Is it possible to make main wifi isolated to internet only?

saltyzip

Occasional Visitor
Hi All,
I have an unusual use case in that the guest network (separate SSID) I've enabled on my RT AC88U, which sits at the front of my house, is shared with my next door neighbour who happens to be family. He connects to my guest wifi in his house using an Asus RP-AC52, which is a wireless repeater, and all works well.

The guest network is not able to access the intranet (my stuff), so everything is well isolated.

The problem with this arrangement is the main wifi on the router doesn't quite cover the back rooms in my house or the garden, so I thought I had a cunning plan to fix this.

I purchased a Ubiquiti UAP‑AC‑PRO wifi AP and stuck that on the landing ceiling upstairs and plugged that into the existing network. That works brilliant 5G everywhere and only drops down to 2G in the garden, lots of wifi goodness.

To finish up I wanted to turn off the old main wifi on the Asus router and just leave the guest network running. However, there is no option for me to do that; if I disable the 2g radio, it disables the 2g guest network too, and it's the same problem with the 5g network.

So my next thought is to turn off the guest wifi and make the main wifi the guest wifi, and this is where I need your help.

How do I force the main router wifi to perform in the same manner as the guest wifi, so that it only has access to the internet and not my stuff?

Hope that all makes sense and you can offer me some help.

I am currently running Merlin Firmware Version:384.5

Thanks!
 
You could probably do what you want with custom scripting, but it's not really worth the effort IMHO. The primary WiFi and its associated guest networks are in reality the same radio operating on the same band. There's just a few bytes changed in some of the packet headers. So even if you achieved what you want the difference is illusory. You can achieve much the same outcome by changing the SSID of the primary network to something unique and giving it a complex password. Hide this SSID if you don't want to see it. As there will be nothing connecting to it the amount of traffic generated for it will be negligible.
 
The guest network already has a separate SSID, and it's that SSID which I want to move over to the main wifi.

I need the isolation from my network. For example, otherwise I get to see all his Google homes and Chromecasts when casting and vice versa.

Hiding the master SSID in an effort to just make it redundant goes against my principles really, plus causes noise on the airwaves which shouldn't be there.
 
Under professional wireless settings, set AP isolated mode to yes for the radio in question. This will prevent devices from talking to each other and will only allow internet traffic.
 
In which case try entering these commands from the router's command line and see if it works. If it does you can put them in a script.
Code:
ebtables -t broute -A BROUTING -p IPv4 -i eth1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -A FORWARD -i eth1 -j DROP
ebtables -t filter -A FORWARD -o eth1 -j DROP
This only affects the primary 2.4GHz SSID (eth1). You will have to substitute eth2 if you want to affect the primary 5GHz SSID. It also assumes your LAN is on 192.168.1.0/24.

Additionally you will have to set AP Isolated as mentioned by @agilani. Additionally you might want to set AP Isolated if you don't want the guests to be able to talk to each other.
 
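One way to put the three ebtables commands from the post above into a script, as an added example that is not part of the thread. The function names and the `LAN_NET` and `DRY_RUN` variables are hypothetical; the interface names and subnet are the ones the post assumes.

```sh
#!/bin/sh
# Added example: applies the three ebtables rules from the post above to one
# or more primary-radio interfaces without stacking duplicate rules.
# Assumed (from the post): eth1 = 2.4GHz, eth2 = 5GHz, LAN = 192.168.1.0/24.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # hypothetical override variable
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them

# Print "table chain rule-spec" for each of the three rules, one per line.
rules_for() {
    printf '%s\n' \
        "broute BROUTING -p IPv4 -i $1 --ip-dst $LAN_NET --ip-proto tcp -j DROP" \
        "filter FORWARD -i $1 -j DROP" \
        "filter FORWARD -o $1 -j DROP"
}

# Accept only plain interface names so nothing else reaches the command line.
valid_ifname() {
    case "$1" in
        ''|*[!a-z0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_isolation() {
    for ifname in "$@"; do
        valid_ifname "$ifname" || { echo "bad interface: $ifname" >&2; return 1; }
        rules_for "$ifname" | while read -r table chain spec; do
            # Delete any existing copy first, so a re-run (for example after
            # the firewall restarts) leaves exactly one instance of each rule.
            # $spec is left unquoted on purpose: it holds several arguments.
            run ebtables -t "$table" -D "$chain" $spec 2>/dev/null || true
            run ebtables -t "$table" -A "$chain" $spec
        done
    done
}

# Example: DRY_RUN=0 sh isolate.sh eth1 eth2
if [ $# -gt 0 ]; then apply_isolation "$@"; fi
```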
IMO just set the main wifi and Ubiquiti (AP) to same SSIDs and let the clients pick whichever has stronger signal.

Set the main, guest, and ap to different non-overlapping bands then you shouldn’t have any degradation due to interference.
 
Under professional wireless settings, set AP isolated mode to yes for the radio in question. This will prevent devices from talking to each other and will only allow internet traffic.
Problem with this is I assume his laptop will not see his wireless printer yet they will be connected to the same WiFi.

I've just tried this and unfortunately when I connect to the WiFi via my phone and click cast, all my cast-to devices are visible; they are not isolated, so this isn't workable.
 
Why don’t you run an Ethernet cable? Put him on 192.168.2.1 to his router in AP mode. Your main router will be on 192.168.1.1
 
Why don’t you run an Ethernet cable? Put him on 192.168.2.1 to his router in AP mode. Your main router will be on 192.168.1.1

Run a cable to next door neighbour?

On top of that, just using a separate subnet does not automatically give you isolation.
 
I would assume that his neighbour couldn’t see his devices because they would be on their own subnet.

This is certainly my experience. You see the same with Wi-fi in hotels. Even though they may share the same Wi-fi SSID I couldn’t “see” my notebook (connected) on the other side of the hotel because there are several APs around the hotel. Slightly different to his setup I know.

If you don’t create layered routes they remain contained. It’ll be the simplest solution for him and allow him to do whatever he wants to his own Wi-fi.
 
I would assume that his neighbour couldn’t see his devices because they would be on their own subnet.

This is certainly my experience. You see the same with Wi-fi in hotels. Even though they may share the same Wi-fi SSID I couldn’t “see” my notebook (connected) on the other side of the hotel because there are several APs around the hotel. Slightly different to his setup I know.

If you don’t create layered routes they remain contained. It’ll be the simplest solution for him and allow him to do whatever he wants to his own Wi-fi.

They remain contained indeed and have zero WAN access without any routes. There is no DHCP either so all client devices the neighbour has would have to all switch to static IPs as well.
 
