Understanding „Guest Network Pro IoT“

lawk

Occasional Visitor
Hello,

I created a new network with the IoT preset within Guest Network Pro.

I thought the point was to isolate the devices on it. I found that the IoT network is still on the same subnet and I can ping them.

Or can I talk to them but they can't talk back? They obviously need WAN to talk to their control app.

But I don't want them talking to my LAN PCs.

To me the IoT network looks like just an SSID?
 
IOT should let the guest devices talk to each other, and the main LAN to talk to them. It should block them from initiating to the main LAN. You can test it easily with a couple PCs and some ping tests.

They use the main LAN subnet as stuff like mDNS has to be on the same subnet to work. I would guess mDNS is probably allowed in both directions.
 
IoT preset can ping everyone, access network shares from Windows etc... to me it seems like nothing but an SSID name :(

I tested now with a laptop on IoT network.
 
I think I figured out how to do it.

You create a VLAN in LAN settings, and then go to Guest Network Pro, and you can assign that VLAN to a new 2.4 GHz network. Then you can have the new SSID on a different subnet and also toggle Access to Intranet. You can also turn on and define DHCP and subnet.

I still think that in default it should do more than just create an SSID with stock settings.
 
These are all fairly new features. Ideally the IOT preset should do what I said but that was just an assumption/guess as this stuff is not well documented. Check the links @bennor provided and see if it gives any info. The only other way to see what it is doing "under the hood" is to go into the CLI and look at firewall rules etc.

Note that many IOT devices need to be on the same subnet as whatever is talking to them. So if you put your IOT guest on a different VLAN with different subnet, you probably will not be able to "cast" stuff from a main LAN device to a guest device, even if you enable the "one way to guest" feature (I think guest network pro has that, not positive though).
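
An added example (not from any poster in this thread, and not Asus firmware code) of the "look at firewall rules" check suggested above: it evaluates the FORWARD chain of an `iptables-save` dump to see whether the IoT side can initiate connections to the main LAN. The ruleset is constructed, the interface names (`br0` main LAN, `br52` IoT, `eth0` WAN) are assumptions, and the function names are hypothetical.

```python
import shlex

# Constructed sample in iptables-save syntax; interface names are assumptions:
# br0 = main LAN bridge, br52 = IoT/guest bridge, eth0 = WAN.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br52 -o br0 -j DROP
-A FORWARD -i br0 -o br52 -j ACCEPT
-A FORWARD -i br52 -o eth0 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
"""

# Only these matches are modelled; -s/-d/-p, negation and jumps to
# user-defined chains are ignored, so treat the result as a first pass.
KEYS = {"-i": "in", "-o": "out", "-j": "target",
        "--state": "states", "--ctstate": "states"}

def parse_forward(text):
    """Return (default_policy, rules) for the FORWARD chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "FORWARD"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "FORWARD"]:
            rule = {"in": None, "out": None, "states": None, "target": None}
            args = tok[2:]
            for flag, val in zip(args, args[1:]):
                if flag in KEYS:
                    key = KEYS[flag]
                    rule[key] = set(val.split(",")) if key == "states" else val
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, in_if, out_if, state="NEW"):
    """First matching terminal rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r["in"] not in (None, in_if) or r["out"] not in (None, out_if):
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy

def isolation_report(text, lan="br0", iot="br52"):
    """Verdicts for the three flows that define 'one way to guest'."""
    policy, rules = parse_forward(text)
    return {"iot_to_lan_new": verdict(policy, rules, iot, lan, "NEW"),
            "lan_to_iot_new": verdict(policy, rules, lan, iot, "NEW"),
            "iot_reply_to_lan": verdict(policy, rules, iot, lan, "ESTABLISHED")}
```

This models routed traffic between two bridges only; devices that share a subnet and bridge are switched at layer 2 and normally never reach the FORWARD chain, so a same-subnet setup has to be checked some other way, such as the ping tests suggested earlier in the thread.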
 
Yeah, I have an AC Unit and a security camera on the VLAN because it only talks remotely to an app.

But the VLAN would break IKEA lights for example, (I assume) because those work on the regular LAN/WLAN.

But I trust IKEA appliances anyway :)
 
Can you confirm if you’re able to ping from the main to IoT SSIDs? From my observations, each SSID is invariably in a separate VLAN. If you desire to prevent devices from seeing each other within the same SSID, you should enable 'Isolate AP'.
However, be cautious with this feature as devices usually need to communicate with each other—for instance, a phone may need to set up an IoT device, making this option generally not recommended.

See my thread: https://www.snbforums.com/threads/u...ss-multiple-ssids-on-asus-rt-ax88u-pro.87006/
 
IMO the "IoT Network" preset does not create a VLAN. See this screenshot: if you use the preset I can ping all the devices from the main subnet. Also, if you join the SSID you can ping back. It only creates a WPA2 2.4 GHz SSID IMO. It does help to remove clutter or make it look more neat with its own SSID, but it does not seem to focus on the security aspect. That's why I create my custom VLAN SSID. Then you can also leave the option "access intranet" unticked instead of working with the Isolate AP function.

This is what I use for IoT devices that work like this -LAN - WAN - WAN - APP. So it does not need LAN to LAN.

There are however IoT devices that communicate locally within your network. I don't know a solution for those. They need to be on the same VLAN and SSID to be able to be controlled by client apps.

If you then go to LAN and VLAN and create a new VLAN ID, it will show up in Guest Network Pro, and then you can modify it to add Wi-Fi and customize it to make an IoT network. See second screenshot.

Screenshot 2023-09-29 225343.png



Screenshot 2023-09-29 225948.png
 
Having a VLAN and being able to ping are not exclusive of each other. The firewall controls traffic between VLANs, not the VLAN itself.
 
I would say, in the case of Asus, this is indeed the situation. There is no mechanism in place to manage the rules between VLANs, as each VLAN is inherently separated from the others.


Interesting, you might be onto something. You have somewhat discovered a workaround that I was searching for (referencing my initial question in this thread https://www.snbforums.com/threads/u...ss-multiple-ssids-on-asus-rt-ax88u-pro.87006/).
It facilitates the creation of a separate SSID with the same VLAN as the main SSID (however, it does not yet allow modifications to the VLAN of the main SSID).
I haven't had the opportunity to verify what you've sent, as I am not currently at the residence with the Asus router; I will check in a few days.

Regarding your question, I suppose you would need to create a customized network - it automatically establishes a VLAN (and restricts its removal).
Isn’t that what you are looking for?
 
Yes, for me it is fine now.

I don't understand why you would want the main network to be a VLAN. If you want the IoT on the same VLAN, just use them on the main LAN?
 
How did you manage to allocate IPs to devices from the VLAN created (192.168.20.xx), not from the router (192.168.1.xx)? I already toggled DHCP server on Guest Network Pro for the VLAN.
 
You create it from Guest Network Pro and then it should be DHCP automatically? It was for me.
 
