location should be an improvement over using a repeater.

 

[Klueless]

The Pros use a distributed architecture; a router dedicated to being the best it can be, switches to distribute Ethernet as needed and wireless access points to distribute WiFi access where it's needed.

Professional equipment often uses "command line interfaces" to provide the optimum in flexibility and configuration options. Unfortunately complexity often comes along with flexibility.

The rise of "all-in-one" home routers with "graphical user interfaces" (GUIs) make this technology readily available to novices like me (albeit with some limitations). I am simply prompted to give my WiFi service (SSID) a name and password and I'm done. As I further browse the interface I'm presented with options where I simply check "yes/no" or "enable/disable". Some GUIs present a robust list of features, others - few.

For many of us home users that's all we need, a single "all-in-one" router for the whole house!

The OP has set a second set of SSIDs with Intranet access disabled. This way "guest" can not view your internal network, they are only allowed access to the Internet.

Using the OP's router configuration;

SSID5
SSID2.4
SSID5-Guest
SSID2.4-Guest

If a client connects to SSID5 (or 2.4) he will inherit access to everything; if he connects to "Guest" he only has access to the Internet. In this case if the client connects to the router via Ethernet he also has access to everything. The client simply inherits the traits the router allows.

The OP is taking a 2nd router and is "downgrading" it to serve as a wireless access point. (Essentially he is disabling routing, NAT, DHCP et al.) How successful he is will depend on how robust the configuration options are.

If the AP connects (back-hauls) to the router over Ethernet or wireless over SSID 5 or 2.4 the AP's clients will inherit access to everything. If the AP connects wireless over SSID "Guest" the AP's clients will be limited to Internet access only.

Now if you have a smart (e.g., expensive) AP you would give it access to everything. Then you program the AP to broadcast multiple SSIDs; some "protected", some not. Ruckus comes to mind.

I have not re-purposed an Asus Router as an access point. My "guess" is (as per above) it can be setup to give clients either full access or guest access but not both.

Maybe "guest" access for the whole house would meet your needs? It would for me. My needs are simple. Yes, I'd have to walk my laptop downstairs / closer to the main router (where the "non-Guest" SSIDs are available) when I wanted to print, but not all that bad since I'd have to pass the beer cooler on the way : -)

Now, IMO, there are three types of wireless Access Points; a "Repeater", an "Extender" and a wired wireless AP.

The wired AP uses an Ethernet line as a dedicated backhaul to the router. Ethernet is Full Duplex; you can send and receive at the same time. That's 1 Gig up and another Gig down. It's also its very own collision domain. You are not sharing that bandwidth with anyone else.

A Repeater uses a WiFi radio as the backhaul to the router. Clients use the same radio to talk. A client talks. The radio then becomes unavailable because it has to relay the data to the router over the backhaul. This essentially cuts available air time in half. In addition wireless is half duplex, that means only one thing can talk at a time. All clients are also in the same collision domain, that means all bandwidth is shared by all users/clients.

An Extender falls in between the two. Like a Repeater clients are half duplex and live in the same collision domain. Unlike a Repeater it uses a second radio for the backhaul eliminating the "halving" effect of a Repeater.

Using my old $75 dual-band Netgear 6150 as an example:

• I connected it to my router with Ethernet. It offered me "Home" or "Public". "Home" gave clients full access, "Public" gave them Internet access only.
• I connected it as a wireless repeater. One backhaul connected at 2.4 and offered a 2.4 service. The other backhaul connected at 5 and offered a 5 GHz service. I guess I could have connected one to SSID2.4 and the other to "SSID5-Guest" and achieved pretty much what you're looking for at a cost of $75.
• Instead I set mine for Extender mode. I dedicated one radio as the backhaul and the other for client communications only.

Confused? Me too! Good Luck.

 

[joe scian]

The Pros use a distributed architecture; a router dedicated to being the best it can be, switches to distribute Ethernet as needed and wireless access points to distribute WiFi access where it's needed.

Professional equipment often uses "command line interfaces" to provide the optimum in flexibility and configuration options. Unfortunately complexity often comes along with flexibility.

The rise of "all-in-one" home routers with "graphical user interfaces" (GUIs) make this technology readily available to novices like me (albeit with some limitations). I am simply prompted to give my WiFi service (SSID) a name and password and I'm done. As I further browse the interface I'm presented with options where I simply check "yes/no" or "enable/disable". Some GUIs present a robust list of features, others - few.

For many of us home users that's all we need, a single "all-in-one" router for the whole house!

The OP has set a second set of SSIDs with Intranet access disabled. This way "guest" can not view your internal network, they are only allowed access to the Internet.

Using the OP's router configuration;

If a client connects to SSID5 (or 2.4) he will inherit access to everything; if he connects to "Guest" he only has access to the Internet. In this case if the client connects to the router via Ethernet he also has access to everything. The client simply inherits the traits the router allows.

The OP is taking a 2nd router and is "downgrading" it to serve as a wireless access point. (Essentially he is disabling routing, NAT, DHCP et al.) How successful he is will depend on how robust the configuration options are.

If the AP connects (back-hauls) to the router over Ethernet or wireless over SSID 5 or 2.4 the AP's clients will inherit access to everything. If the AP connects wireless over SSID "Guest" the AP's clients will be limited to Internet access only.

Now if you have a smart (e.g., expensive) AP you would give it access to everything. Then you program the AP to broadcast multiple SSIDs; some "protected", some not. Ruckus comes to mind.

I have not re-purposed an Asus Router as an access point. My "guess" is (as per above) it can be setup to give clients either full access or guest access but not both.

Maybe "guest" access for the whole house would meet your needs? It would for me. My needs are simple. Yes, I'd have to walk my laptop downstairs / closer to the main router (where the "non-Guest" SSIDs are available) when I wanted to print, but not all that bad since I'd have to pass the beer cooler on the way : -)

Now, IMO, there are three types of wireless Access Points; a "Repeater", an "Extender" and a wired wireless AP.

The wired AP uses an Ethernet line as a dedicated backhaul to the router. Ethernet is Full Duplex; you can send and receive at the same time. That's 1 Gig up and another Gig down. It's also its very own collision domain. You are not sharing that bandwidth with anyone else.

A Repeater uses a WiFi radio as the backhaul to the router. Clients use the same radio to talk. A client talks. The radio then becomes unavailable because it has to relay the data to the router over the backhaul. This essentially cuts available air time in half. In addition wireless is half duplex, that means only one thing can talk at a time. All clients are also in the same collision domain, that means all bandwidth is shared by all users/clients.

An Extender falls in between the two. Like a Repeater clients are half duplex and live in the same collision domain. Unlike a Repeater it uses a second radio for the backhaul eliminating the "halving" effect of a Repeater.

Using my old $75 dual-band Netgear 6150 as an example:

• I connected it to my router with Ethernet. It offered me "Home" or "Public". "Home" gave clients full access, "Public" gave them Internet access only.
• I connected it as a wireless repeater. One backhaul connected at 2.4 and offered a 2.4 service. The other backhaul connected at 5 and offered a 5 GHz service. I guess I could have connected one to SSID2.4 and the other to "SSID5-Guest" and achieved pretty much what you're looking for at a cost of $75.
• Instead I set mine for Extender mode. I dedicated one radio as the backhaul and the other for client communications only.

Confused? Me too! Good Luck.

As per your definitions then is "Wireless Bridged" mode similar to "Extender"

 

[Klueless]

As per your definitions then is "Wireless Bridged" mode similar to "Extender"

By my definition yes but, not everyone is on board with my understanding of the vernacular. Expanding and using the 7 layer OSI model as a reference point, a "repeater" connects two networks at layer one, a "bridge" connects two networks together at layer two (which is essentially what using a separate WiFi radio for the backhaul does) and "routers" connect two networks together at layer three. Each layer up results in traffic reduction.

I don't have access to anything at the moment that would allow me to interpret what Asus means by "wireless bridged". The "key" is that the AP's backhaul uses a wire or a different radio than the AP's clients use. (That's one of the attractions of tri-band mesh nodes, a separate radio for backhauls.)

There is another term tossed around - "Media Bridge". It was designed to give an Ethernet only device (e.g., an "Ethernet-only" printer or an "Ethernet-only" game machine) wireless access.

 

[Yota]

Maybe my thread will help you
https://www.snbforums.com/threads/expand-the-guest-network-to-two-merlin-routers.61231/

 

[Klueless]

Maybe my thread will help you
https://www.snbforums.com/threads/expand-the-guest-network-to-two-merlin-routers.61231/

Uh, over my head but, like, holy crap Batman, I am impressed!

So in addition to VLANs, etc. your script adds a 2nd SSID to the AP? If that's true then why bother with messing with the router, VLANs and a 2nd subnet?

You already know the address space (192.168.50.X). Why not just add the 2nd (guest) SSID to the AP and block access to everything on 192.168.50.X except 192.168.50.1 (the router, DHCP and DNS server)? <lol>, easy for me to say, I don't know diddly about scripting!

 

[Yota]

Uh, over my head but, like, holy crap Batman, I am impressed!

So in addition to VLANs, etc. your script adds a 2nd SSID to the AP? If that's true then why bother with messing with the router, VLANs and a 2nd subnet?

You already know the address space (192.168.50.X). Why not just add the 2nd (guest) SSID to the AP and block access to everything on 192.168.50.X except 192.168.50.1 (the router, DHCP and DNS server)? <lol>, easy for me to say, I don't know diddly about scripting!

The AP will run two SSIDs, one for the LAN and one for the guest. The scripts does not create them. The user needs to create them through the GUI and get the WiFi interface name of the guest, such as "wl1.1", and into it to the scripts.

Actually, I am a noob and don't know much about writing scripts. As you can see, I have read a lot of references to complete this scripts, and there are many commands that I do not fully understand.

And, thank you very much for your thoughts, I never thought about it, it was a great idea. If you do that, don't need VLAN and new subnets, just need some iptables rules, but, there is a problem. Your router cannot know who is the Guest through the AP, so you cannot apply rules to the Guest.

However, I will continue to study your ideas, thank you.

 

[Klueless]

The AP will run two SSIDs, one for the LAN and one for the guest. The scripts does not create them. The user needs to create them through the GUI and get the WiFi interface name of the guest, such as "wl1.1", and into it to the scripts.

I stand to learn much from you my new friend. I've never configured an Asus router as an AP so I did not know that you could configure it with multiple SSIDs.

... but, there is a problem. Your router cannot know who is the Guest through the AP, so you cannot apply rules to the Guest.

I'm not sure the router needs to know ... anything. Your script would be on the AP. It would simply apply the "rules" to the AP SSID you decide will act as "guest".

 

[Yota]

I stand to learn much from you my new friend. I've never configured an Asus router as an AP so I did not know that you could configure it with multiple SSIDs.

Yes, in AP mode, you can use the guest network function, and like router mode, you can create up to 6 guest WiFis.

I'm not sure the router needs to know ... anything. Your script would be on the AP. It would simply apply the "rules" to the AP SSID you decide will act as "guest".

In AP mode, the AP just forwards traffic to the superior router and does not apply any rules to the traffic. I think this is a characteristic of the AP mode.

So, what my script does is just let the AP add VLAN tags to the traffic of the guest network, and then the router can distinguish who the guest is based on different tags.

 

[Klueless]

In AP mode, the AP just forwards traffic to the superior router and does not apply any rules to the traffic. I think this is a characteristic of the AP mode.

So, what my script does is just let the AP add VLAN tags to the traffic of the guest network, and then the router can distinguish who the guest is based on different tags.

Huh. Now I know. Thank you for tolerating my ramblings ...

 

[Yota]

Huh. Now I know. Thank you for tolerating my ramblings ...

I really think your idea is interesting, because even ASUS is using it. In router mode, ASUSWRT does not use VLANs to distinguish guest networks, but some rules like iptables. be happy my friend.

 

[Klueless]

I really think your idea is interesting, because even ASUS is using it. In router mode, ASUSWRT does not use VLANs to distinguish guest networks, but some rules like iptables. be happy my friend.

With, what, 7 billion people in the world it's likely I'll never come up with an original thought