RT-AX86U IoT (guest network) Intranet Question

[W3Wilkes]

Is there a way to enable intranet access on a Guest network that limits it to the Guest network attached devices but does not allow access to my main intranet network?

 

[bennor]

The YazFi add-on script is one option that allows for greater customization of Guest Network WiFi on Asus-Merlin firmware. Note that YazFi doesn't work on AiMesh nodes. It only works on the main router it's installed on.

YazFi - YazFi v4.x - continued

v4.4.4 Updated 2023-11-26 Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to: * Dedicated VPN WiFi networks * Separate subnets for organisation of devices * Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS * Allow guest networks...

www.snbforums.com

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

Much more discussion on YazFi in the Asus-Merlin AddOn's subforum:
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/?prefix_id=13

PS: At the very least, ensure Set AP Isolated isn't enabled on the WiFi advanced settings section.

 

[Tech9]

Is there a way to enable intranet access on a Guest network that limits it to the Guest network attached devices but does not allow access to my main intranet network?

If I understand your question correctly - this is the default setting. If it doesn't work as expected on GN1 (it's different with some quirks), try the same with GN2/3. Devices connected to the Guest Network can communicate to each other, but not with devices connected to the Main Network. No custom scripts needed.

 

[W3Wilkes]

If I understand your question correctly - this is the default setting. If it doesn't work as expected on GN1 (it's different with some quirks), try the same with GN2/3. Devices connected to the Guest Network can communicate to each other, but not with devices connected to the Main Network. No custom scripts needed.

Thanks @Tech9 . This is what I was hoping for. Your reply does raise the question about GN1?? Why would GN1 work any differently than GN2/3?

 

[Tech9]

Why would GN1 work any differently than GN2/3?

Because on your model/firmware GN1 is VLAN isolated network used for GN propagation to nodes. Clients connected there are on a different subnet and from experience it may behave differently. GN2/3 are more common virtual interfaces separated with whatever bridging rules are created, with clients on the same subnet as far as I remember. I also remember you can't have DHCP reservations on GN1, but allowed on GN2/3. If you have no GN propagation to nodes in AiMesh - just use GN2/3. This advice is valid for your model/firmware.

 

[W3Wilkes]

@Tech9 Again, thank you for the explanation. I guess I'll just set up GN2 for my IoT devices and call it good.

 

[Tech9]

Test the result after, but what you describe as requirement must be the default setting. Many people prefer isolated IoT devices because of common security advice found online, but many others just keep the IoT devices on the main network for simplicity and convenience. Decide what is better for your use case. You may find inconvenient controlling your own devices through the cloud, making them Internet service dependent.

 

[W3Wilkes]

Of my IoT devices I think only 1 has local control and access so it has to stay on my "home" network. All others like thermostats, garage doors, sprinkler controller, doorbells, cameras, etc. require going through the device vendor cloud interface anyway so they should be fine on GN2. My FttH ISP connection availability is stellar. The only time it's gone down is in a power failure which happens almost never where I live.