RT-AX86U Pro LAN Port on Guest Network

[rung]

As I wait for a 3006 version of Merlin for my RT-AX86U Pro to get VLAN capability someday, I have been moving some less trusted devices to GW1 which acts somewhat like an IOT VLAN. Some of the devices are connecting to the AX3000 mesh node and some are local to the RT-AX86U Pro. I feel this setup is safer in case any device gets malware, the attack surface would be reduced (i.e. more isolated from the router admin interfaces and PCs).

Okay, so here is where I am uncertain: I have a VOIP device connected to eth3 on the RT-AX86U Pro and wanted to move it to GW1 as well. I have added the following commands to my services-start script:

brctl delif br0 eth3 >/dev/null 2>&1 # remove eth3 from main network
brctl addif br1 eth3 >/dev/null 2>&1 # add eth3 to guest network

This seems to work fine. The device uses DHCP and now gets an IP on the GW1 ip range instead while also connecting properly to its external services. To further test the behavior of the port, I hooked up a laptop on eth3 instead and found that it could still see all devices on 192.168.101.xxx (i.e. it is not fully isolated). The good news is it cannot see anything on the main network and the dns on 192.168.101.1 works as expected.

Now does anyone see any issues with what I did and do you recommend any changes or additions (e.g. ways to further isolate the port)?

Thanks,
Rung

 

[rung]

I wanted to add that I am concerned that this was just way too easy. I must be missing something. I read through a bunch of posts and scripts for something similar and they were all much more complicated. Is this only because of my model or has something changed with the recent firmware to make this easier for all models? I would have thought this feature would be useful for others enough for it to be an normal option or an add-on by now.