Mesh Solution with working Guest Network

Joined
Aug 26, 2011
Messages
325
Reaction score
6
Currently using Asus RT-AC68U as main router (radio turned off to lower temps since it's in the bomb shelter) and hardcabled to several Access Points (RT-AC1200Gx2, RT-AC87, another RT-AC68 all in AP mode).

Why so many? Blame it on strange house shape, and poor lan point positioning. hahaha. Not purposely all Asus as well, it just happened that i chanced upon these routers on contract renewal or 2nd hand for cheap.


I've been researching wifi mesh options.
Not having connection drop when roaming between access points is nice.
Better speeds, coverage etc.

The key requirement in my setup is that i need a Guest Network (wireless only) that is isolated from my main network.
Devices on Guest Network can get internet but not access other devices on the network (NAS, home automation etc).

Current setup has only AP RT-AC87 & AP RT-AC68 broadcasting guest network SSID. Guest network only works if you run a specific script on Merlin firmware. "Isolated AP" function does not work as well. It serves for now.


Does anyone have a mesh system where the guest network works properly on the nodes? So far I haven't been able to find ANYTHING conclusive that works properly.
 

giraffey

Currently using Asus RT-AC68U as main router (radio turned off to lower temps since it's in the bomb shelter) and hardcabled to several Access Points (RT-AC1200Gx2, RT-AC87, another RT-AC68 all in AP mode).

Why so many? Blame it on strange house shape, and poor lan point positioning. hahaha. Not purposely all Asus as well, it just happened that i chanced upon these routers on contract renewal or 2nd hand for cheap.


I've been researching wifi mesh options.
Not having connection drop when roaming between access points is nice.
Better speeds, coverage etc.

The key requirement in my setup is that i need a Guest Network (wireless only) that is isolated from my main network.
Devices on Guest Network can get internet but not access other devices on the network (NAS, home automation etc).

Current setup has only AP RT-AC87 & AP RT-AC68 broadcasting guest network SSID. Guest network only works if you run a specific script on Merlin firmware. "Isolated AP" function does not work as well. It serves for now.


Does anyone have a mesh system where the guest network works properly on the nodes? So far I haven't been able to find ANYTHING conclusive that works properly.

Quite a number of newer mesh systems already have some basic guest systems. linksys, google, etc should already have them.

An alternative is also to consider having wireless access points instead (e.g. UniFi). This would allow a higher level of customization, different options for guest mode, more flexibility in deployment and better value for money over mesh systems.
 

xiaofan

Does anyone have a mesh system where the guest network works properly on the nodes? So far I haven't been able to find ANYTHING conclusive that works properly.

Even my cheap S$99 a pair TP-Link Deco M4 support Guest Network.
https://www.tp-link.com/fi/support/faq/1461/

Since you have Ethernet ports available, even low end Mesh like the Deco M4 can perform very well with Ethernet backhaul. Actually all the TP-Link Mesh routers support it.

But you can of course buy better dual band Mesh (no need expensive triband Mesh), eg, the Deco X20 WiFi 6 AX1800 or Deco X60 AX3000.
 

Apparatus

Re

Currently using Asus RT-AC68U as main router (radio turned off to lower temps since it's in the bomb shelter) and hardcabled to several Access Points (RT-AC1200Gx2, RT-AC87, another RT-AC68 all in AP mode).

Why so many? Blame it on strange house shape, and poor lan point positioning. hahaha. Not purposely all Asus as well, it just happened that i chanced upon these routers on contract renewal or 2nd hand for cheap.


I've been researching wifi mesh options.
Not having connection drop when roaming between access points is nice.
Better speeds, coverage etc.

The key requirement in my setup is that i need a Guest Network (wireless only) that is isolated from my main network.
Devices on Guest Network can get internet but not access other devices on the network (NAS, home automation etc).

Current setup has only AP RT-AC87 & AP RT-AC68 broadcasting guest network SSID. Guest network only works if you run a specific script on Merlin firmware. "Isolated AP" function does not work as well. It serves for now.


Does anyone have a mesh system where the guest network works properly on the nodes? So far I haven't been able to find ANYTHING conclusive that works properly.

Guest network is for allowing guests to access the net and isolate them from accessing your main wifi network. If the guest can access the main wifi network then it means the guest network is not properly implemented in the router. This has happened to some routers.

So far I think consumer routers do NOT have AP (aka Wireless) Isolation in the Guest Network only in the main WiFi network. Prosumer/enterprise routers likely to have this feature or the VLANs in the routers.

I have IP Cams set in the Guest Network of my XT8 with a wireless backhaul node and they work so I'm not sure what you mean by 'have a mesh system where the guest network works properly on the nodes'? Smart Connect disabled here.
 
Joined
Aug 26, 2011
Messages
325
Reaction score
6
Guest network is for allowing guests to access the net and isolate them from accessing your main wifi network. If the guest can access the main wifi network then it means the guest network is not properly implemented in the router. This has happened to some routers.

So far I think consumer routers do NOT have AP (aka Wireless) Isolation in the Guest Network only in the main WiFi network. Prosumer/enterprise routers likely to have this feature or the VLANs in the routers.

I have IP Cams set in the Guest Network of my XT8 with a wireless backhaul node and they work so I'm not sure what you mean by 'have a mesh system where the guest network works properly on the nodes'? Smart Connect disabled here.

It really depends on how your IP Cam is setup.
On a working guest network your IP Cam still can access the internet and upload footage. You can still view footage from whatever cloud storage.
However you won't be able to directly access the settings of your IP Cam from local lan. just curious why your webcams need guest network, shouldn't they be on main network.

XT8 guest network on nodes is still not working. Your cam might be on the main router.

Well in short, the use case is: anything on the guest network gets internet and only internet. they access any other device on main network locally.
 
Joined
Aug 26, 2011
Messages
325
Reaction score
6
Even my cheap S$99 a pair TP-Link Deco M4 support Guest Network.
https://www.tp-link.com/fi/support/faq/1461/

Since you have Ethernet ports available, even low end Mesh like the Deco M4 can perform very well with Ethernet backhaul. Actually all the TP-Link Mesh routers support it.

But you can of course buy better dual band Mesh (no need expensive triband Mesh), eg, the Deco X20 WiFi 6 AX1800 or Deco X60 AX3000.

https://community.tp-link.com/us/home/forum/topic/162482

Cannot leh. AP mode still no mesh
 

Apparatus

It really depends on how your IP Cam is setup.
On a working guest network your IP Cam still can access the internet and upload footage. You can still view footage from whatever cloud storage.
However you won't be able to directly access the settings of your IP Cam from local lan. just curious why your webcams need guest network, shouldn't they be on main network.

XT8 guest network on nodes is still not working. Your cam might be on the main router.

Well in short, the use case is: anything on the guest network gets internet and only internet. they access any other device on main network locally.

Your quote

On a working guest network your IP Cam still can access the internet and upload footage. You can still view footage from whatever cloud storage.

Unquote

That's the job of a Guest network allowing the cam to access the net, right?

I have set up SSID on my XT8 2.4GHz Guest network.

IP cams have their own software. When asked to choose a network to connect I chose my 2.4GHz Guest network SSID.

Doesn't this mean my IP cams are set up on my XT8 Guest network?

I thought the node is acting only like a repeater?

Correct me if I'm wrong. You sure the node has its own settings for the 2.4/5-1/5-2 GHz and Guest settings just like the main router? Where to find in the ASUS set up page? By accessing the node's IP address like 192.168.50.x? I tried but cannot access the node's IP address

One of the protections for IoT/risky/untrusted devices is to isolate them from the main wifi network. And setting them in the Guest network provides isolation to the main wifi network. If I need access to the IP cams to change its settings I'll need to access its software to do it. I can't access from the router side to do the changes except if I assign static IP addresses to them
 
Joined
Aug 26, 2011
Messages
325
Reaction score
6
Your quote

On a working guest network your IP Cam still can access the internet and upload footage. You can still view footage from whatever cloud storage.

Unquote

That's the job of a Guest network allowing the cam to access the net, right?

I have set up SSID on my XT8 2.4GHz Guest network.

IP cams have their own software. When asked to choose a network to connect I chose my 2.4GHz Guest network SSID.

Doesn't this mean my IP cams are set up on my XT8 Guest network?

I thought the node is acting only like a repeater?

Correct me if I'm wrong. You sure the node has its own settings for the 2.4/5-1/5-2 GHz and Guest settings just like the main router? Where to find in the ASUS set up page? By accessing the node's IP address like 192.168.50.x? I tried but cannot access the node's IP address

One of the protections for IoT/risky/untrusted devices is to isolate them from the main wifi network. And setting them in the Guest network provides isolation to the main wifi network. If I need access to the IP cams to change its settings I'll need to access its software to do it. I can't access from the router side to do the changes except if I assign static IP addresses to them

ooo now I see.
Fair point that you are afraid your IP Cam gets hacked and your home network gets compromised.
Well my use case is that I don't want any of the folks on my guest network to access my home network's NAS/IoT etc.


On the Asus AIMesh thingy I think cannot configure the nodes individually beyond which backhaul to use (well idea is you shouldn't need to anyway).
Your guest network coverage from main node is probably good enough to reach your IP Cams so it's probably transparent to you.

I need to find something that can broadcast guest wifi from secondary nodes. the main node will be stuck in bomb shelter and won't provide enough guest coverage.

See post#13 (see the guest network on secondary node pt)
https://www.snbforums.com/threads/maylyn-networking-asus-zenwifi-xt8.61050/
 

Apparatus

Re

ooo now I see.
Fair point that you are afraid your IP Cam gets hacked and your home network gets compromised.
Well my use case is that I don't want any of the folks on my guest network to access my home network's NAS/IoT etc.


On the Asus AIMesh thingy I think cannot configure the nodes individually beyond which backhaul to use (well idea is you shouldn't need to anyway).
Your guest network coverage from main node is probably good enough to reach your IP Cams so it's probably transparent to you.

I need to find something that can broadcast guest wifi from secondary nodes. the main node will be stuck in bomb shelter and won't provide enough guest coverage.

See post#13 (see the guest network on secondary node pt)
https://www.snbforums.com/threads/maylyn-networking-asus-zenwifi-xt8.61050/

In your case you don't want any of the folks on your guest network to access your home network's NAS/IoT etc

This is the job of the Guest network as intended


As for post #13


Quote

4) The "Dong Knows" CT8 review also states that there is a long-standing bug that the guest network doesn't work on satellite nodes, only the primary node, unclear when this might be resolved. Presumably this would also be an issue with the XT8?

Unquote

This refers to one of the CONS in dongknows reviews of the CT8/XT8 ie. no Guest networking throughout when working with non-ZenWiFi AiMesh routers

If you have a non-ZenWiFi AiMesh router attached then its Guest network will not function. The node in the XT8 also doesn't support Guest network and 2.4/5-1/5-2 GHz bands ONLY the main router supports them.

If you need to look for a node which can use its Guest network then the XT8 is not for you
 

xiaofan


I see. You do not want to give up your main router as it is in the bomb shelter.

The forum post actually says the feature has been implemented through a new FW.

"Firmware was released back in July of 2019 that added that feature in the US region, if you are not seeing that you need to contact your local TP-Link Support team for an update."

But I see other TP-Link forum post saying the isolation is not working.

https://community.tp-link.com/en/home/forum/topic/159689

So you need guest wifi in AP mode, looks like you need a better router.

Ref: an old thread in 2014.
https://forums.hardwarezone.com.sg/.../guest-network-access-point-mode-4884241.html

Edit to add:
Just powered up my Deco M4 again (AP mode) and it does show the option to enable Guest Network. But I have not tried to see how good it is.
 

xiaofan

Just a thought, maybe this is a stupid idea but anyway...

Often the experts here say it is not good to have double NAT, one problem is that the device under the 2nd router can not see the devices connected to the main router.

Is it possible to use this "feature" to create a guest network using the second router?
 

xiaofan

But I see other TP-Link forum post saying the isolation is not working.

https://community.tp-link.com/en/home/forum/topic/159689

Edit to add:
Just powered up my Deco M4 again (AP mode) and it does show the option to enable Guest Network. But I have not tried to see how good it is.

I did a simple testing using my mobile phone, when using the main network on the Deco P4 (authentication is needed with WPA2), I can use my Brother network printer. When using the guest network (open, no password needed), I can not find the network printer. So it seems to me the basic isolation feature is working, even in AP mode.
 
Joined
Aug 26, 2011
Messages
325
Reaction score
6
I did a simple testing using my mobile phone, when using the main network on the Deco P4 (authentication is needed with WPA2), I can use my Brother network printer. When using the guest network (open, no password needed), I can not find the network printer. So it seems to me the basic isolation feature is working, even in AP mode.

hmm. so it works? how do u know you are connected to the secondary node and not the main node?
wat i've read is the main node works fine but not secondary nodes.
The problem with my setup is the nodes will be very far apart and each node has to be able to broadcast an isolated guest network.

if i turn on FULL AP isolation (not just guest network) on the asus ones i've (RT87U,AC68u all on merlin). it doesn't even work.

i mean it seems like the manufacturers have all juz left guest mode broken on their devices in APs/ Secondary Node mode.

im reading on the Orbi Pros to see if they work. given the 3 device $1400 price, I rather spend money upgrading my switches to 10gb (and it probably be <1k given the MikroTik choices around). zzz.
 

xiaofan

hmm. so it works? how do u know you are connected to the secondary node and not the main node?
wat i've read is the main node works fine but not secondary nodes.
The problem with my setup is the nodes will be very far apart and each node has to be able to broadcast an isolated guest network.

I know it works because I check the signal strength. I checked in master room node and a common room node and they go full bar when the mobile is close to the nodes. If they are connected to the main node in the living room the signal would be much weaker.

Take note that my two Deco M4 nodes can not even see the main node with wireless backhaul as they are located in the extreme end of the room respectively. I have to use power line adapter to form a pseudo Ethernet backhaul (PLC backhaul) to get the two nodes online.

BTW, I use the Deco M4 in AP mode since I am using SingTel ONT and I have SingTel TV. Deco M4 supports vlan but only got two ports. I still use my 6-year old Linksys WRT1900AC as the main router (link to the SingTel TV box, Deco M4 main unit, NAS and the Power Line Adapter).
 
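A way to make the test discussed in the posts above repeatable from a Linux laptop joined to the guest SSID, as an added example that is not part of any poster's message: it reads the associated BSSID from `iw dev <if> link` output to tell which node is serving the client, then TCP-probes main-network devices. The BSSIDs, IP addresses, ports and the choice to count a refused connection as a leak are assumptions.

```python
import re
import socket

# Constructed sample of `iw dev wlan0 link` output on a client joined to the guest SSID.
SAMPLE_IW_LINK = (
    "Connected to 02:00:00:00:00:02 (on wlan0)\n"
    "\tSSID: Home-Guest\n"
    "\tfreq: 2437\n"
    "\tsignal: -41 dBm\n"
)

def parse_iw_link(text):
    """Return (bssid, ssid) from `iw dev <if> link` output, or (None, None) if not associated."""
    b = re.search(r"^Connected to ([0-9a-fA-F:]{17})", text, re.M)
    s = re.search(r"^\s*SSID: (.+)$", text, re.M)
    return (b.group(1).lower() if b else None, s.group(1).strip() if s else None)

def probe(host, port, timeout=2.0):
    """Classify one TCP connection attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset normally comes from the target host itself, so the path to it exists.
        return "refused"
    except OSError:
        # Timeout, no route or host unreachable: nothing came back from the target.
        return "filtered"

def assess(bssid, nodes, lan_results, internet_state):
    """Combine probe results into a verdict.

    nodes:       {guest BSSID: label} for every mesh node (assumed known to the owner)
    lan_results: {(host, port): state} for devices on the main network
    """
    # Assumption: isolation should silently drop guest traffic, so anything other
    # than 'filtered' means a main-network device answered the guest client.
    leaks = sorted(t for t, state in lan_results.items() if state != "filtered")
    return {
        "node": nodes.get(bssid, "unknown"),
        "internet": internet_state == "open",
        "leaks": leaks,
        "isolated": not leaks,
    }

def run_check(iw_text, nodes, lan_targets, internet_target):
    """Probe every target live and return the verdict for the serving node."""
    bssid, _ssid = parse_iw_link(iw_text)
    lan_results = {t: probe(*t) for t in lan_targets}
    return assess(bssid, nodes, lan_results, probe(*internet_target))

if __name__ == "__main__":
    # Constructed results standing in for a live run on a secondary node.
    nodes = {"02:00:00:00:00:01": "main node", "02:00:00:00:00:02": "secondary node"}
    results = {("192.168.1.10", 445): "filtered",   # NAS (constructed address)
               ("192.168.1.20", 9100): "refused"}   # printer (constructed address)
    bssid, ssid = parse_iw_link(SAMPLE_IW_LINK)
    print(ssid, assess(bssid, nodes, results, "open"))
```

Run it once per node while standing next to that node, so each verdict is tied to the BSSID that actually served the client rather than inferred from signal bars.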

xiaofan

i mean it seems like the manufacturers have all juz left guest mode broken on their devices in APs/ Secondary Node mode.

im reading on the Orbi Pros to see if they work. given the 3 device $1400 price, I rather spend money upgrading my switches to 10gb (and it probably be <1k given the MikroTik choices around). zzz.

From what I read, Asus Lyra or Lyra Trio will also work. Linksys Velop also works even though some FW version may break the isolation.

What you encountered seems to be an Asus AIMesh specific issue.
https://www.snbforums.com/threads/guest-network-on-aimesh-node.54832/

Lyra Trio.
https://zitseng.com/archives/16121
"In bridge mode, the Lyra Trio still offers Guest Access features. But other features such as Traffic Manager, Smart Home, and features to monitor and limit Family Members, are available only in router mode."

Linksys Velop Guest Network in Bridge mode -- to downgrade FW version to have working guest network isolation
https://community.linksys.com/t5/Ve...op-Bridge-mode-and-Guest-network/td-p/1417549
 

Apparatus

Re

I did a simple testing using my mobile phone, when using the main network on the Deco P4 (authentication is needed with WPA2), I can use my Brother network printer. When using the guest network (open, no password needed), I can not find the network printer. So it seems to me the basic isolation feature is working, even in AP mode.

It just means your guest network is working ok ie. the guest network has isolated you from the main wifi network

Unless the AP Isolation also supports Guest network which is unlikely for consumer routers. FWIW only prosumer/enterprise routers likely to have AP Isolation/VLAN feature for their Guest Network besides the main wifi network

To confirm you can disable the AP Isolation feature and test again. And if you still cannot access the main wifi network it confirms your Guest network is working correctly. If it can access your main wifi network then the AP Isolation is there to protect the Guest network as well.
 
Joined
Aug 26, 2011
Messages
325
Reaction score
6
I know it works because I check the signal strength. I checked in master room node and a common room node and they go full bar when the mobile is close to the nodes. If they are connected to the main node in the living room the signal would be much weaker.

Take note that my two Deco M4 nodes can not even see the main node with wireless backhaul as they are located in the extreme end of the room respectively. I have to use power line adapter to form a pseudo Ethernet backhaul (PLC backhaul) to get the two nodes online.

BTW, I use the Deco M4 in AP mode since I am using SingTel ONT and I have SingTel TV. Deco M4 supports vlan but only got two ports. I still use my 6-year old Linksys WRT1900AC as the main router (link to the SingTel TV box, Deco M4 main unit, NAS and the Power Line Adapter).

From what I read, Asus Lyra or Lyra Trio will also work. Linksys Velop also works even though some FW version may break the isolation.

What you encountered seems to be an Asus AIMesh specific issue.
https://www.snbforums.com/threads/guest-network-on-aimesh-node.54832/

Lyra Trio.
https://zitseng.com/archives/16121
"In bridge mode, the Lyra Trio still offers Guest Access features. But other features such as Traffic Manager, Smart Home, and features to monitor and limit Family Members, are available only in router mode."

Linksys Velop Guest Network in Bridge mode -- to downgrade FW version to have working guest network isolation
https://community.linksys.com/t5/Ve...op-Bridge-mode-and-Guest-network/td-p/1417549

ahh many thanks for the input.
Looks like if i wanna go mesh with working guest, the TP-Link M9/5s in AP mode is probably cheapest for me.
Thanks!
 

xiaofan

It just means your guest network is working ok ie. the guest network has isolated you from the main wifi network

Unless the AP Isolation also supports Guest network which is unlikely for consumer routers. FWIW only prosumer/enterprise routers likely to have AP Isolation/VLAN feature for their Guest Network besides the main wifi network

To confirm you can disable the AP Isolation feature and test again. And if you still cannot access the main wifi network it confirms your Guest network is working correctly. If it can access your main wifi network then the AP Isolation is there to protect the Guest network as well.

There is no AP Isolation settings for the guest network. Take note Deco M4 is a very cheap Mesh, S$99 per pair. I do not even see the option to set the password. (Edit: my bad. There is an option to add password).
 

xiaofan

ahh many thanks for the input.
Looks like if i wanna go mesh with working guest, the TP-Link M9/5s in AP mode is probably cheapest for me.
Thanks!

There is no AP Isolation settings for the guest network for my Deco M4. Take note Deco M4 is a very cheap Mesh, S$99 per pair. I do not even see the option to set the password. (Edit: my bad. There is an option to add password).

I am not so sure about Deco M5 which is a bit more advanced than M4. And M9 Plus is triband. However I am not so sure if they have more advanced settings than my Deco M4 in terms of guest network.

If you need more advanced features as in AP Isolation (more security) than guest network it seems to me the best is to get a better router or AP (eg: Ubiquiti stuff), as you already mentioned in your post.

From what I read, there is a difference between guest network and AP isolation.
https://www.neweggbusiness.com/smartbuyer/networking/access-point-isolation-secure-wireless/
 

Apparatus

Re

There is no AP Isolation settings for the guest network. Take note Deco M4 is a very cheap Mesh, S$99 per pair. I do not even see the option to set the password.

I'm talking about the AP Isolation for the main wifi network. You said it seems to work when you are in Guest Network leh
 