RT-AX56U - Define LAN port to the guest network?

stonypass

Occasional Visitor
RT-AX56U on Merlin 388.2_2

Is it possible to define one or more LAN ports to the guest network, and leave the others alone?
 
Yes but depending on which chipset it uses, it can either be easy or very difficult. Script required either way.

Far easier to buy a $25 smart switch and do it there, the router sends the guest VLANs tagged out all LAN ports. I posted a tutorial on it a while back.
 
Thanks, I assume this is your tutorial?

How would I determine which chipset I have on my router, and if I have one that setup is easy on is there a post or tutorial for that?
 
Yes, that's the one. You can use that no matter which chipset you have.

If you want to do the script and do it directly on the router, someone here may know off the top of their head what chipset it has, but you can also SSH into it and do "robocfg show". If you get an output, that is the easier chipset, if not, it is the much harder one. I don't think many routers are using the older/easier chipset anymore so I'm guessing probably the latter, in which case just use an external switch, far easier.
 
"Your wired devices will now be in the respective VLAN/subnet and isolated from your main LAN (and also isolated from wireless devices in that same guest network)"

I'm using Firesticks for my TV's on the 5ghz Guest Network, and am adding a hardwired SiliconDust HDHomeRun tuner and Mini PC with Plex Server on it.
Will the Firestick apps be able to control the Tuner and Plex Server being Isolated from each other on the Guest Network?

Don't want to put either on my LAN with my main PC.
 
If they need to talk directly to each other then no, but you can use a pretty simple script to disable the AP/client isolation on that guest network. Actually the setting seems pretty "sticky" so you may even be able to just do it in the CLI and have it be permanent, as long as you never touch the "access intranet" setting in the GUI. A script is probably safer though.

You may want to consider one of the Pro routers with VLANs and advanced guest. Or use Yazfi and have all the guests wireless (won't be able to have a wired port in guest with that). But the above will work if you don't mind toying with the CLI settings or creating a script (along with the external smart switch).
 
As I have two RT-AX56U routers would this work, or is it just extending my LAN on router 1 to router 2?
Router 1, Connect WAN to internet and use a LAN port for my main PC.
Router 2 in AP Mode, Connect WAN to LAN port on Router #1, Firesticks use Wireless (Not Guest) and the HDHomeRun and Plex Server use LAN ports.

Just trying to keep my main PC safe from Firesticks, Kodi, Plex, Security Cams etc.
 
I have two RT-AX56U routers so, would this work?
Router 1, Connect WAN to internet and use a LAN port for my main PC.
Router 2 in AP Mode, Connect WAN to LAN port on Router #1 (port 1 or 4 or does it matter?), Firesticks use Wireless (Not Guest) and the HDHomeRun and Plex Server use LAN.

Or should my main PC be on Router 2 in AP mode and the media devices be on Router 1?
Just trying to keep my main PC safe from Firesticks, Kodi, Plex, Security Cams etc.

Yes, that will work too, but your second router must be router mode, not AP mode (AP mode provides 0 protection). You will give it a different subnet from the main router. So if main router is 192.168.50.1 LAN, your second router would have 192.168.50.2 WAN (well doesn't really matter, you can just let it grab a DHCP 192.168.50.whatever) and 192.168.51.1 LAN (or whatever LAN subnet you want other than 192.168.50.1).

The safest "out of the box" solution with minimal config would be to have your guests on the first router. You can use the main wireless, different SSID from your trusted LAN. Then they are considered "internet" as far as the second router is concerned and the firewall etc protects your main LAN (which is on the second router) from them. Your main LAN would be double NAT'd, but that usually isn't a big deal.

If you want to avoid double NAT, a bit more complex but can all be done via the GUI:

-Trusted devices go on first router that is connected directly to internet. Use main wireless and wired ports.
-Untrusted devices go on second router that has its WAN connected to the LAN of the first router (with the different IP addressing as detailed above), use main wireless with different SSID and wired LAN ports.
-In firewall/network services filter on router 2, turn it on, set it to deny list, and create two rules:
Destination IP 192.168.50.0/24, protocol TCP, leave all others blank, add it
Destination IP 192.168.50.0/24, protocol UDP, leave all others blank, add it and apply
Note 192.168.50.0/24 is the subnet of router 1 LAN, change as needed.

This will block everything except ICMP and some non-standard IP protocols to the main LAN but that is pretty low risk (ping, etc). TCP and UDP are the big ones you need to block. If you really want to block this you can do it in the "filtered ICMP types", but that would also block it to the internet which could be problematic. I wouldn't worry about it, and if you are worried about it, better to use the static route below to address that, that will prevent them from hitting main LAN but can still ping etc to the internet.

As an optional second layer of protection, you can create dummy static routes on router 2. (I guess some might consider this a first layer of protection with the firewall a second). Personally I'd do both, but it is probably overkill. If I had to pick one, I'd go with firewall, but why pick one when you can do both?

First ping one of your trusted devices from an untrusted one, it should work

Now
LAN -> Route Tab
Enable it
Below assumes your main router LAN is 192.168.50.0 with a mask of 255.255.255.0, adjust as needed
You need two routes so that they are more specific (and thus take priority) over the route that will already be in the routing table, so we're splitting the /24 into two /25s
Network/host IP 192.168.50.0, Netmask 255.255.255.128, Gateway 192.168.51.1 (LAN IP of router 2), metric 0, interface LAN, add it
Network/host IP 192.168.50.128, Netmask 255.255.255.128, Gateway 192.168.51.1 (LAN IP of router 2), metric 0, interface LAN, add it
apply

Once it finishes applying, again try pinging the trusted device from untrusted, traceroute to it, etc. Should say destination unreachable. But you can then ping google.com and it will still work. So basically any traffic attempting to hit your main/trusted network (not just pings, all traffic) will just blackhole on router 2, it will never even get there. Probably won't even ever hit your two firewall rules above, but they're there as an extra layer of protection.

Few notes on this static route setup:
-Clients on router 2 will be able to ping router 1's LAN IP still. Not a big deal. They can't ssh or web access it, do DNS to it, etc, as your firewall rules will block that.
-Router 2 itself will be able to ping and do DNS lookups against router 1, again that's fine (and in fact required if you don't change the DNS servers on router 2)
-By default, clients on router 2 will be able to do DNS lookups for clients on main LAN (since they lookup to router 2, and router 2 looks up to router 1), but not really any concern there, they can't actually reach them. See below if you want to block this also.
-Clients on router 2 will pass through an extra DNS "hop" when doing lookups, probably not a big deal but again, see below to change that.
-To avoid that and make it more efficient (and also prevent them from being able to DNS lookup main LAN devices) go change your router 2 WAN DNS to match whatever is in router 1 (probably your ISP's dns servers). Router 2 will now lookup directly to those DNS servers and not to router 1 anymore.
-If you ever did want to allow some traffic between the two, you can do this with port forwarding and/or slightly more complex firewall rules/routes. Not going to detail that here as it doesn't seem like you need or want that.
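The two layers described in this post (the Network Services Filter deny list and the pair of /25 dummy routes) can be checked offline before touching the GUI. The following is an added simulation, not code from the thread or from Asuswrt-Merlin: it models router 2's longest-prefix route lookup and the filter rules and returns the verdict for a packet from an untrusted client. The subnets and router IPs are the ones in the post; the client and trusted-host addresses are constructed. One simplification: the model blackholes 192.168.50.1 along with the rest of the /24, whereas the post observes that router 1's LAN IP stays pingable in practice.

```python
"""Simulation of router 2's isolation policy (added example, not from the thread
or from Asuswrt-Merlin). It models the routing table with longest-prefix match
and the Network Services Filter deny list, so the expected verdict for each
kind of traffic can be checked before changing the GUI."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TRUSTED_LAN = ipaddress.ip_network("192.168.50.0/24")   # router 1 LAN (trusted), per the post
ROUTER1_LAN_IP = ipaddress.ip_address("192.168.50.1")   # router 2's default gateway
ROUTER2_LAN_IP = ipaddress.ip_address("192.168.51.1")   # router 2 LAN (untrusted)
CONNECTED = ipaddress.ip_address("0.0.0.0")             # marker for a directly attached network


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: str


# Routes router 2 already has: the default route plus its two connected networks.
BASE_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), ROUTER1_LAN_IP, "WAN"),
    Route(ipaddress.ip_network("192.168.50.0/24"), CONNECTED, "WAN"),
    Route(ipaddress.ip_network("192.168.51.0/24"), CONNECTED, "LAN"),
]

# The two dummy static routes from the post. Each /25 is more specific than the
# connected /24 on the WAN side, so it wins the lookup, and both point at router 2's
# own LAN IP, so matching packets are swallowed instead of being sent to router 1.
# (The post reports router 1's LAN IP stays pingable in practice; this simplified
# model does not reproduce that corner case.)
BLACKHOLE_ROUTES = [
    Route(ipaddress.ip_network("192.168.50.0/25"), ROUTER2_LAN_IP, "LAN"),
    Route(ipaddress.ip_network("192.168.50.128/25"), ROUTER2_LAN_IP, "LAN"),
]

# Network Services Filter in deny-list mode: the two rules from the post.
DENY_LIST = [(TRUSTED_LAN, "tcp"), (TRUSTED_LAN, "udp")]
NO_ICMP_FILTER: set = set()   # "filtered ICMP packet types" left blank; {0, 8} = echo reply/request


def lookup(dst: str, routes) -> Route:
    """Longest-prefix match: the most specific matching route wins, regardless of order."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen)


def filter_allows(dst: str, proto: str, icmp_type: Optional[int] = None,
                  icmp_filter: set = NO_ICMP_FILTER) -> bool:
    """Deny list drops matching (destination, protocol) pairs; the ICMP filter is
    by type only, so a filtered type is blocked towards the internet as well."""
    if proto == "icmp":
        return icmp_type not in icmp_filter
    addr = ipaddress.ip_address(dst)
    return not any(addr in net and proto == p for net, p in DENY_LIST)


def verdict(dst: str, proto: str, icmp_type: Optional[int] = None,
            static_routes=(), icmp_filter: set = NO_ICMP_FILTER) -> str:
    """Router 2's decision for a packet from an untrusted client: route first, then filter."""
    route = lookup(dst, [*BASE_ROUTES, *static_routes])
    if route.gateway == ROUTER2_LAN_IP:
        return "blackholed"   # dummy route won; the packet never leaves router 2
    if route.interface == "LAN":
        return "local"        # same untrusted subnet; nothing to forward or filter
    if not filter_allows(dst, proto, icmp_type, icmp_filter):
        return "denied"       # a Network Services Filter rule matched
    return "forwarded"


# Constructed sample hosts (not from the thread).
TRUSTED_PC = "192.168.50.77"
INTERNET_HOST = "8.8.8.8"
SIBLING_CLIENT = "192.168.51.20"

if __name__ == "__main__":
    for label, routes in (("firewall only", ()), ("firewall + dummy routes", BLACKHOLE_ROUTES)):
        print(f"{label}:")
        for proto in ("tcp", "udp", "icmp"):
            print(f"  {proto:4} -> trusted PC {TRUSTED_PC}: {verdict(TRUSTED_PC, proto, 8, routes)}")
        print(f"  icmp -> internet {INTERNET_HOST}: {verdict(INTERNET_HOST, 'icmp', 8, routes)}")
    # Filtering types 0 and 8 also blocks ping to the internet, as the post warns.
    print("icmp -> internet with '0 8' filtered:",
          verdict(INTERNET_HOST, "icmp", 8, BLACKHOLE_ROUTES, icmp_filter={0, 8}))
```

Running it shows the difference between the two layers: with the firewall alone, TCP and UDP to the trusted PC are denied but ICMP echo is forwarded; with the dummy routes added, everything destined for the trusted /24 is blackholed while internet traffic, including ping, still goes out the default route.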
 
One other option too is if you have an ISP router in the path, you can just have your untrusted stuff connect to that, then hang one asus off that for your trusted stuff. Basically same as the "easier" option I just posted but you utilize an otherwise underutilized ISP router. Still have double NAT for your trusted devices in that case though.
 
Thanks very much for all the info.

The ISP router is a Starlink V2 in Passthrough Mode and then ethernet to my Asus network, no wireless possible on the Starlink in Passthrough.
The Asus has better range to my cameras, so I want it for wireless to untrusted clients.
Will implement your second solution without the double nat.
 
Ok let us know if it works as expected, some of that is from memory, but I believe it is all correct. Then we can just refer people to this post as it gets asked from time to time and I'm not writing it again 😆
 
Seems to be working great.
Trusted clients on Router 1 are isolated from Non Trusted on Router 2, and those can see each other from LAN Ports / WiFi.

Can't ping Google.com from Router 2 Clients, but performance seems fine otherwise.
Ipconfig /all from Router 1 Client shows DNS is the LAN IP of Router 1 (192.168.50.1) which seems odd as it's set to obtain from ISP (Currently Verizon) in the GUI.
Tried setting Router 2 DNS to 192.158.50.1 and also to 8.8.8.8 with no change.

Could be my test setup: Android phone with Visible Sim, PdaNet USB Tether to Windows 11 Mini PC, Connectify Sharing Internet out Ethernet to Router 1.
Will be on Starlink as soon as the Ethernet adapter I have on order arrives, so DNS might react differently then.
 
Router 1
WAN DNS should be set to automatic, it will get your ISP's DNS servers. Copy those down for use on router 2. You can specify different DNS servers here too if you want but usually the ISP ones are the best, unless you want to use one of the filtering DNS servers (adguard, cleanbrowsing, quad9, etc).
LAN DHCP - DNS servers should be blank. While you're in there, make sure 192.168.50.2 is not part of the DHCP range. I forget what the default is but have it start at like 50. The checkbox for "advertise router IP" can be checked or unchecked, doesn't matter in this configuration, it won't have any impact.

Router 2
WAN I would set to static IP
IP address 192.168.50.2
Gateway 192.168.50.1
DNS - enter your ISP DNS servers you copied down here. Alternatively, if you want to be more strict on this one, you can use something like cleanbrowsing or quad9 to block these more "risky" devices from being able to reach malicious sites.
Note the above can also be accomplished using a DHCP reservation on router 1 and leaving router 2 at automatic, but that only lets you assign one DNS server that way, personally I'd rather have network devices using static IPs and not relying on DHCP anyway, and it is more flexible.
LAN DHCP - DNS servers should be blank. The default range is fine unless you want to reserve some for static IPs or something, but that's better done through DHCP reservations anyway.

Router 1 clients should get 192.168.50.1 as their DNS server, this is normal, the router acts as a DHCP proxy so that it can respond to queries for local hosts (which your ISP DNS can't). It knows to forward internet stuff to the ISP DNS.

Router 2 clients should get 192.168.51.1 (or whatever you set the router LAN IP to) as their DNS for the same reason.

It is possible to override this behavior but typically there is no reason to and it can cause problems.

On router 2, if you left Network Services Filter "filtered ICMP packet types" blank, clients should be able to ping 192.168.50.1 and probably 192.168.50.2 but nothing else in that range. They should also be able to ping and traceroute to anything on the internet. If you put something like "0 8" in this field that will block all pings to anything except 192.168.51.x (local stuff) and traceroutes as well.

If you're using the static route option and want clients to be able to ping, it is safe to leave the filtered ICMP types blank since they won't be able to ping anything on your main LAN other than the router IP which is fine (and often necessary for troubleshooting).
 
Ok, set Router 2 to static IP 192.168.50.2 and Gateway 192.168.50.1

WAN DNS on Router 1 is set to automatic, but I can't see where to get the DNS IPs that my ISP is assigning.
Network Map, Internet Status shows WAN IP of 192.168.70.77, clicking on that box then shows a panel to the right and a DNS of 192.168.70.1 and gateway is the same.
Where do I go to see both DNS servers from my ISP?
 
So your ISP device is a router. 192.168 is a private IP, so technically your first router is in double nat and your second router is in triple NAT. Not something to be too worried about, just be aware that likely is not in "passthrough" mode (though not exactly sure what that means on Starlink, maybe they are handing out private IPs and then NAT'ing at an aggregation point).

192.168.70.1 is your ISP DNS (again, probably their device acting as a DNS proxy, just like the Asus does).

If their router can't be placed into true bridge mode to where you're getting a public IP on Router 1, see if their device lets you configure router 1 as a DMZ host. That's the next best thing. While in there you can also see what their router has for "real" DNS servers and put those into both Asus if you want, to eliminate an unnecessary DNS hop.

In reality it doesn't make a huge difference, less DNS hops is better to a certain extent but most would not notice the difference, you can put 192.168.70.1 into router 2 or like I said, use cleanbrowsing or quad9 to give a bit of protection (they're generally about the same, when I used one briefly I went with cleanbrowsing as it had better latency and response time for me, but for you may be the other way around). Technically you could even put 192.168.50.1 in Router 2 but now you're hopping through 3 DNS proxies before even hitting the internet, so that's a bit excessive.
 
The DNS weirdness was due to my test setup using a Verizon tethered phone for an internet source.

With Starlink in Passthrough, Router 1 was assigned 1.1.1.1 and 8.8.8.8 for WAN DNS servers, input the same into Router 2.
Thanks again for all the assistance.
 
Two router setup works great for non trusted clients, but I'm having some issues with my Plex Server on router 2 working remotely.

Enabled port forwarding on Router 2 for the Public and Private IP's / Ports shown in plex remote access settings.
If I disable/enable Plex Remote, it says "fully accessible outside your network" but then goes red after a short time.
canyouseeme.org says it can't see port 32400 with my public IP.

Enabled port forwarding on Router 1 for the WAN IP of Router 2 and now Plex remote access stays green for a bit longer, but still eventually says it's not accessible outside my network.
Interestingly the Plex app on my phone connects using cell data as does the Firestick in my RV using the phone's internet, but both are really slow to connect.

Is Port Forwarding on Router 1 a security risk, since it's only for Router 2's WAN IP?
Router 2 is using the same DNS server as router 1 so I should have avoided a double nat.

Any suggestions to make remote access of Plex on Router 2 work better, while preserving security are appreciated.
 
If your plex server is behind router 2 and you need inbound traffic to it, you need port forwarding configured on both routers. Router 1 to router 2 WAN, and router 2 to plex. Whether the plex server will "like" that double NAT I don't know, but usually not a problem.

You also have the option of putting router 2's WAN as the DMZ of router 1 (a bit less secure but should be ok) so you only have to configure the port forwarding on router 2. You could even take that a step further and enable uPNP on router 2 (assuming the plex server uses uPNP). uPNP I wouldn't want though, static port mappings are more secure (and uPNP isn't the most reliable, in fact it could actually be interfering, that may be what is timing out your connections).

If you know exactly what port you need and you don't need uPNP for game consoles or anything, I'd disable uPNP on both routers, and just configure a static mapping on both. Make sure you don't have any port trigger rules etc either as that could interfere and should not be needed.
 
Plex server is behind router 2 and uPNP can be used for auto remote server configuration, I had it on for testing but it's off now.

I set up port forwarding on both routers, and remote apps now connect and work fine even though the initial connection takes 15-20 seconds.
Interesting as both the Plex Remote interface shows disconnected, and canyouseeme.org shows the remote port isn't publicly visible.

So, no security concerns with Port Forwarding on Router 1 (my private lan), and I assume there isn't any one public port that's inherently safer than others?
Also, doesn't having Router 2's DNS servers set to the same ones Starlink assigns Router 1 avoid a Double Nat?
 
