Guest network config with/without "access to intranet" like on Asus router

Hello,

Could anybody help me to configure a Guest network like on my existing Asus router (RT-N18U running stock firmware) with easy turning on/off the "access to Intranet" and using the same network range and DHCP like basic LAN?

I've been successful in configuring a Guest network, isolated from the basic LAN, using a separate network range (also DHCP), different from the basic LAN. Going step-by-step through the documentation, I was required to avoid using the basic LAN network range, so I did. That's OK for a standard Guest network, but I would like to have some modification (or create a new network for WiFi smart home devices):

I want to use that Guest network (let's call it SmartHomeDevices network) for cameras and other smart devices, which usually use their own vendor-specific cloud services, to use the connection to the Internet via the same network range used for the basic LAN (dedicated static IP leases - static leases for smart devices already ready), avoiding direct communication towards my devices running on the basic LAN, with only occasional need to turn that communication on => "access intranet" check button on the existing Asus router (same network range for basic and guest network with only turning on/off the access to the intranet).

So normal status => WiFi Smart Devices cannot communicate with other devices on the basic network

Occasional usage (e.g. debugging/pinging) => WiFi Smart Devices can communicate with other devices on the basic network

Could you please recommend if the Guest network is the right configuration for that purpose (and how to reach the goal if so - probably to configure and turn on/off some dedicated route ???) or if there is a better or easier configuration in OpenWrt by not using the Guest network as the same network range usage is required (and how to reach the goal if so - probably to configure somehow the isolation of specific WiFi devices from the rest of the network ???).

Thanks!

Some people do it like this - the "IoT Network" (or in your case, "Guest Network") cannot initiate any communications to the basic network, whereas devices on the basic network can see and initiate communications to anything in the IoT Network, i.e. one-way traffic.

Use case: You have a "Home Assistant" smart home system that sits in your LAN that talks to the IoT devices locally to control their settings, turns lights on/off, etc. It can because of this setup. The IoT devices (or guest devices / phones / PCs for that matter) however won't be able to scan and see what's in your basic network even if they want to.

Then, no need to manually flip something on for "occasional usage"...

Of course, you may already know about this concept, but still want to do "occasional usage" instead because of whatever reason. Doable of course with firewall config changes.


Mind the gap: https://openwrt.org/toh/asus/rt-n18u:

  • devices with Broadcom WiFi chipsets have limited OpenWrt supportability
  • WiFi does not work

(that note likely is still up to date)

You might need to consult an Asus discussion forum for guest config on vendor firmware or look for a more OpenWRT-capable device (and I doubt that you will be happy installing OpenWRT on your device considering that Wifi limitation)

Hi,
That's exactly what I need (as you wrote, then no need for occasionals :grin: if the communication from sensors towards my LAN is blocked).

Preferably if I could have separate SSID for the IoT devices (not to use the same SSID used for mobile phones).

Could you help/hint how to configure?

I am actually running OpenWrt on a similar router, RT-N14U (single WAN) => preparing the configs to switch over from Asus stock firmware (with no more security updates) to OpenWrt. WiFi is running OK so far...

Thanks I will check the OpenWrt compatibility/differences between RT-N14U and RT-N18U.

Oh, broadcom....

Yeah not much of a reason to be flashing Openwrt then.

...security/updates reason #1
...only 64 static leases on Asus stock fw #2

RT-N18U platform bcm53/generic

RT-N14U platform ramips/mt7620

Is the N14U more suitable for OpenWrt than N18U?

I can see releases for both of them and I expected N18U will be better as it has more features (e.g. dual wan)

The N18 will have no WiFi once OpenWrt is installed. "Suitable" as in "yes, but will be a wired router only".

The N14 is old and its 64MB RAM is not much. Its WiFi will work, as Ramips/Mediatek is supported.
"Suitable" as in "yes, but the hardware will stay outdated and feel slow". Configuring it as a pure access point might save some RAM.

Thanks for the info. I did not expect that the N18U will not support WiFi.

...so I will stay on OpenWrt with the N14U, and probably I will use the N18U only as a wired switchover unit for two ISPs.

Any help with the N14U configuration?

BTW, isn't it possible on the N14U to configure one of its four LAN ports as a secondary WAN port? (I think not, but just asking)

Wifi: I have neither of the 2 devices, I am only alerting about what others have noted on that wiki page in the past.

multi WAN: I would say pretty much all of the supported devices can have as many ports used for WAN as there are RJ45 ports available on the device, as long as the device has multiple dedicated network interface cards or a built-in switch with VLAN and/or DSA support.
As OpenWRT gives you low-level config access to all network ports, you are not limited to what certain config wizard click paths of the vendor have implemented.

Hello,

Sorry for not coming back sooner.

Discussion went to the N18 with the Broadcom chip - forget it. I also have a newer TP-Link Archer C50 v4, applicable for OpenWrt.

So how to use/configure the same network range (also a DHCP server with static leases) for two separate SSIDs, where the SSID for IoT can communicate with the Internet and cannot scan the internal network or do "bad/wrong things" :slight_smile: towards devices on the LAN and MainSSID?

Any hints/example configs?

Hi

this is the wrong approach
without deep networking talk
SSIDs are Layer 2
IPs are Layer 3
so, if you wish to have both SSIDs serving the same IP range, they need to be in the same L2 segment
to separate them, you need L2 filtering, which won't work without days of trial & error

furthermore, what is the reason to have the same IP range on IoT/LAN?

best thing is to make a GUEST network, assign a different IP range (ex: 192.168.2.0/24) and filter on Layer 3 with the standard, built-in OpenWRT firewall

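As an added example (not from any post in this thread), this is the UCI configuration that implements what the two replies above describe: the IoT SSID gets its own 192.168.2.0/24 zone, the LAN may initiate connections into it while IoT devices cannot initiate connections back, and a disabled `iot_to_lan` forwarding acts as the "access intranet" switch the original question asks for. It assumes the default `lan` and `wan` zone names, a radio named `radio0`, and a placeholder WPA2 key.

```uci
# /etc/config/network
config device
	option name 'br-iot'
	option type 'bridge'
config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
# /etc/config/wireless
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	option isolate '1'
# /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
# /etc/config/firewall
# input REJECT: the router only answers the rule at the end; forward REJECT: no cross-zone traffic without a forwarding
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'iot'
	option dest 'wan'
# LAN -> IoT only; replies return via conntrack, IoT cannot initiate towards LAN
config forwarding
	option src 'lan'
	option dest 'iot'
# the "access intranet" switch: off by default, set enabled to 1 when needed
config forwarding 'iot_to_lan'
	option src 'iot'
	option dest 'lan'
	option enabled '0'
# DHCP and DNS from IoT clients to the router itself
config rule
	option name 'Allow-DHCP-DNS-IoT'
	option src 'iot'
	option dest_port '53 67'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

Static leases for the cameras go into `config host` sections in /etc/config/dhcp with addresses from 192.168.2.0/24. The occasional LAN access is then `uci set firewall.iot_to_lan.enabled='1'; uci commit firewall; /etc/init.d/firewall reload`, and the same with `'0'` to close it again.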

Hi,

Please see my first info in this topic - it is described there.

Later the user seemebreakthis described the reason in the IoT use case perfectly (if configured that way, no occasional use would be needed).

The reason to have the IoT devices on a separate SSID is simple - I do not want to share my primary SSID credentials (SSID & password) with IoT devices which communicate with their vendor cloud.

Can you help me to reach the goal by proper example configuration or step-by-step instructions?

Thanks.

that was my question, why do you want IoT and LAN to have the same, for example, 192.168.1.0/24 range??

Because I would like to use the same single DHCP server (during occasional situations I wanted to allow IoT devices the communication towards the LAN), also because of preserving the same IP settings on my network (IoT and PC LAN) during "the migration" from the existing Asus RT-N18U router running stock firmware (where all devices use the same network and I can enable/disable "access Intranet") to the Asus RT-N14U router.

The final stage after migration might probably be on different networks (later move from the same network to another) if the occasional need to "access Intranet" could be simply done by turning on/off some prepared route (???).