RT-AX88U Pro Blocking Internet Access

fotingo

Regular Contributor
I'd like to block Internet access to some devices connected to the IoT network and Guest network.
I am not able to block Internet access to the devices connected to the IoT networks or any network that is not set up to use the main network.

Even using the MAC address in Parental Controls does not work.
Is that normal or should I be able to block Internet access to devices connected to those Networks as well?

Thanks.
 
It may help others if you include the firmware version the RT-AX88U Pro is running. And if running Asus-Merlin firmware, list any add-on scripts running like YazFi for example that may affect WiFi Guest Networks.
 
I don't know for sure what's causing the problem here. Unfortunately, I don't have one of these ASUS Pro routers, which have introduced VLANs and things like IOT. But it wouldn't surprise me if in fact you couldn't deny internet access.

In general, esp. for OEM firmware (which is rarely all that flexible), things like Guest and IOT networks are typically isolated from all other networks, at least by default. And most of the time within a given Guest or IOT network, devices don't need to communicate amongst themselves either. In fact, enabling AP isolation is common for this reason. At that point, what's left BUT internet access. So if you now block internet access, for all intents and purposes, having such a device connected to the network is pointless! You might as well NOT connect it AT ALL.

Again, I have no way at this point to know if this is the problem, or even the rationale behind it, but knowing OEMs like I do, they tend to think this way, anticipating 3 steps ahead in order to remove additional complexities, esp. if THEY decide you don't need it. It's just another reason so many ppl turn to third-party firmware.

Anyway, just a guess. I could be totally offbase and it's just a bug.
 
I am not able to block Internet access to the devices connected to the IoT networks or any network that is not setup to use the main network.
This is a known issue with the AX88U-PRO 102_33308 firmware. I reported it to Asus months ago.

Try using a "Custom" Guest Network Pro profile(s). Right now, I believe you can block an entire VLAN from internet access, but not individual devices within the VLAN.

So, if you want some devices to access the internet and block others, create 2 different VLANs.
 
It may help others if you include the firmware version the RT-AX88U Pro is running. And if running Asus-Merlin firmware, list any add-on scripts running like YazFi for example that may affect WiFi Guest Networks.
I'm using stock Firmware version 3.0.0.6.102_33308.

I have not tried installing Merlin's yet as I just bought this router and wanted to try out the VLAN options.
The reason I wanted to get this router, besides the fact that my AC86U will stop getting updates by the end of 2024, is that I also wanted to see if the VLAN option was going to do what I wanted YazFi to do.

On my AC86U, I have YazFi, but it has this issue where if I disable Internet access, I cannot control the IoT devices using their respective apps if my iPhone is connected to the main WiFi network. I know this is a limitation of YazFi.

I prefer my IoT devices and security cameras to not only be on a separate network, but to also not have Internet access at all, but at the same time be able to view them/control them with my iPhone while it is connected to the main WiFi network... not sure if that makes sense.
 
How do I achieve this?
If I remember correctly, you can define up to 6 VLANs. I have 4. 3 are active. All are "Customized Network".

Another way to deny VLAN internet access is to enter a bogus DNS IP. That should work for domain queries, not so much for WAN IPs.
 
How do I achieve this?

OEM firmware always has annoying limitations, or policies not everyone agrees with. That's why you install third-party firmware. In this case, Merlin will give you the ability to access the firewall directly, even if the GUI fails to give you what you want. But if you insist on the GUI working the way you want (OEM or Merlin), then yeah, you're going to have unsolvable problems.
 
I see that Customize Network, but when I go into it, I don't see an option to disable Internet. Is that option somewhere else?

 
Are there any features not working/missing in the Merlin firmware?
For example, DNS Director. Is that a feature of the stock version or is that Merlin's?

I ask because on my AC86U with Merlin, it has DNS Director, but it's not on the stock AX88U Pro.
 
I'm not sure who is responsible for it. But as a general rule, Merlin does NOT take away features, but simply adds and enhances them. So if you're concerned about losing access to something by switching from OEM to Merlin, that seems highly unlikely. If anything, Merlin often fixes things the OEM firmware fails to, or at least addresses it much more promptly.

Worst case, you just make a backup of your current OEM settings, install Merlin, and try it. You can always quickly go back to OEM if you don't like it.
 
I just found that DNS Director is a feature Merlin added, which is awesome. I just installed Merlin, but I see that the Guest Network tab looks completely different than stock.
I don't see the options I had when it was on stock.

Does that mean those options are not available in Merlin or do I also have to install YazFi? But if that's the case, I will be in the same scenario I was with the AC86U where YazFi has limitations and does not work as intended when it comes to blocking internet access and allowing LAN access at the same time.
 
I see that the Guest Network tab looks completely different than stock.
You must be comparing firmware 3006.102 with firmware 3004.388. Asuswrt-Merlin only offers 3006.102 for Wifi 7 devices at this time. The porting of other Wifi 6 devices to the 3006 firmware will only come later, hopefully once Asus has a more stable 3006 codebase.
 
Thank you Merlin. I just installed YazFi and can confirm the issue I had on the AC86U, where if I disabled Internet Access to a Guest Network I would not be able to access the devices via LAN only... on this AX88U Pro, YazFi is working as intended!

Is that because this model does allow full implementation of vlans?
 
Is that because this model does allow full implementation of vlans?
The hardware supports it, however you will need the software to leverage it. I have no idea how Yazfi implements its guest networks, but the 3006 firmware will provide VLAN-based guest networks.
 
@RMerlin sorry, one last thing. I did a dirty install of Merlin from stock just to try it out. Do you recommend resetting to default settings?
Never mind. I read the documentation...thanks.
 
Actually I spoke too soon haha.
Only the wireless security cameras work without internet access. The IoTs, like smart plugs and light switches, do not work unless I enable internet access.
Meaning, I am not able to access them via LAN only.

This is the same behavior I was having with YazFi on the AC86U.

My dilemma is, I don't want to lose DNS Director by going back to stock firmware, but I would like to be able to deny Internet access to IoT devices and keep them segregated at the same time.
 
As I pointed out previously, you can always add firewall rules of your own.

Code:
iptables -I FORWARD -s 192.168.10.100 -m state --state NEW -j DROP

This prevents the source IP 192.168.10.100 from initiating any connections outside its own local IP network, but it can still *reply* to connections initiated outside its own local IP network, such as from the private IP network.

I would first test it w/ SSH (just copy/paste it into the terminal window). Just beware, it will NOT survive a reboot unless you make it persistent w/ a firewall-start script.

The following illustrates how (obviously you'll need to change the rules).


P.S. You could alternatively block the device based on its MAC address, if you find that more convenient (which is often the case if you don't/can't assign a static IP).

Code:
iptables -I FORWARD -m mac --mac-source 00:01:02:03:04:05 -m state --state NEW -j DROP
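
The persistence step described in the post above, as an added example that is not part of the original post or of Asuswrt-Merlin itself: a `firewall-start` user script that re-applies both rules after every firewall rebuild without stacking duplicates. The helper names (`add_once`, `block_ip`, `block_mac`, `apply_rules`) are hypothetical, and the addresses are the placeholder values from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Save as /jffs/scripts/firewall-start
# (chmod +x) on Asuswrt-Merlin with custom user scripts enabled.
# Helper names are hypothetical; addresses are the post's placeholders.

IPT="${IPT:-iptables}"   # overridable so the logic can be dry-run off the router

# Insert a rule at the top of FORWARD unless an identical one already exists.
# firewall-start runs each time the firewall is rebuilt, so a bare -I
# would keep adding copies of the same rule.
add_once() {
    $IPT -C FORWARD "$@" 2>/dev/null || $IPT -I FORWARD "$@"
}

valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Stop a source IP from opening NEW connections through the router.
# Replies to connections opened from another local network still pass.
block_ip() {
    valid_ip "$1" || { echo "skipping bad IP: $1" >&2; return 1; }
    add_once -s "$1" -m state --state NEW -j DROP
}

# Same policy keyed on the MAC address, for devices without a static IP.
block_mac() {
    valid_mac "$1" || { echo "skipping bad MAC: $1" >&2; return 1; }
    add_once -m mac --mac-source "$1" -m state --state NEW -j DROP
}

apply_rules() {
    block_ip  192.168.10.100
    block_mac 00:01:02:03:04:05
}

# Only touch the firewall when run under its real name on the router.
case "$0" in
    *firewall-start) apply_rules ;;
esac
```

After a reboot, `iptables -L FORWARD -n -v --line-numbers` shows whether the DROP rules are present and whether their packet counters are increasing.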
 
@eibgrad so in my case the IoTs are on 192.168.3.1 so it would be

iptables -I FORWARD -s 192.168.3.1 -m state --state NEW -j DROP

correct?
 
