RT-AX86U IoT (guest network) Intranet Question

[W3Wilkes]

Is there a way to enable intranet access on a Guest network that limits it to the Guest network attached devices but does not allow access to my main intranet network?

 

[bennor]

The YazFi add-on script is one option that allows for greater customization of Guest Network WiFi on Asus-Merlin firmware. Note that YazFi doesn't work on AiMesh nodes. It only works on the main router it's installed on.

YazFi - YazFi v4.x - continued

v4.4.4 Updated 2023-11-26 Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to: * Dedicated VPN WiFi networks * Separate subnets for organisation of devices * Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS * Allow guest networks...

www.snbforums.com

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

Much more discussion on YazFi in the Asus-Merlin AddOn's subforum:
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/?prefix_id=13

PS: At the very least, ensure Set AP Isolated isn't enabled on the WiFi advanced settings section.

 

[Tech9]

Is there a way to enable intranet access on a Guest network that limits it to the Guest network attached devices but does not allow access to my main intranet network?

If I understand your question correctly - this is the default setting. If it doesn't work as expected on GN1 (it's different with some quirks), try the same with GN2/3. Devices connected to the Guest Network can communicate to each other, but not with devices connected to the Main Network. No custom scripts needed.

 

[W3Wilkes]

If I understand your question correctly - this is the default setting. If it doesn't work as expected on GN1 (it's different with some quirks), try the same with GN2/3. Devices connected to the Guest Network can communicate to each other, but not with devices connected to the Main Network. No custom scripts needed.

Thanks @Tech9 . This is what I was hoping for. Your reply does raise the question about GN1?? Why would GN1 work any differently than GN2/3?

 

[Tech9]

Why would GN1 work any differently than GN2/3?

Because on your model/firmware GN1 is VLAN isolated network used for GN propagation to nodes. Clients connected there are on a different subnet and from experience it may behave differently. GN2/3 are more common virtual interfaces separated with whatever bridging rules are created, with clients on the same subnet as far as I remember. I also remember you can't have DHCP reservations on GN1, but allowed on GN2/3. If you have no GN propagation to nodes in AiMesh - just use GN2/3. This advice is valid for your model/firmware.

 

[W3Wilkes]

@Tech9 Again, thank you for the explanation. I guess I'll just set up GN2 for my IoT devices and call it good.

 

[Tech9]

Test the result after, but what you describe as requirement must be the default setting. Many people prefer isolated IoT devices because of common security advice found online, but many others just keep the IoT devices on the main network for simplicity and convenience. Decide what is better for your use case. You may find inconvenient controlling your own devices through the cloud, making them Internet service dependent.

 

[W3Wilkes]

Of my IoT devices I think only 1 has local control and access so it has to stay on my "home" network. All others like thermostats, garage doors, sprinkler controller, doorbells, cameras, etc. require going through the device vendor cloud interface anyway so they should be fine on GN2. My FttH ISP connection availability is stellar. The only time it's gone down is in a power failure which happens almost never where I live.

 

[W3Wilkes]

If I understand your question correctly - this is the default setting. If it doesn't work as expected on GN1 (it's different with some quirks), try the same with GN2/3. Devices connected to the Guest Network can communicate to each other, but not with devices connected to the Main Network. No custom scripts needed.

I setup GN2 and moved devices over. The "Access Intranet" is set Disabled. If I connect my PC to the GN2 network I cannot ping other devices on GN2 or my main home network. If I set "Access Intranet" to Enabled I can ping devices on GN2 AND my main home network. What I want is for devices on GN2 to be able to communicate to other devices on GN2 but not have access to devices on my main home network. In Wireless -> Professional "Set AP Isolated" is No. Is there a way to allow GN2 devices ability to communicate with other devices on GN2 but not my main home network. RT-AX86U (not pro).

 

[bennor]

@W3Wilkes, As indicated above, see YazFi if you haven't done so already. It extends the options for Guest Networks. Among it's options is one to enable or disable client isolation on the guest network.

CLIENTISOLATION​

Should Guest Network radio prevent clients from talking to each other? (true/false)

 

[Tech9]

If I connect my PC to the GN2 network I cannot ping other devices on GN2 or my main home network. If I set "Access Intranet" to Enabled I can ping devices on GN2 AND my main home network.

What you describe is a firmware bug then. Is the behavior the same with current stock Asuswrt? If you decide to check and find the same - report it to Asus in Feedback Form.

 

[W3Wilkes]

@W3Wilkes, As indicated above, see YazFi if you haven't done so already. It extends the options for Guest Networks. Among it's options is one to enable or disable client isolation on the guest network.

Pulled the trigger and YazFi pretty much does what I wanted. I tried to make both the 2.4 & 5G network the same so the 5G & 2.4 devices could talk to each other. 2.4 can talk to the 2.4 devices and same for 5G, just can't talk to each other.

 

[W3Wilkes]

What you describe is a firmware bug then. Is the behavior the same with current stock Asuswrt? If you decide to check and find the same - report it to Asus in Feedback Form.

Did the YazFi thing and it pretty much does the job.

 

[Tech9]

Whatever works for you. I have an RT-AX86U and will test stock behavior when I have the time.

 

[bennor]

Pulled the trigger and YazFi pretty much does what I wanted. I tried to make both the 2.4 & 5G network the same so the 5G & 2.4 devices could talk to each other. 2.4 can talk to the 2.4 devices and same for 5G, just can't talk to each other.

If you want YazFi 2.4Ghz clients to communicate with YazFi 5Ghz clients you may need to use the YazFi custom firewall rules option to create IP Table entries to allow that communication.
https://github.com/jackyaz/YazFi?tab=readme-ov-file#custom-firewall-rules

An example of using custom firewall rules:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521

 

[W3Wilkes]

Don't know why... I have Squeezebox Duets and the controllers refused to connect to my regular home 2.4 wifi with YazFi installed and some other devices on the YazFi guest network. Uninstalled YazFi and the Duet controllers connected right up. I'll leave it for the next 3 months as I'll be away from this network.