Looking for a router with multiple Guest Networks (SSIDs)

I think it is simpler to have 1 guest vlan at my home. They can fend for themselves. My guests are not going to be hacking at each other. And if they are I don't care. Most of them are only here for a little while. I have had several guests need to print. So, I can share a printer with them. I use ACLs for access to the printer. But my guest network is pretty tame. I don't need security like at an airport. This is at my home with my friends.

Yeah I had that for a while but then set up one for IOTs (well, the 3 or 4 devices that I would consider IOT), one for semi-trusted guests in the house and my wired work laptop, and another for the guest network on my outdoor AP that the neighbors use sometimes.

My semi-trusted guest network can print (mostly so my work PC can print, never had a guest need it).

As far as AP isolation, it's enabled by default in the asus and haven't seen a need to disable it via script. Not hurting anything, since none of my IOTs or guests need to talk to one another. If I needed to "cast" to my TV or something it would be an issue but I have a PC with wireless keyboard hooked up for that.

Yeah in reality it isn't a huge deal, but does make sense to have it there for most people.
 
My IOT devices use Bluetooth as I feel it is safer. So, it is all Apple. It seems better to me and safer. You must be present to hack my system.
I need my wireless APs to relay Bluetooth. It depends on where I am in my house as to what Bluetooth devices I have access to. In the front half of my house I can control the front devices. And when I am in the back half of my house I can control the back devices. Nowhere in my house can I control all of my IOT devices using Bluetooth.
Cisco may be testing it as my new Cisco wireless 150ax devices have Bluetooth but they are for future use.

But of course if you relayed your bluetooth via an AP there is theoretically an IP attack surface there....

Not like bluetooth is totally secure, but at least you only have to worry about people in close proximity. But isolating them to a guest network with good firewall rules should be plenty secure and let you have more control. To each their own though. If I was a heavy user of bulbs, outlets, smart speakers etc I'd have a dedicated AP just for them. But all I have is an old smart TV, Blu Ray Player and Fire TV stick.
I don't think so. I have been over this several times in my head and Bluetooth seems like the right solution. I am not going to use wireless IOT devices. My wife is happy using Apple Bluetooth devices. We mainly use our iPhones to control the devices.

In your situation, I agree - I'm not seeing a security issue...

AP isolation is kind of interesting - depends on the SDK, but for AP's using HostAPD's "isolate" function...

It basically stops any bridging across associated client STA's in their BSS (BSS meaning AP/Client within a given SSID) - this all happens at the MAC layer itself, and it's outside of VLAN's which are one layer up in the stack (the data link layer)...

It does make life a bit easier for the client station if accessing the internet directly, but interaction with the LAN side...

Going back to multiple SSID's and Guest Networks - each SSID adds a lot of overhead, and that overhead, the management frames, which includes the beacons, are transmitted at the legacy 802.11b 1Mbps rate - and this sucks up a huge amount of airtime that cannot be used for traffic frames...

So just be careful - just because one can do something, doesn't mean one should - it's all about use cases...

In mesh networks, this just compounds the airtime problem...

Yeah I'm not aware of any that are doing AP isolation using VLANs, that would be pretty overkill and hard to implement. Filtering broadcasts and/or traffic via the shared connection (or not even establishing that shared connection) is the easiest.

My beacons are set to 5.5M (think we've discussed this one before, would set it to 6 or 12 but for some reason a couple old IOT devices don't like that even though they're N). With 3 SSIDs I notice no performance impact vs when I had one. There probably is a slight one but not anything that has had any impact.
 
Cisco has had isolation in my older Cisco APs. I never turned it on. I have not looked in my latest Cisco 150ax APs.

Pretty much every AP has it, never seen one without the option. I'm sure there's some out there but it won't be Cisco or other higher end brands.

Just as a friendly heads up - if you're doing 5.5, you're still in 802.11b legacy... legacy mode sucks the hell out of airtime - even though you might set the rate to 5.5, 802.11b requires management frames to be set at 1 - and then we have the legacy preamble...

Challenge here is most consumer router/AP's - you can set to 11n only, but they still do 11b legacy - and there, things can get complicated if one has ERP stations nearby - not just on the local WLAN, but also adjacent WLAN's - so the neighbor with an old HP printer can mess you up and put one into protection modes for 2.4...

As a reminder - OFDM starts at 6 - and that is a much better place with ERP (11g), HT(11n), HE(11ax) modes in 2.4...

Even on old chipsets - disabling WPA and DSSS support - it's a 20 percent improvement in throughput - I've been doing a fair amount of work on ath9k/ath10k along with mt76 - and the improvement is real...

QCA WiFi 6 drivers - not quite at a point where I can do useful things - closed source works fine with QSDK...
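The airtime cost that the two posts above attribute to legacy-rate beacons (one beacon train per SSID, sent at the 802.11b 1 Mbps basic rate behind a long DSSS preamble) can be put into numbers. The following is an added example, not code from the thread or from any vendor named in it: it models the on-air duration of one DSSS/CCK beacon and one OFDM beacon and scales by the number of SSIDs. The 250-byte beacon size and the 100 TU beacon interval are assumed; the 192 µs long PLCP preamble+header, the 20 µs OFDM preamble+SIGNAL field and the 4 µs OFDM symbol are the standard's values.

```python
"""Estimate the share of a second that beacons consume on one channel.

Added illustration for the beacon-overhead discussion; all sizes and
intervals below are assumptions, not values read from any specific AP.
"""
import math

BEACON_INTERVAL_TU = 100   # default beacon interval (assumed), in 1024 us time units
TU_US = 1024
BEACON_BYTES = 250         # assumed typical beacon size incl. MAC header and FCS

DSSS_RATES_MBPS = (1, 2, 5.5, 11)


def dsss_airtime_us(payload_bytes: int, rate_mbps: float, long_preamble: bool = True) -> float:
    """On-air time of an 802.11b (DSSS/CCK) frame.

    The PLCP preamble+header is sent at 1 Mbps regardless of the data rate:
    192 us for the long preamble, 96 us for the short one. 1 Mbps frames
    can only use the long preamble, which is why even a 5.5 Mbps beacon
    still pays the legacy preamble cost.
    """
    if rate_mbps == 1:
        long_preamble = True
    plcp_us = 192 if long_preamble else 96
    return plcp_us + (payload_bytes * 8) / rate_mbps   # Mbps == bits per microsecond


def ofdm_airtime_us(payload_bytes: int, rate_mbps: int) -> int:
    """On-air time of an 802.11a/g OFDM frame (6 Mbps and up).

    20 us of preamble + SIGNAL, then 4 us symbols; the PSDU is framed by
    16 SERVICE bits and 6 tail bits and padded to a whole symbol.
    """
    bits_per_symbol = rate_mbps * 4            # 6 Mbps -> 24 data bits per symbol
    total_bits = 16 + 8 * payload_bytes + 6
    return 20 + 4 * math.ceil(total_bits / bits_per_symbol)


def beacon_airtime_us(rate_mbps: float, payload_bytes: int = BEACON_BYTES) -> float:
    """Duration of a single beacon at the given basic rate."""
    if rate_mbps in DSSS_RATES_MBPS:
        return dsss_airtime_us(payload_bytes, rate_mbps)
    return ofdm_airtime_us(payload_bytes, int(rate_mbps))


def beacon_airtime_fraction(num_ssids: int, rate_mbps: float,
                            payload_bytes: int = BEACON_BYTES) -> float:
    """Fraction of every second spent on beacons for num_ssids BSSes on one radio.

    Each SSID beacons independently, so the cost is linear in the SSID count.
    """
    beacons_per_sec = 1_000_000 / (BEACON_INTERVAL_TU * TU_US)   # ~9.77/s at 100 TU
    return num_ssids * beacon_airtime_us(rate_mbps, payload_bytes) * beacons_per_sec / 1_000_000


if __name__ == "__main__":
    print(f"{'SSIDs':>5} {'rate':>6} {'per beacon':>11} {'airtime':>8}")
    for rate in (1, 5.5, 6, 12):
        for n in (1, 3):
            frac = beacon_airtime_fraction(n, rate)
            print(f"{n:>5} {rate:>6} {beacon_airtime_us(rate):>9.0f} us {frac:>7.2%}")
```

With the assumed sizes, three SSIDs beaconing at 1 Mbps burn about 6.4% of the channel before any station sends a byte; the same three SSIDs at 6 Mbps OFDM cost about 1.1%, and 5.5 Mbps CCK lands in between because it still carries the 192 µs legacy preamble. Probe responses and other management frames sent at the basic rate add to this on top of what the model counts.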

Yep, I know, unfortunately if I set it to 6 or 12 my Panasonic TV and Blu Ray (both draft N) won't connect. Since they're the only things that connect to 2.4 (and sometimes my phone if it doesn't switch to the outdoor AP when I go outside), not a big deal.

My beacons are at 5.5 though, B is disabled and no B devices can connect, confirmed that much in the CLI and by cracking out an old laptop with Lucent PCMCIA card just out of curiosity. As far as I know the beacon rate is what management frames use also, maybe I'm wrong on that.

My outdoor AP is set to 6 since nothing draft N needs to hit that. I actually bumped it to 12 for a while to completely disable CCK rates including 11 but it got a bit too short range.

My 5Ghz is set to 6 minimum and 6 beacon, mostly because that's what the asus supports via the GUI and saw no reason to script it to force 12. All legacy rates are disabled on that band which is good enough for me.

The impact of "Auto" "N Only" "N/AC Only" and "Legacy" in the asus GUI are very un-intuitive. Setting it to auto with "disable b" will disable CCK rates and sets the basic rates to 6 and 12 (with 6M beacons) until it senses a legacy device then it enables them. Setting it to "N only" sets the 5.5 minimum and beacon rate and keeps 11 as the other basic rate, but it never changes them, that is static. Setting it to legacy enables all rates starting at 1. Similar on the 5ghz band.

For my setup with those draft N devices needing CCK, "N Only" is the best choice. For those without that compatibility problem, auto with "disable B" would probably be the best choice, though a nearby G device could potentially re-enable some rates you don't want randomly.

Basically I really don't need high performance on my 2.4ghz so it isn't really a concern. I think last time I tested it it was pushing about 65-70M on a 144M link rate which is pretty much all you can ask for anyway.

Actually - depending on the SDK involved with Asus - turning off B support breaks things in the WL driver...

I've done a patch for that SDK that fixes things, but that likely won't result in a pull request to upstream, as I don't have the resources to test the fix...

Yeah I think we've had this discussion before. On mine it seems to work as expected (Auto with B disabled) and all my true N devices can connect fine at 6 or 12M basic rate without issue. Maybe it is only an issue on the HND ones. Or maybe that is what causes my old draft N IOTs to not be able to connect, but I far more suspect that issue is related to whatever chip Panasonic was using back in 2011 (Hon Hai electronics is what the MACs come back to, clearly a quality well known wifi chipset maker).