What's new

New ISP router - has no Guest function - looking for suggestions

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

layw

New Around Here
First post.. for the longest time I had ran the previous ISP router in bridge mode and did all the work from a AC68U (DHCP, WiFi and Guest WiFi)

I have switched speeds and my provider has now switch to CGM4981 router. To take advantage of the speed increase I could eliminate the AC68U and use the WiFi from the CGM4981.
The problem is and confirmed by talking with the ISP tech support there is no "guest" WiFi option

In the past my home setup was very simple - just a few connected devices that I would connect to the guest WiFi (TV and Firestick) having these isolated away from my LAN (NAS drive and laptop)

We will be adding camera's soon which I wish to isolate as well.

Now that a guest network is no longer I could put the CGM4981 into bridge but the AC68U is a bit long in the tooth in comparison.
Could I run the CGM4981 as is and connect the AC68U WAN port to a LAN port on the ISP router and use the 2.4 channel in WiFI and Guest.

Or is the suggested solution involve different hardware or configuration (VLAN? which I know of but never used and would need to learn)

Suggestions? - (or am I just over thinking things)
 
With the ASUS gear I've used, it's possible to put the router into "AP-only" mode so that it just acts as a wireless AP, no routing or DHCP functionality. Running that downstream of your new ISP modem should work as a stopgap solution.

It's generally recommended to use a separate VLAN for security cameras, so if you are headed in that direction you will eventually need VLAN-aware switch(es) and should probably also switch out the AC68U in favor of AP(s) that can associate the guest SSID with a separate VLAN. But you don't need to spring for all that right away.

Are you in a hurry to upgrade the AC68U to get better wifi performance? If so, what are you concerned about --- speed, coverage, both?
 
Thank you..

No hurry on the AC68U at this point - coverage is pretty good (but could be improved upon) faster WiFi speed from the ASUS in AP mode would be nice as my new laptop and any new devices can take advantage of that.
I read that it has reached the end of support - but then if set as a "AP" that really isn't an issue.. when I replace it I'd would want something that can take 3rd party as I have been using Merlin for a while. I'm not stuck on ASUS but I just scratch my head when looking at all the choices out in the market.

With limited knowledge of implementation - would the ISP router feed a configured managed switch with a VLAN/AP combination for the cameras and another VLAN/AP for "guest"?
As well I would prefer to have my LAN (home office stuff) behind something that I control (and have up to date) - so another router behind the ISP router (not sure if this is making things overly complex)

What to look for when looking at AP's ?
 
I want to know that how can someone isolate devices like cameras and Firestick on a guest network, given that my new router (CGM4981) doesn’t support guest WiFi, and my old AC68U might not keep up with newer speeds? Should I try VLANs or use a different setup?

Have you considered using your AC68U in a “piggy-back” topology?

I do this with (1) AX-3000 that is piggy-backed to an AX-88U. With proper Network Services Filters on the AX-3000, it is possible to isolate all AX-3000 clients from all AX-88U clients.

I’m not going to explain the detail of how to set that up in this post. But I will give you a quick outline. If you study this outline carefully, you will see that you can make your AC68U connect to your CGM4981 router and act as it’s own LAN while using the gateway (internet access) of your CGM4981 router.
  1. Assign a different LAN subnet for your AC68U than your CGM4981 router
    1. e.g. CGM4981 router: 192.168.1.1; Subnet Mask: 255.255.255.0
    2. e.g. AC68U router: 192.168.77.1: Subnet Mask: 255.255.255.0
  2. CGM4981 router: reserve a DHCP IP address (static IP) which will be used for your AC68U router connection.
    1. e.g. 192.168.1.200
    2. Make sure you have properly declared the start and end IP address for your DHCP service on your CGM4981 router (e.g. 192.168.1.2 through 192.168.1.199), and make sure your static IP for your AC68U is outside that address range (192.168.1.200).
  3. In the WAN section of your AC68U (NOT LAN), assign the static IP (NOT DHCP) – the one you assigned in your CGM4981 router
    1. e.g. 192.168.1.200
    2. Subnet Mask: 255.255.255.0
    3. DNS: 192.168.1.1 (uses DNS from your CGM4981)
    4. Gateway: 192.168.1.1 (uses the gateway from your CGM4981)
  4. Connect your AC68U WAN port to your CGM4981 router LAN port by ethernet cable.
  5. Now, you should have WiFi from 2 different routers, each on different subnets. Each can have their own SSIDs (2.4Ghz and 5Ghz). So, in total, you will have 4 SSIDs: 2 from your CGM4981 router, and 2 from your AC68U. But, you will also see that clients from your AC68U LAN (wired or wireless) can access clients connected to your CGM4981 router. To isolate your AC68U clients from your CGM4981, use the “Network Services Filter” on your AC68U (in the firewall menu). Construct a “DENY” list as follows:
    1. Firewall - Network Service Filter [ENABLED]
      1. Deny List
        1. Destination IP: [192.168.1.*] Protocol: [TCP]
        2. Destination IP: [192.168.1.*] Protocol: [UDP]
    2. This deny list will stop any client connected to your AC68U router: 192.168.77.X subnet from being able to connect to any device on your 192.168.1.x subnet controlled by your CGM4981 router.
This topology solves your guest LAN (wired or wireless) issue.

Your security cameras are another story. More times than not, I see users trying to deploy surveillance cameras without thinking the network implications through. You MUST start asking yourself these questions:
  1. What are you going to use as an NVR (Network Video Recorder)?
  2. Does the NVR have addressable ports by IP and subnet? Good ones do, cheap ones don’t?
  3. Are your cameras WiFi or hard wired (ethernet cable)?
  4. Are your cameras POE?
  5. What level of AI is in your cameras?
    1. Motion only?
    2. Human & vehicle?
  6. Can your cameras locally record on an SD card?
    1. 128 gb
    2. 256 gb
  7. What is the resolution of your cameras?
    1. Are they sufficient for facial recognition by your police? (typically 500 or more pix per square foot).
  8. How do you intent to monitor your cameras?
  9. How do you intent to receive notifications?
 
First post.. for the longest time I had ran the previous ISP router in bridge mode and did all the work from a AC68U (DHCP, WiFi and Guest WiFi)

I have switched speeds and my provider has now switch to CGM4981 router. To take advantage of the speed increase I could eliminate the AC68U and use the WiFi from the CGM4981.
The problem is and confirmed by talking with the ISP tech support there is no "guest" WiFi option

Who is the provider that is supplying the modem?

Cox has this one, and they support multiple profiles... and here you can create a psuedo-guest network by creating a new profle, and assign devices to that profile.

Catch here is that it has to be done on the mobile app that they provide...


scroll down to profiles, and it'll take you step by step thru the process

Comcast should be similar, given that they align their requirements very closely...
 
Sfx2000

The provider is Rogers Communications here in Canada.. as previously mentioned I had talked to their tech support regarding guest function - no success
There was no suggestion about using “profile “ I’ll open the app and see what I see

I’ll also go thru degrub’s link in more detail

Thank you all
 
The provider is Rogers Communications here in Canada

See this:


Newer is not always better. Older Hitron gateways had Guest Network with captive portal.
 
You have to use it in double NAT with firewall rules restricting access to upstream network.
 
Would using a 'piggy-back' setup with different LAN subnets and configuring firewall filters on the AC68U be a good way to keep devices on the AC68U isolated from those on the CGM4981?
YES. It is one way to do what you want. Is it the best? Perhaps, given your current equipment.

I have such a setup in service now and has been working without issue for more than 2 years.
 
As I'm newly retired the project list is long and this has been on the shelf for a bit ..

degrub,
I'll look at VLAN and see how that can fit into what I have once I get a better understanding as to what I think I need or want to accomplish.

TGL,
I have put the AC68U into AP mode but realize that all channels on the AP are not separate

sfx2000,
I briefly looked at profiles and will set one up and see how this works - I think this is simular to setting a DMZ and having the AC68U not in double NAT (in my limited understanding) in the short term this would be a good thing (I think) in the long term one the AC68U is no longer supported I'd need to figure out a replacement.

Tech9,
Yes, new is not always better though in this case new is much faster than AC68U specifically WiFi.

PunchCardBoss,
Wondering if I run the AC68U in router mode (not as AP) in piggyback once it is no longer updated how is this from a security perspective?

Thank you all for your time..
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top