RT-AC86U Guest 2.4GHz network drops/refuses connections almost daily.

Netachi

Hello. I have an Asus RT-AC86U running Asus Merlin firmware 386.12. It is currently running in access point mode (the main router is upstairs; this one is just an AP for downstairs) and I have run into a weird issue that has been ongoing.

I utilize a 2.4GHz guest network for all my Internet of Things devices such as lights, the garage, and Google Home systems et cetera. I transitioned from an RT-AC66U in this same scenario and never had any issues; however, I thought since that router was meeting end of life and Merlin support, I would upgrade to the AC86U and that should be good for some time moving forward. The issue I'm running into is that every other day or even every few hours all the devices on the guest network will not be able to connect to the RT-AC86U and I can’t use them. The router is still broadcasting the guest network; however, when I try to connect to the network even my phone is refused connection and will say connection failed.

After doing some research it seemed initially that there was some discussion not to use slot 1 under the guest network section under 2.4GHz as there were various issues arising with that. I’ve tried moving the network from slot 1, 2, and 3 with the same issue arising. To remedy the issue for a while, I then have to reboot the router and then the guest network will work for a little while, but the issue will always arise again. As a small workaround I then had to schedule the router to reboot every night, but the issue is becoming more and more frequent. What strikes me as weird however is that the regular 2.4 gigahertz network as well as 5 gigahertz networks on the same device seem to function fine without issue and I've never run into this issue. I'm trying to isolate and see what could really cause this issue and whether anyone has seen this before. As you know many of the Internet of Things devices only support 2.4GHz. I would also rather they not be on my main network hence why I’m using the guest network. Any tips or advice is appreciated.
 
Although not directly related to your problem you must realise that when using access point mode the "guest networks" are not isolated from your main LAN. Apart from offering additional SSIDs they are exactly the same as the regular Wi-Fi networks. The only way to have an isolated guest network on the AC86U would be to configure it as an AiMesh node (with the main router being an AiMesh master) and use "slot" 1.

You said the AC86U is the access point with the main router being upstairs. What make/model is this main router?
 
Some food for thought for me. The router upstairs is also an RT-AC86U running Merlin firmware. That one however is in full router mode. They are connected via Ethernet cable.
 
Unfortunately, it sounds like the 2.4GHz radio is failing on your RT-AC86U. I've experienced the same thing. If it's still under warranty, contact Asus. Otherwise purchase a new router.
 
Thanks for the info. I had thought since the regular 2.4GHz was working fine it couldn't be the radio. Will look into warranty then. I bought it new last year so would suck to have to trash it and buy another router. It seems this router has some type of design issue if this is a common issue.
 
Have you tried downgrading to 386.11, and preferably doing a WPS reset? (If you're in no hurry, maybe run a day and see if the issue pops up again before you do the WPS reset.)

There are a lot of claims of failing radios on the AC86U, but the truth is that it has a history of instability due to firmware bugs and piss poor QA from Asus.

When it works, it works very well, so you just have to be very mindful of bugs popping up after firmware upgrades. And version 386.12 is fairly new.
 
Thanks for the info. I had thought since the regular 2.4GHz was working fine it couldn't be the radio. Will look into warranty then. I bought it new last year so would suck to have to trash it and buy another router. It seems this router has some type of design issue if this is a common issue.

If only the guest is having the issue, seems less likely to be the radio (possible, but would be odd). Did it start after upgrading to 386.12? If so I'd drop back down to 11. In fact, if you want your guest networks to be isolated, drop the latest factory firmware on it, factory reset, and make it AiMesh. That will make guest network 1 be isolated across both devices.
 
I would also rather they not be on my main network hence why I’m using the guest network. Any tips or advice is appreciated.
In fact, if you want your guest networks to be isolated, drop the latest factory firmware on it, factory reset, and make it AiMesh. That will make guest network 1 be isolated across both devices.
I think you are referring to VLAN separation between the main network and the guest network here?

This is currently not possible in Asus firmware unless you use Merlin with the YazFi plugin.

However, it should be mentioned that YazFi has a limitation in that it is not possible to create VLAN "integration" between the 2.4GHz and 5GHz bands on more than one SSID - the main network SSID.

In other words, if you set up the router with a default/main SSID called "My Wifi", devices can connect to it via 2.4GHz or 5GHz and still be able to see each other on the network.

But when you create another VLAN with YazFi and give it an SSID name called, let's say "My Guest wifi", while you can create a "My Guest Wifi" SSID on both the 2.4GHz band and the 5GHz band, devices (let's say a 2.4GHz Chromecast and a 5GHz smartphone) will not be able to see each other because they are on separate VLANs - one on "My wifi guest 2.4ghz" and the other on "My guest wifi 5ghz".

For your situation, that might be fine since it's only for IoT where speed is not an issue so that they can all just use 2.4GHz anyway, but in said Chromecast & smartphone example, you lose the ability for devices to be able to roam between the 2.4GHz and 5GHz bands in order to obtain the optimal speed and range as you move around the building.
 
I think you are referring to VLAN separation between the main network and the guest network here?

This is currently not possible in Asus firmware unless you use Merlin with the YazFi plugin.
Propagation of guest networks to AiMesh nodes (using VLANs) has been present in stock and Merlin's firmware for a few years now without the need for third-party scripts. IIRC it came in with AiMesh 2.0 in 2020.

 
Have you tried downgrading to 386.11, and preferably doing a WPS reset? (If you're in no hurry, maybe run a day and see if the issue pops up again before you do the WPS reset.)

There are a lot of claims of failing radios on the AC86U, but the truth is that it has a history of instability due to firmware bugs and piss poor QA from Asus.

When it works, it works very well, so you just have to be very mindful of bugs popping up after firmware upgrades. And version 386.12 is fairly new.
Thanks for this info. I will try a factory reset. Can the WPS reset be done on Merlin firmware as well or do I need to be on stock Asus firmware to try that? I upgraded from 386.11 which was having the issue to 386.12 yesterday. So issue was present on 386.11.
 
There are a lot of claims of failing radios on the AC86U

I used to fix those with a hot air station, temporarily. They fail again afterwards without IC re-balling. No firmware fix for hardware issues. This first Asus HND router is full of issues and I recommend replacing it or at least having some spare router. It's not about if it will fail, but when. Unreliable model.

But when you create another VLAN with YazFi

YazFi doesn't use VLANs.
 
I think you are referring to VLAN separation between the main network and the guest network here?

This is currently not possible in Asus firmware unless you use Merlin with the YazFi plugin.

You're totally backwards. If you use stock firmware 386.x or later, it creates VLANs and separates guest wireless 1, and propagates those VLANs to the nodes if you use AIMESH (and have access intranet disabled).

Yazfi does NOT use VLANS and cannot propagate isolation (or anything for that matter) to nodes.

On 100% stock firmware, with GW1 enabled, and access intranet disabled, this is what it creates:
VLAN 501 - 2.4ghz guest - 192.168.101.0/24
VLAN 502 - 5ghz guest - 192.168.102.0/24
VLAN 503 - 5ghz-2 guest - 192.168.103.0/24 (only if you have a tri-band router)

VLAN 1 remains your main LAN.

Those VLANs will propagate via an 802.1Q trunk (whether wired or wireless) to aimesh nodes, as long as you have the guest set to propagate. Your guest network will be totally isolated across all devices.
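
One way to confirm the VLAN layout described in the post above from frames captured on the AiMesh backhaul (an added example, not code from the thread or from the Asus firmware). Treating untagged frames as VLAN 1, the 192.168.1.x main-LAN addresses and all sample frames are constructed assumptions.

```python
import ipaddress
import struct

# VLAN-to-subnet mapping as listed in the post above (stock firmware, guest
# network 1, "access intranet" disabled).
GUEST_VLANS = {
    501: ipaddress.ip_network("192.168.101.0/24"),  # 2.4GHz guest
    502: ipaddress.ip_network("192.168.102.0/24"),  # 5GHz guest
    503: ipaddress.ip_network("192.168.103.0/24"),  # 5GHz-2 guest (tri-band)
}


def parse_frame(frame):
    """Return (vlan_id, src_ip, dst_ip) for an IPv4 frame, or None."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = 1, 14  # assumption: untagged frames belong to VLAN 1
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18  # VLAN ID is the low 12 bits of the TCI
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return None  # not IPv4, or truncated IP header
    src = ipaddress.ip_address(frame[offset + 12:offset + 16])
    dst = ipaddress.ip_address(frame[offset + 16:offset + 20])
    return vlan, src, dst


def find_mismatches(frames):
    """List frames where a guest-subnet address appears on the wrong VLAN."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan, src, dst = parsed
        for vid, net in GUEST_VLANS.items():
            if vlan != vid and (src in net or dst in net):
                findings.append((vlan, str(src), str(dst)))
                break
    return findings


def build_frame(vlan, src, dst):
    """Construct a minimal sample frame (test data, not a real capture)."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     *(ipaddress.ip_address(a).packed for a in (src, dst)))
    return macs + tag + struct.pack("!H", 0x0800) + ip


SAMPLE = [  # constructed frames
    build_frame(501, "192.168.101.23", "8.8.8.8"),        # guest on its VLAN
    build_frame(None, "192.168.1.10", "192.168.1.20"),    # main LAN, untagged
    build_frame(None, "192.168.101.23", "192.168.1.20"),  # guest address untagged
    build_frame(502, "192.168.102.7", "192.168.101.23"),  # cross-guest traffic
]
```

Calling `find_mismatches(SAMPLE)` reports the last two frames: a guest address seen outside its VLAN is the sign that the segmentation is not in effect on that link.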
 
So, just to clarify and elaborate on my perhaps somewhat imprecise or even technically inaccurate/inadequate description, my point was to convey the following, and I'll try and explain it as straightforwardly as possible:

1. The challenge
- The stock firmware and Merlin allow for 1 main network, and 1 guest network with separate SSIDs and passwords, where the clients on the Main SSID can see each other and communicate, which is available through the whole AiMesh network and all its nodes. You can create another 1-2 guest networks which are only available on the main router, not the AiMesh nodes.

- The Guest network, by default, has no VLAN functionality, meaning that none of the clients can see each other - they are isolated and can only access the internet, not the other devices on "Guest SSID". Which is often a problem in an IoT setup because the devices need to communicate with a hub/bridge of some sort (Homekit, Aqara, Philips Hue, Ikea etc.)

- You can enable "access to intranet" on the Guest SSID, which will then mesh together the Main SSID and Guest SSID to one VLAN. But this sort of contradicts the point, which is commonly that you want the devices on the Main and Guest SSID to be separate from each other, but able to see only devices on each separate SSID - you want it where Guest clients can communicate with each other, and Main clients can communicate with each other, but no criss-cross.

2. YazFi - the solution?
- YazFi can help this by creating a separate Guest SSID VLAN where clients there can see each other, but not the devices on Main SSID. HOWEVER, it can only create one VLAN per band (2.4GHz or 5GHz), and so you lose the ability for a Guest SSID-VLAN where clients can roam freely between 2.4GHz (range) and 5GHz (speed) as necessary.

- As far as I remember, it also cannot propagate a separate VLAN throughout AiMesh nodes, so you are limited to a Guest SSID VLAN on only 2.4GHz, which is only available when you connect to the main router, not an AiMesh node. If you create a Guest network.

So, my main point was - it can work for you if that's what you need - a separate VLAN for all the IoT devices in your house if they can connect to the main router. But it is less ideal for other use-cases, such as setting up VLANs in an apartment complex where you run AiMesh and don't want the devices in each apartment to see each other, for example (annoying because of Chromecast for example, which broadcasts what the others are watching and gives all the other devices on the network the ability to cast to and access the playback controls of other Chromecast units).

The last scenario may cause you to waste a lot of hope, time and empty promises to others that YazFi can solve your issues, because it is not clearly enough stated in the documentation. Don't ask me how I know....

I know that there is supposed to be some new VLAN functionality in the new Pro routers (AX86 Pro, for example). That might make the above possible without YazFi and throughout the Aimesh network. Maybe somebody can shed some more light on this...
 
I don't think you understand what VLANs are. VLANs separate networks, not join them together. With access intranet disabled, guest 1 is in VLANs. With it enabled there are no VLANs. This is on stock firmware. With Yazfi there are no VLANs, just router interfaces and firewall rules between them.

Guest 2 and 3 never have VLANs, if you disable intranet access they just use ebtables firewall rules to block access to the main LAN (on stock) or iptables on Yazfi.

Separately there is AP isolation (Yazfi calls it client isolation). This prevents clients on the same SSID from seeing each other. On stock, that is always enabled on guests when intranet access is disabled, only way to disable it is with a script. With Yazfi you can disable it in the GUI.

On stock, guest 2 and 3 also seem to have some sort of broadcast or ARP filtering even if you manually disable AP isolation. Noticed the behavior when playing with it, but didn't do much digging to find where it is done, seems to be in the firmware somewhere and not in iptables or ebtables. So this means even if you create firewall rules to allow guest 2 or 3 to talk to the LAN or another guest, it won't work without static ARP entries on both devices. So you have to actually enable access intranet then create firewall rules (and optionally enable AP isolation) to create the segmentation you want. In that case probably easier to use Yazfi when you have more than one guest network that needs access to other guests or the LAN.
 
So, just to clarify and elaborate on my perhaps somewhat imprecise or even technically inaccurate/inadequate description, my point was to convey the following, and I'll try and explain it as straightforwardly as possible:
I think the confusion is coming from your incorrect use of the term VLAN. The things you're describing are not VLANs. AiMesh does use VLANs but only for Guest Network Index #1 when Access Intranet is disabled. Everything else, including everything that YazFi does, are not VLANs.

There was (still is?) an issue that you alluded to whereby setting Access Intranet to disabled on the guest network also activated AP Isolation for that SSID. I don't know whether that has been fixed.

EDIT: @drinkingbird beat me to it. :D
 
There was (still is?) an issue that you alluded to whereby setting Access Intranet to disabled on the guest network also activated AP Isolation for that SSID. I don't know whether that has been fixed.

Still does it, but I'm assuming it is by design, wifi hotspots all use isolation so I'm assuming they're mirroring that functionality. Typically it is desirable to have clients isolated from each other on a guest (until IOTs came into the picture).

On top of that there is some sort of ARP/broadcast filtering between guest 2/3 and main LAN even with AP isolation manually disabled via CLI. That's one I haven't had the time to dig into and figure out, it seems to be implemented in the code somewhere and not via some NVRAM variable or firewall rule. So the network where I want to have a few custom firewall rules to allow communication to main LAN printer etc I just use GW1 for that. Can be done via GW2 and 3 but much more convoluted.
 
