Asus DSL-N66U Guest network can access intranet - Bug?

HolmPC

I have an Asus DSL-N66U and the guest network functionality used to work perfectly, with guest devices being given IP addresses on a separate subnet to the main network.

Recently I noticed that this is no longer working, which is a worry as it's very important that I work on client machines disconnected from my main network.

Has anyone else experienced this? Does anyone know which version of the firmware I should roll back to to make it work, and where I'd get this old firmware from? I only bought this router because it had this functionality, so I'm tempted to ditch it and avoid Asus in the future.

Thanks.
 
I think you need to investigate it all a bit more before making any hardware changes.

Did you check the router's configuration?

My sense is that you did and that the settings you used are no longer available due to a firmware upgrade.... do I understand correctly?

What IP addresses are now being assigned to the guest devices versus what you expect(ed)?

What is your internal IP address and subnetting scheme?

Add a few more details please. Thanks.
 
Thanks for the reply. I have extensive experience with Asus routers, which is why this is puzzling me, but it's always possible I've missed something. I've thoroughly checked the setup, and the guest networking shouldn't be complicated. You simply turn it on and there's a checkbox which is supposed to control whether clients attached to the guest network can access the intranet or not. This setting now seems to do nothing.

For example, say my internal network was 192.168.100.x with a subnet of 255.255.255.0, I would expect the (up to 3) guest networks to give out addresses of the form 192.168.101.x, 192.168.102.x and 192.168.103.x.

However, all of the guest networks are allocating addresses in the 192.168.100.x range, regardless of what the "Access intranet" box is set to. This functionality has changed at some point since I originally set up guest networks on the router, when it worked as described above.
 
As I understand it, the router is doing exactly what it should be doing: i.e., assigning IP addresses in the 192.168.100.x range as it should be doing with a subnet of 255.255.255.0.

I found a setting for Access Internet = "off" with respect to the wireless guest settings for 2.4 GHz and 5.0 GHz.

But you specified "Access Intranet" which I have not found via the Router's User Manual. (Note: I downloaded the manual as a .zip file. However the manual has been problematic to reference: i.e., open, read, and search.)

Two things then:

1) I am wondering about the subnet mask being used with respect to the three guest networks (why three) and,

2) how/where (apparently missing) is the setting to exclude devices on those three subnets from connecting to your part of the network? What other routers or access points (if any) do you have in your network?

Still find myself a bit blurred with respect to the larger picture. Thanks.
 
It is not working as designed. The guest networks should be isolated from the main network by using a different subnet. This is the whole point of a guest network. When it has worked in the past this changing of the subnet has happened automatically. On the guest networks page of the admin interface there is clearly an "Access Intranet" setting, which is set to off.

A screenshot showing this is here.


This model of router allows creation of three guest networks, which is why I mentioned it in my example. I have other access points in my network, but that is irrelevant to my question.


 
Thank you.

I did discover that the reference manual I was looking at is for the RT-N66U, Firmware 3.0.0.1. and the equivalent screen is clearly "Access Intranet" with an "off" setting. Not sure where I went astray there - my apologies.

Anyway, I noticed that your Firmware version is 1.1.0.4. Do you know if your DSL-N66U firmware was upgraded? I looked at ASUS's website and did not find much information with respect to that router. (My idea being to check on recent firmware upgrades and see if there were any forum comments or related FAQs.)

What I am not sure about, or could not at least document, is that the router automatically subnets. I am not sure that having a router do that is a good idea as it surely cannot know the overall network design.

What I could see happening is that the router simply keeps track of wireless devices via their assigned IP and determines (based on that IP and membership in some guest network name) whether or not that device is permitted to access the network anywhere beyond just its assigned Guest network name. (Meaning the Intranet being disabled as you have selected and indicated on your screen picture.) No subnetting involved.

Unfortunately I am unable to drill down into the screens as I do not have that router. Did not note any user manual screens that establish subnetting and masking for subnets.

The only other thing that might be relevant is proxy servers. Page 11 of the manual (at least the copy I have) specifies that all proxy servers on each device be disabled to avoid problems connecting to the wireless network. No idea as to how those "problems" might manifest themselves.

At this point I am a bit stuck so will hope that someone else will provide additional input and suggestions. Always willing to learn here.

 
Thanks for your reply and for trying to help me get this figured out.

The firmware is the latest, downloaded a couple of days ago. I think I have it working now, and what you said about it not subnetting helped. This functionality appears to me to have changed at some point, as when I first got the router I have records that show me that subnetting was used.

When I posted the question, clients connected to a guest network with "Access Intranet" set to off could nevertheless access machines on my main network, and I transferred files from my NAS to confirm this was the case.

Today I have completely reset the router and started setup again, and redownloaded and reinstalled the latest firmware. With this done, the guest networking now appears to be working in the way you describe and I can no longer ping or access the machines on my main network.

Thanks for the discussion, I'm not sure I would have persevered with the reset without it, I was ready to give up on it.

Out of interest, can I ask where you saw the info about how the router is designed to restrict access to the intranet so I can have a read and try to understand why it wasn't working?
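
The check this post describes, run from a device joined to the guest SSID, as an added example that is not part of the original thread. It separates the two questions the thread mixes together: whether the guest address falls inside the main range, and whether main-network machines actually answer. The 192.168.100.0/24 range is the thread's own example; the host addresses, ports and function names are constructed for illustration.

```python
import ipaddress
import socket

# Main LAN range taken from the thread's example (192.168.100.x / 255.255.255.0).
MAIN_LAN = ipaddress.ip_network("192.168.100.0/24")

def shares_main_subnet(client_ip, main_lan=MAIN_LAN):
    """True if the guest client's address lies inside the main LAN range."""
    return ipaddress.ip_address(client_ip) in main_lan

def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False

def audit_isolation(client_ip, targets, main_lan=MAIN_LAN, probe=tcp_reachable):
    """Summarise isolation as seen from a client on the guest network.

    targets: (host, port) pairs on the main network that must NOT answer.
    """
    same = shares_main_subnet(client_ip, main_lan)
    leaks = [(h, p) for h, p in targets if probe(h, p)]
    if leaks:
        verdict = "NOT ISOLATED"
    elif same:
        # Same address range, but nothing answers: the router is filtering
        # guest traffic rather than placing guests on their own subnet.
        verdict = "isolated by filtering (same subnet)"
    else:
        verdict = "isolated (separate subnet)"
    return {"same_subnet": same, "leaks": leaks, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample values: a NAS file share and a web interface.
    guest_ip = "192.168.100.57"
    main_targets = [("192.168.100.10", 445), ("192.168.100.20", 80)]
    print(audit_isolation(guest_ip, main_targets))
```

Run the same target list once from the main network as a control, so that a host that is simply switched off is not mistaken for an isolated one.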
 
Glad it worked out.

To answer your question, that source was an Asus URL to the RT_N66U_B1 manual. Wrong router I now understand.

The "Access Intranet" option ("off" being the default I think) was under the Guest Network admin screen and appeared for both 2.4 GHz and 5 GHz.

There are five settings for each frequency:

Network name
Wireless Security
Security key
Access Time
Access Intranet

However, the screen top explanation for the Guest Network page reads: "The guest network can provide internet connectivity for temporary visitors without accessing your primary network."

Note that the sentence says "internet" while the setting is "Intranet".

I think that that is where I went astray on that matter. Typo, translation error....?

Now in the manual for the DSL-N66U the sentence (page 24) reads "The guest network can provide internet connectivity for temporary visitors but restricts access to your Intranet."

On the Guest Network screen for the RT_N66U there is a "Modify" button available just below the "Access Intranet" setting - I just cannot see what options that button offers. The Modify button does not appear on the matching screen for the DSL-N66U.

But it does appear that you can enable up to three guest Network names (there are three buttons) for each frequency within the DSL-N66U. Again I cannot drill down into those Enable buttons to see what options/configurations are available.

You might find it handy to use a utility such as Advanced IP Scanner to keep an overall eye on the IPs within your network. Or Nmap/Zenmap perhaps.
 
OK, so it doesn't describe how it does it, just that the guest network is isolated.

You say... "'The guest network can provide internet connectivity for temporary visitors without accessing your primary network.' Note that the sentence says 'internet' while the setting is 'Intranet'."

Clearly the setting governs whether the guest network will have access to the "Intranet", i.e. the main internal network. It will always provide access to the Internet as stated. No typo, I'm not sure I understand the confusion.

Thanks again for your help.