Connecting to device in Guest or IOT VLAN from intranet (using Guest Pro on 3.0.0.6 firmware)?


mmjlmjl

Occasional Visitor
I'm evaluating an RT-BE88U with the latest firmware. One specific issue I'm facing: I cannot access a device from the intranet (VLAN1) on a Guest Network Pro-created VLAN.

Given this:
IP camera on 192.168.3.59 in VLAN3 (Guest Network, AP isolation on, or off for that matter)
IP of the router 192.168.50.1

From the .50.x range I need to access the camera in the .3.x subnet. How to set this up without giving the .3.x subnet devices access to the intranet?

Some background: I use a 3.0.0.4 Merlin fork on another device; there this just simply works, one-way connectivity from the intranet to the Guest network. Guest devices cannot access the intranet. On the new router this does not work.

I tried some Firewall rules but did not get anything to work.... (sorry FW noob here...)
 
If you haven't seen it already, Asus Support has a general support document on how to setup/use Guest Network Pro in various configurations including IoT.

Generally the block intranet access tends to be an all or nothing affair. Either you block communication in both directions to/from the intranet to the Guest Network Pro clients or you don't.

One possible way to work around this (if not using AiMesh) if the Guest Network Pro doesn't offer the capability is to roll back to Asus-Merlin firmware and use something like YazFi. With YazFi you can configure custom firewall rules to allow traffic from the LAN to the Guest Network YazFi clients.
 
From the .50.x range I need to access the camera in the .3.x subnet. How to set this up without giving the .3.x subnet devices access to the intranet?
I have experienced the same issue. As you have described, the 192.168.3.xx subnet is not accessible from your primary router subnet when intranet isolation is on.

My workaround is to temporarily configure my laptop PC NIC with a static IP in the camera VLAN subnet. This is a simple task.

In your case, change your PC/Mac NIC to a static IP, something like 192.168.3.30. Now you have access to all cameras (but not to the internet or your 192.168.50.XX subnet).

Once you are finished with whatever you need to do on your cameras, revert your PC/Mac NIC to its previous settings.

If you are intending to use your PC/Mac as a monitoring station, that becomes a different challenge. In my case, I can ethernet cable into my camera VLAN, and I can have my WiFi connected to my router primary subnet. Although not a particularly elegant solution, it can work (to a degree).

In my case, I have decided to get a separate monitoring station (Android tablet) that connects to my camera VLAN.

Until Asus adds the Pro features that are missing in their 3.0.0.6 firmware, we are all stuck with workarounds or Merlin FW as @bennor has pointed out.
 
It's all or nothing.

Intervlan routing with asus:
1. Flash merlin + addons like YazFi, etc.
2. manually script the iptables changes you want and pray an update doesn't break it
3. Flash openwrt and enjoy fully working vlans and intervlan routing with a GUI

I've used the ExpertWiFi "business" class routers. Intervlan routing wasn't there and is not coming. That's why I chose #3.


FYI, you should always avoid vlan 1, 2, and 3.
 
Unfortunately Merlin does not support this router yet.

I'm a bit surprised this does not work on the 3.0.0.6 firmware, as in the 3.0.0.4 firmware on my XT12 it does work. Well, I'll send it back to Amazon and order it again once Merlin supports it (he posted he is working on it).

So no static route or Firewall rule I could enter to make this work..?
 
So no static route or Firewall rule I could enter to make this work..?
"2. manually script the iptables changes you want and pray an update doesn't break it"

 
"2. manually script the iptables changes you want and pray an update doesn't break it"

Merlin is not (yet) available on this model.

“FYI, you should always avoid vlan 1, 2, and 3”

Why? As some other switches in the network only support VLAN 1 through 8, I'm a bit limited :)
 
That was for showing you the syntax for intervlan routing. You would create a local script to automate the manual firewall edits, which you would have to run after each reboot until Merlin firmware.

Low VLAN IDs are more than likely already the hardcoded default native VLAN that belongs to all ports. So long as you understand and design security around that, it's not an issue. IMHO the default native VLAN and management VLAN should be moved to at least 10 or higher.
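The "manually script the iptables changes" option from the list above, and the "local script you run after each reboot" just mentioned, look like the following. This is an added example written for this page; it is not code from the thread, from Asus or from any firmware, and it assumes the thread's own addressing (192.168.50.0/24 intranet, 192.168.3.0/24 guest VLAN, camera at 192.168.3.59), that the router itself routes between the two VLANs, and that its firewall is a netfilter FORWARD chain. The chain name LAN2GUEST is made up. It grants exactly the one-way access the original poster asked for: the intranet may open connections to the camera, replies come back by connection state, and the guest VLAN still cannot open anything towards the intranet.

```shell
#!/bin/sh
# Added example, not code from the thread, from Asus or from any firmware:
# one-way intranet -> guest VLAN access scripted with iptables. Addresses are
# assumptions taken from the thread; the chain name LAN2GUEST is hypothetical.
set -eu

IPT="${IPT:-iptables}"                    # IPT=echo prints the rules instead of applying them
LAN_NET="${LAN_NET:-192.168.50.0/24}"     # intranet (VLAN1)
GUEST_NET="${GUEST_NET:-192.168.3.0/24}"  # Guest Network Pro VLAN (VLAN3)
CAMERA="${CAMERA:-192.168.3.59}"          # the only guest host the intranet may reach
CHAIN="${CHAIN:-LAN2GUEST}"               # hypothetical chain name, easy to inspect and flush

# Build a dedicated chain and hook it at the top of FORWARD for traffic between
# the two subnets. Rule order is the whole point: the jump sits at position 1 so
# it runs before the firmware's own isolation rules; inside the chain, replies to
# accepted sessions pass first, then new sessions from intranet to the camera,
# and everything else between the two subnets (notably guest -> intranet) is
# dropped here instead of being left to whatever rules follow.
allow_lan_to_guest() {
    lan="$1"; guest="$2"; host="$3"; chain="$4"

    $IPT -N "$chain" 2>/dev/null || true      # create once; ignore "chain already exists"
    $IPT -F "$chain"                           # flush so the script is safe to re-run

    # 1. replies to sessions already accepted, in either direction
    $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. new sessions: intranet hosts may open connections to the camera only
    $IPT -A "$chain" -s "$lan" -d "$host" -m state --state NEW -j ACCEPT
    # 3. anything else between the two subnets is dropped
    $IPT -A "$chain" -j DROP

    # Hook the chain in first position for both directions; delete stale jumps
    # first so repeated runs do not stack duplicates.
    $IPT -D FORWARD -s "$lan" -d "$guest" -j "$chain" 2>/dev/null || true
    $IPT -D FORWARD -s "$guest" -d "$lan" -j "$chain" 2>/dev/null || true
    $IPT -I FORWARD 1 -s "$guest" -d "$lan" -j "$chain"
    $IPT -I FORWARD 1 -s "$lan" -d "$guest" -j "$chain"
}

# Only touch the live firewall when explicitly asked. On stock firmware nothing
# persists iptables changes, so this has to be run again after every reboot.
if [ "${1:-}" = "apply" ]; then
    allow_lan_to_guest "$LAN_NET" "$GUEST_NET" "$CAMERA" "$CHAIN"
    $IPT -L FORWARD -n --line-numbers | head -n 5   # the two jumps should be rules 1 and 2
    $IPT -L "$CHAIN" -n -v --line-numbers           # packet counters show which rule matched
fi
```

Run it with `IPT=echo sh script.sh apply` first to see the rules it would add, then on the router as `sh script.sh apply`. To verify, open the camera's web page or RTSP stream from a .50.x host and watch the counters on rule 2 of LAN2GUEST increase; then, from a guest-VLAN host, try to reach 192.168.50.x and confirm the DROP counter increases instead. Two caveats: the camera's default gateway must be the router, or the reply packets never come back through FORWARD; and if the firmware enforces guest isolation below IP (bridge or ebtables rules, or a guest VLAN the router does not route at all), these FORWARD rules never see the traffic, which is exactly the "all or nothing" situation described above. Access to the router's own services from the guest VLAN is a matter for the INPUT chain and is deliberately not touched here.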
 
