RT-AC68u - access point mode question

[claykin]

If this router is set to access point mode, do the guest network features still work the same? In particular the ability to restrict access to the LAN (Intranet, as Asus calls it) for one of the secondary SSIDs?

The Netgear R7000 does what all previous Netgear routers have done when set to AP mode. They grey out the LAN access option so all clients (even Guest) have unfettered access to the subnet.

 

[claykin]

102 views and no reply. Seriously, no one is using their 68U in AP mode and can answer this question?

 

[L&LD]

Why don't you simply use it in router mode then?

Main Router LAN IP: 192.168.1.1

2nd Router WAN IP: 192.168.1.2 (I would set this as static in this router).

2nd Router LAN IP: 192.168.2.1


This way; you have all the benefits of being in Router mode.

 

[cdikland]

Why don't you simply use it in router mode then?

Main Router LAN IP: 192.168.1.1

2nd Router WAN IP: 192.168.1.2 (I would set this as static in this router).

2nd Router LAN IP: 192.168.2.1


This way; you have all the benefits of being in Router mode.

Does the above restrict all clients connected to the 2nd router from accessing resources on the 1st router??

 

[Ford Prefect]

Does the above restrict all clients connected to the 2nd router from accessing resources on the 1st router??

No IMHO it won't.
Even a guest on 2nd Router will be able to access the network on the 1st router.
You'll need a VLAN going from LAN/WLAN of 2nd Router to WAN-Side of the 1st router
in order to separate the networks.
Best next thing is add a port-forwarding rule for all IP traffic from WAN-2nd-router/guests-2nd-router to WAN-IP-1st-router.

Also, since the 2nd Router runs a FW and NAT table, this will prevent clients (guest or not)
on the 1st router to access clients on the LAN/WLAN of the 2nd router.

 

[cdikland]

Best next thing is add a port-forwarding rule for all IP traffic from WAN-2nd-router/guests-2nd-router to WAN-IP-1st-router.

Could you elaborate please??( i.e. examples)

 

[Ford Prefect]

Could you elaborate please??( i.e. examples)

I actually don't know *how* guests are handled inside the ASUS.
Maybe there is a vlan-tag already.

To restrict clients from 2nd router to Internet access on 1st-router only, I think you
need two forwarding rules:

[striketrough]....... [/strikethrough]

Edit2: errr..I think this is complete BS ...forwarding will not work that way here.
Best is to find out how guests get separated in router mode first, than think of a solution

...sorry for any confusion or inconvenience.

 

[starfall]

I posted this in a different thread, but maybe useful to you here -

Actually you can make it work with Asuswrt-Merlin (I tested this on a RT-AC68U and RT-AC56U). As the guess access separation is handled by ebtables, you need to put the following ebtables config into your secondary AP -

ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT

Where xx:xx:xx:xx:xx:xx is the MAC address of the primary router's LAN interface (br0).

In short, this will allow the secondary AP guest networks to send broadcast traffic to your LAN for ARP and DHCP, and it will allow your router's LAN interface to communicate with guest users on your AP. By inserting the rules at the front of the FORWARD chain, the traffic will be allowed before it hits the DROP rules that does the guest separation -

-i wl0.1 -j DROP
-o wl0.1 -j DROP
-i wl1.1 -j DROP
-o wl1.1 -j DROP