Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

xb7
Posts: 231
Joined: Sat Jun 09, 2018 6:13 pm
Location: WA State, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by xb7 »

rich126 wrote: Wed Nov 04, 2020 1:38 pm
xb7 wrote: Wed Nov 04, 2020 12:34 pm
xb7 wrote: Wed Nov 04, 2020 12:30 pm Sounds reasonable. When you look for the words "isolate" or "isolation" along with "asus guest network" in a search you turn up various things, certainly to include some discussion of what I'm talking about. For example, in this article, jump down to the bold subheading "Isolation From Each Other": https://www.computerworld.com/article/3 ... works.html

Maybe what I should do is create a separate guest network (ASUS allows up to three) just for IoT stuff, and maybe a couple of them for different IoT stuff (?), and for this/those, and look to see if ASUS offers an "Access Intranet" setting. I'll look into that sometime ...
Okay, so I just looked and indeed --- for each ASUS guest network there's an "Access Intranet" setting, which looks like it defaults to "disable". So I guess I could enable that for a separate IoT guest network so that devices could connect with each other, but not have any access to my primary network. Sounds good. It's a PITA to change the SSID for a variety of IoT devices, so I'll probably give this a try --- at SOME point!

If anyone knows for sure if this is (or is not) a good idea, I'd appreciate a heads up before I go to the hassle.
I can't answer your question but I saw the same thing. The stuff I saw was kind of confusing because it was worded poorly. The problem is if you allow "intranet" access from a guest network that means (I think) the device can access anything it wants on your network. From a security perspective it isn't something I would want to allow considering how terrible security is on most smart home devices.
Hmm, I was assuming the access would be limited to just devices on the same SSID. This stuff is tricky to nail down!

As an example of that, I am contemplating setting up another router as an access point, and read somewhere that "Access Intranet" isn't available on guest networks for an ASUS router set up as a WAP. I haven't verified this, but I guess that would mean that my IoT devices would have to connect strictly to my router and not the WAP --- but giving a more solid signal to some peripheral IoT things is a big part of why I'm contemplating adding the WAP. Such puzzles to solve.
smackboy1
Posts: 1233
Joined: Wed Mar 14, 2007 9:41 pm

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by smackboy1 »

xb7 wrote: Wed Nov 04, 2020 12:34 pm Okay, so I just looked and indeed --- for each ASUS guest network there's an "Access Intranet" setting, which looks like it defaults to "disable". So I guess I could enable that for a separate IoT guest network so that devices could connect with each other, but not have any access to my primary network.
That is wrong.

I am using multiple ASUS routers currently, and have used other brands too. This is how guest networks function (at least for ASUS):

- The router can broadcast multiple separate guest network SSIDs. They have their own login from the main LAN and have their own guest settings.

- If "Access Intranet" is disabled (default), then clients on that guest network cannot see any of the other devices on guest network or the main network. They only get an internet connection.

- If "Access Intranet" is enabled, it kind of defeats the security purpose of guest network. Clients have access to ALL other devices on the guest network and the main network - including the router itself. Not good for security if there is anything of value on that network.

- If the goal is 2 segmented networks: IoT network and Main network, where clients on each network can see other clients on their own network but cannot see clients on the other network, AFAIK that's not something that any consumer grade router can do by itself (unless upgraded with 3rd party firmware). One way to do it is with 2 separate routers. Another is with a managed switch using VLANs.
Disclaimer: nothing written here should be taken as legal advice, but I did stay at a Holiday Inn Express last night.
smackboy1
Posts: 1233
Joined: Wed Mar 14, 2007 9:41 pm

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by smackboy1 »

xb7 wrote: Wed Nov 04, 2020 3:14 pm Hmm, I was assuming the access would be limited to just devices on the same SSID. . . . .
As an example of that, I am contemplating setting up another router as an access point, and read somewhere that "Access Intranet" isn't available on guest networks for an ASUS router set up as a WAP. I haven't verified this, but I guess that would mean that my Iot devices would have to connect strictly to my router and not the WAP --- but giving a more solid signal to some peripheral IoT things is a big part of why I'm contemplating adding the WAP.
SSID is not a separate network, it's just a login. A network could have many different SSIDs with different access controls e.g. limited time access, bandwidth limits, MAC filter etc. But once logged in, unless "Access Intranet" is disabled (or sometimes called "Network Isolation" enabled), clients can see all other clients, including the router.

Some mesh systems can allow the router and the satellite nodes to broadcast wifi guest network with LAN isolation. I know that ASUS AiMesh generally cannot broadcast guest network from the nodes - the sole exception is the ZenWifi AX Mini XD4, which has more advanced AiMesh. Other brands like Netgear or TP-Link might be different. Read the reviews and specs carefully.
xb7
Posts: 231
Joined: Sat Jun 09, 2018 6:13 pm
Location: WA State, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by xb7 »

smackboy1 wrote: Thu Nov 05, 2020 10:40 am
xb7 wrote: Wed Nov 04, 2020 12:34 pm Okay, so I just looked and indeed --- for each ASUS guest network there's an "Access Intranet" setting, which looks like it defaults to "disable". So I guess I could enable that for a separate IoT guest network so that devices could connect with each other, but not have any access to my primary network.
That is wrong.

I am using multiple ASUS routers currently, and have used other brands too. This is how guest networks function (at least for ASUS):

- The router can broadcast multiple separate guest network SSIDs. They have their own login from the main LAN and have their own guest settings.

- If "Access Intranet" is disabled (default), then clients on that guest network cannot see any of the other devices on guest network or the main network. They only get an internet connection.

- If "Access Intranet" is enabled, it kind of defeats the security purpose of guest network. Clients have access to ALL other devices on the guest network and the main network - including the router itself. Not good for security if there is anything of value on that network.

- If the goal is 2 segmented networks: IoT network and Main network, where clients on each network can see other clients on their own network but cannot see clients on the other network, AFAIK that's not something that any consumer grade router can do by itself (unless upgraded with 3rd party firmware). One way to do it is with 2 separate routers. Another is with a managed switch using VLANs.
I read so much conflicting stuff on this. Not challenging you here (!), just wanting to understand --- is this something you've tested yourself, or if not, can you share the basis for this? I very much appreciate the response insofar as if I have confidence in it, you've saved me some needless hassle!

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".

I'm similarly uninspired by the idea of dedicating a second router to IoT devices. As IoT becomes more and more common, it seems like some router company should step up and build in support to make it easy to put both wireless AND wired IoT devices on their own separate SSID so that they can communicate with each other, but not have access to devices on any other SSID on the same router. I'm starting to think that I'm just going to throw in the towel and leave all of my devices on my primary network, as they are now. It's an additional security risk, but it's hard to measure how big of a one it is. The hassle of dealing with it is, in contrast, a cost that's starting to look non-trivial.

I wonder if there would be any advantage at all in putting them on their own "Access Intranet enabled" guest network? I.e., not complete security, but maybe "better than left on primary network"???
rich126
Posts: 2132
Joined: Thu Mar 01, 2018 4:56 pm

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by rich126 »

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".
Strictly a guess. I'd say it doesn't support VLANs out of the box.

I'm only saying that because if you google around, there is custom software (I think it is called Tomato) you can install on the specific device you have to enable that kind of functionality. You can replace the existing software by installing new software into the flash memory. Not sure I'd recommend that but apparently people do it.

Not to mention downloading stuff from the internet may include "freebies" that you don't want in your network if you aren't careful.

Obviously companies should make this easier for the non-tech user.
bonglehead
Posts: 41
Joined: Thu Mar 15, 2012 7:45 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by bonglehead »

We live in a 2 storey 4,000 sq ft house and the WiFi coverage was spotty. I then got Google WiFi which improved things quite a bit, but about 4 months ago I also installed MoCA along with Google WiFi and now I am in WiFi heaven!! It did get a little expensive but it’s totally worth it for me.
If interested check this out:
https://youtu.be/xMWDrocCldc
smackboy1
Posts: 1233
Joined: Wed Mar 14, 2007 9:41 pm

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by smackboy1 »

xb7 wrote: Thu Nov 05, 2020 11:55 am is this something you've tested yourself, or if not, can you share the basis for this? I very much appreciate the response insofar as if I have confidence in it, you've saved me some needless hassle!

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".

I'm similarly uninspired by the idea of dedicating a second router to IoT devices. . . I'm starting to think that I'm just going to throw in the towel and leave all of my devices on my primary network, as they are now. It's an additional security risk, but it's hard to measure how big of a one it is. The hassle of dealing with it is, in contrast, a cost that's starting to look non-trivial.

I wonder if there would be any advantage at all in putting them on their own "Access Intranet enabled" guest network? I.e., not complete security, but maybe "better than left on primary network"???
I have 9 ASUS routers running multiple LANs, including a segmented LAN dedicated to only IoT devices. I've played with Access Intranet settings and it works exactly as I stated. If Access Intranet is enabled, any device on that guest network is assigned an IP address on the main LAN and can see everything on it.

AFAIK no consumer grade ASUS routers running OEM firmware support user configurable VLAN. It's possible 3rd party firmware might. I don't use Merlin.

https://www.asuswrt-merlin.net/

One risk is that an IoT device like a lightbulb or TV with poorly implemented security will be exploited and allow an attacker access to your LAN. Look what happened with Ring. The least complicated solution is probably to use multiple routers. Very little configuration compared to setting up VLANs.

Enabling Access Intranet defeats security. One use is to control access to the LAN e.g. limit children's internet hours or bandwidth.
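A way to test the "Access Intranet" behaviour described in the post above, as an added example that is not code from the thread or from ASUS. Run it from a device joined to the guest SSID, once with the setting disabled and once enabled. The subnet, addresses and ports are constructed placeholders, and the assumption that some firmware isolates guests by filtering rather than by handing out a different subnet is labelled in the code.

```python
import ipaddress
import socket

# Constructed placeholder values: replace with your own network's details.
MAIN_LAN = "192.168.1.0/24"
LAN_TARGETS = [("192.168.1.1", 80),    # router admin page
               ("192.168.1.20", 445)]  # a PC or NAS on the main LAN


def tcp_probe(host, port, timeout=1.5):
    """Classify one TCP connection attempt as 'open', 'refused' or 'no-reply'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A refusal normally comes from the target host itself, so the packet
        # crossed from the guest network to the LAN even though the port is closed.
        return "refused"
    except OSError:
        # Timeout or unreachable: nothing came back, which is what isolation looks like.
        return "no-reply"


def local_ip_toward(gateway):
    """Address this machine uses to reach `gateway`; a UDP connect sends no packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((gateway, 9))
        return s.getsockname()[0]


def audit_guest_isolation(client_ip, main_lan_cidr, lan_targets, probe=tcp_probe):
    """Report whether a guest client can touch hosts on the main LAN.

    `probe` is injectable so the logic can be exercised without a network.
    """
    main_lan = ipaddress.ip_network(main_lan_cidr)
    results = {(host, port): probe(host, port) for host, port in lan_targets}
    # 'open' and 'refused' both prove that traffic reached a main-LAN host.
    reached = sorted(t for t, outcome in results.items()
                     if outcome in ("open", "refused"))
    return {
        # Hint only (assumption): some firmware may give guests a main-LAN
        # address and isolate by filtering, so reachability decides the verdict.
        "has_main_lan_address": ipaddress.ip_address(client_ip) in main_lan,
        "reached": reached,
        "isolated": not reached,
    }


if __name__ == "__main__":
    try:
        me = local_ip_toward(LAN_TARGETS[0][0])
    except OSError:
        raise SystemExit("no network route; join the guest SSID first")
    print(me, audit_guest_isolation(me, MAIN_LAN, LAN_TARGETS))
```

A closed port on a reachable host still counts against isolation, which is why a refusal is not treated the same as silence.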
xb7
Posts: 231
Joined: Sat Jun 09, 2018 6:13 pm
Location: WA State, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by xb7 »

smackboy1 wrote: Thu Nov 05, 2020 2:07 pm
xb7 wrote: Thu Nov 05, 2020 11:55 am is this something you've tested yourself, or if not, can you share the basis for this? I very much appreciate the response insofar as if I have confidence in it, you've saved me some needless hassle!

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".

I'm similarly uninspired by the idea of dedicating a second router to IoT devices. . . I'm starting to think that I'm just going to throw in the towel and leave all of my devices on my primary network, as they are now. It's an additional security risk, but it's hard to measure how big of a one it is. The hassle of dealing with it is, in contrast, a cost that's starting to look non-trivial.

I wonder if there would be any advantage at all in putting them on their own "Access Intranet enabled" guest network? I.e., not complete security, but maybe "better than left on primary network"???
I have 9 ASUS routers running multiple LANs, including a segmented LAN dedicated to only IoT devices. I've played with Access Intranet settings and it works exactly as I stated. If Access Intranet is enabled, any device on that guest network is assigned an IP address on the main LAN and can see everything on it.

AFAIK no consumer grade ASUS routers running OEM firmware support user configurable VLAN. It's possible 3rd party firmware might. I don't use Merlin.

https://www.asuswrt-merlin.net/

One risk is that an IoT device like a lightbulb or TV with poorly implemented security will be exploited and allow an attacker access to your LAN. Look what happened with Ring. The least complicated solution is probably to use multiple routers. Very little configuration compared to setting up VLANs.

Enabling Access Intranet defeats security. One use is to control access to the LAN e.g. limit children's internet hours or bandwidth.
Super, thanks very much for great clarity on that.

In reading up on this, I see comments about the two-router solution not being really secure either --- that a hacker with reasonable ability could trace back from the IoT router to get into the main router. I.e., that a VLAN is the only decent approach. Which I think might require alternate firmware, but even that seems to have conflicting answers.

I'm thinking at this point that if it's this hard, the vast, vast majority of people out there are as exposed as I am, and if I'm good in other areas of security (including at the router itself), maybe I'll continue to accept the risk of this.

Anyway, thanks again.
ballons
Posts: 444
Joined: Sun Aug 18, 2019 3:05 pm

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by ballons »

1. Buy Asus router that supports aimesh to replace N66U.
2. Convert N66U to AP mode and use as AP on other side of main floor.
3. Eventually run cat5 to second floor and buy two aimesh routers (replace N66U AP + new on second floor).
OR
1. Buy three Asus aimesh routers, run cat5 to second floor, and do this all now.

Your final network would be an Asus aimesh router hardwired to two Asus aimesh AP's.
Topic Author
Chip
Posts: 3102
Joined: Wed Feb 21, 2007 4:57 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by Chip »

teCh0010 wrote: Tue Nov 03, 2020 9:29 am
Chip wrote: Tue Nov 03, 2020 6:35 am It seems that with these capabilities I could set up one Deco device by the TV, using the existing Cat 5e for a wired backhaul, then place the other devices as dictated by the signal analyzer. If one of the MoCA-served locations is desirable I could, if necessary, buy a MoCA bridge to create a wired backhaul there. Does this all sound reasonable or am I missing something?
One thing to keep in mind, if you are using a mesh setup in AP mode and your asus as a router to provide the multiple guest networks you like - the guest networks will not be extended by the mesh APs. In AP mode the mesh network will extend only the wired network the mesh base stations are plugged into on the asus.

So you would have one “mesh” ssid that has good coverage around the house provided by mesh, and then your multiple guest network ssids would be provided by the asus with your current coverage.
Sorry for being MIA for a while.

Thanks for this bit of info, which will likely change my decision.

I need some understanding of what exactly is the difference between a guest network and a VLAN. As I mentioned, with the current ASUS router I can set up 3 guest networks (actually 6, 3 at 2.4 GHz and 3 at 5 GHz). How are these technically different from a VLAN? Why do some IoT devices fail to work on a "guest" network?
teCh0010
Posts: 154
Joined: Mon Oct 31, 2011 11:20 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by teCh0010 »

Chip wrote: Wed Nov 11, 2020 10:22 am
teCh0010 wrote: Tue Nov 03, 2020 9:29 am
Chip wrote: Tue Nov 03, 2020 6:35 am It seems that with these capabilities I could set up one Deco device by the TV, using the existing Cat 5e for a wired backhaul, then place the other devices as dictated by the signal analyzer. If one of the MoCA-served locations is desirable I could, if necessary, buy a MoCA bridge to create a wired backhaul there. Does this all sound reasonable or am I missing something?
One thing to keep in mind, if you are using a mesh setup in AP mode and your asus as a router to provide the multiple guest networks you like - the guest networks will not be extended by the mesh APs. In AP mode the mesh network will extend only the wired network the mesh base stations are plugged into on the asus.

So you would have one “mesh” ssid that has good coverage around the house provided by mesh, and then your multiple guest network ssids would be provided by the asus with your current coverage.
Sorry for being MIA for a while.

Thanks for this bit of info, which will likely change my decision.

I need some understanding of what exactly is the difference between a guest network and a VLAN. As I mentioned, with the current ASUS router I can set up 3 guest networks (actually 6, 3 at 2.4 GHz and 3 at 5 GHz). How are these technically different from a VLAN? Why do some IoT devices fail to work on a "guest" network?
It would depend on if the asus can extend a guest network over a VLAN across the wired network. Many APs are built to leverage guest networks as only a wireless function, can’t map to VLANs.

VLANs segment multiple Ethernet networks on the same switch. These VLAN networks can’t talk to each other without a router, so in the case of a guest VLAN it forces traffic to the router where you can then decide if you want to allow access to your internal network or not.
Topic Author
Chip
Posts: 3102
Joined: Wed Feb 21, 2007 4:57 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by Chip »

OP here. I haven't abandoned this thread, have just been chewing thoroughly on my options and working on improving my limited networking knowledge.
smackboy1 wrote: Thu Nov 05, 2020 11:49 am Some mesh systems can allow the router and the satellite nodes to broadcast wifi guest network with LAN isolation. I know that ASUS AiMesh generally cannot broadcast guest network from the nodes - the sole exception is the ZenWifi AX Mini XD4, which has more advanced AiMesh. Other brands like Netgear or TP-Link might be different. Read the reviews and specs carefully.
Thanks. It's clear now that my understanding of a guest network was flawed. I thought that devices on that network could see each other, but not devices on the main LAN. This apparently isn't true for ASUS and maybe most guest networks. No device on the guest network can see anything but the internet. Someone please jump in if this is incorrect. If it is correct, I no longer have the need for multiple guest networks. I was merely using them to isolate devices on those networks from each other.

I would definitely want the Smart TV on the guest network. It's a Samsung and I've been thoroughly unimpressed with their firmware updates. So it appears that buying two ASUS AiMesh routers wouldn't allow this, as the node router near the TV wouldn't be broadcasting the guest network. Correct? I realize the ZenWiFi system would work in this regard, but I'm thinking it might be overkill.

I also need the guest network for, um, guests. The current router doesn't have sufficient coverage for their needs. This is pointing me back in the direction of one of the other simple mesh systems that many have advocated. Let's assume TP-Link Deco M5 for now. It appears that it can use the Cat5e that I have in place as a wired backhaul and that I can place the third AP wherever necessary to optimize coverage (using wireless backhaul). And that the guest network is broadcast by all of the nodes. Correct?
smackboy1 wrote: Wed Nov 04, 2020 10:24 am I would consider Tivo and smart TV to be IoT devices and do not trust their security. Also, some IoT devices will not function properly if on a guest network that is isolated from the LAN e.g. wifi cameras connected to an NVR; controlling devices with a smart home speaker; casting media to speakers/TV, wifi home security system, etc.

I keep all my untrusted devices on a dedicated segmented LAN just for IoT devices. My trusted high value devices, e.g. PC, smart phones, tablets, NAS, are on a separate segmented LAN that the IoT devices cannot see.
This is what I mean by a triple NAT system

https://pcper.com/2016/08/steve-gibsons ... nsecurity/
I agree that the Tivo is an IoT device and that I should be concerned about its security. The only reason it's connected to the main LAN right now is that I'm using it to grab music from my PC and feed it into the audio system that's co-located with the Tivo. I've been wondering if there is a better way to do this. Is this something that could be done securely by moving the music to a USB stick connected to the RT-N66U?

I read the paper on Steve Gibson's IoT solution. I have great respect for Gibson. I used the original SpinRite way back when, and have regularly used Shields Up to check port security. It's just a little too complex for me to attempt right now. Maybe later. :)

Thanks again for the help.
crefwatch
Posts: 724
Joined: Sun Apr 15, 2007 1:07 pm
Location: New Jersey, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by crefwatch »

My outlook on this is slanted by the fact that more than half of our home devices are hard-wired on Ethernet. As a result, besides the ASUS router I cited earlier, we have a TP-Link Switch. When we upgraded to 300 Meg (from many years of Verizon Fios 25 Meg) Internet, I had to buy a new switch with Gigabit ports. Switches are even more of a commodity than routers, and I saw no reason not to get a simple Managed Switch (for $25 more?) that falls back to unmanaged if you just plug it in. I don't need to set up VLANs, but maybe you want a switch that can isolate (VLAN) your second router that is running your IOT devices? That sounds maybe like using a steamroller to do the job of a hammer, but it's a reliable, professional solution.

I guess this would still require a third device, to provide better WiFi for human users at the other end of the house.
Topic Author
Chip
Posts: 3102
Joined: Wed Feb 21, 2007 4:57 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by Chip »

crefwatch wrote: Sun Nov 15, 2020 2:21 pm My outlook on this is slanted by the fact that more than half of our home devices are hard-wired on Ethernet. As a result, besides the ASUS router I cited earlier, we have a TP-Link Switch. When we upgraded to 300 Meg (from many years of Verizon Fios 25 Meg) Internet, I had to buy a new switch with Gigabit ports. Switches are even more of a commodity than routers, and I saw no reason not to get a simple Managed Switch (for $25 more?) that falls back to unmanaged if you just plug it in. I don't need to set up VLANs, but maybe you want a switch that can isolate (VLAN) your second router that is running your IOT devices? That sounds maybe like using a steamroller to do the job of a hammer, but it's a reliable, professional solution.

I guess this would still require a third device, to provide better WiFi for human users at the other end of the house.
Thanks. My limited understanding of network architecture is a hindrance here. Given what you described, is this a reasonable connection plan?

Cable modem->managed switch->mesh router->mesh node ---- mesh node <- creates main lan, one guest lan, whole house wifi coverage
Same managed switch->different router <- creates VLAN for IoT devices, hardwired to the router or within range of this router's wifi

The mesh router connects via the Cat5e to the mesh node next to the Tivo, which for now is hard-wired to the node (remember the Tivo creates the MoCA network and must be hard-wired).

Assuming this is reasonable, could I later isolate the Tivo on the VLAN by switching the Cat5e cable to the VLAN router and adding a hard-wired AP/switch near the Tivo? This would put the mesh system into full wireless backhaul mode. I think. :)
crefwatch
Posts: 724
Joined: Sun Apr 15, 2007 1:07 pm
Location: New Jersey, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by crefwatch »

Please note that I’m only a self-taught networker. I have no credentials. I currently use an ASUS RT-AC68U router (henceforth called “the WAN router”) with Verizon FIOS 200 Meg Internet (No TV.) I have a TP-Link TL-SG1024DE smart switch, which may have more ports than you need. I have always had our router set for dynamic address assignment (DHCP), but a few devices work better (on Windows!) with fixed addresses. So the WAN router gives out .2-.199, and our printers are .203 and .204 fixed, for example.

Let’s suppose for a minute that all your IoT devices can reach the same one WiFi station. I’m proposing that you put a second router, set as an Access Point, to supply WiFi to those untrusted devices. The TP-Link switch can set up 20 VLANs, which can “overlap”. They are created using the physical port numbers on the switch. (So you don’t need to type in all the MAC addresses of the IoT devices, for example.) I’m proposing that you make one VLAN with just your WAN router and the Access Point router. You could make a second VLAN with just your TIVO and your WAN router. (I have not used the smart features of my new switch as yet.)

By the way, referring to IoT devices, by way of an old internet joke, Do you need to turn on your "connected" coffeemaker from your desktop or backyard? If so, isolating the coffeemaker will make it impossible to control it except from within the VLAN it's assigned to.

Here’s a discussion by someone whose SURF router does have VLAN built into it. And it apparently allows you to quickly place an SSID into its own VLAN. This would be very easy, and not require a separate ethernet switch. https://www.routersecurity.org/vlan.php

I will note that back when we only had 25 Meg FIOS, a lousy Verizon router, and a 100Meg-only switch, I found that streaming services worked better when I connected the smart TV directly to a LAN port on the router, rather than going through the switch. I suspect that my newer, Gigabyte switch would be able to handle this, but I haven’t tried. Here’s a simpler discussion of home VLANs with a switch: https://stevessmarthomeguide.com/vlans-home-networks/ This illustrates how you would isolate the Tivo with a switch.

Because I have never set up a “Mesh” system, I originally proposed that you run an ethernet cable to the far side of the house, and put a third router, also set as an Access Point, to serve trusted WiFi devices over there. As I think I wrote, that might cause slight roaming problems because of the second SSID. (I'm emphasizing that Mesh is a specific term, and it's not a generic word for extending WiFi around a big house. Sorry if you already know that.)

I’m committed enough to this thread that I bought a second RT-AC68U router, which I will also use for some research my wife wants me to do at a meeting venue she rents for her orchid organization. That’s why it took me so long to answer your last question. So I HAVE set up an ASUS as a Repeater, and also as an Access Point. It is, unfortunately, true that the ASUS router interface for those two modes has far fewer WiFi options than the same router does when in normal “WAN router” mode. For that reason, I found it was best to use the built-in (top left of login landing page ... ) Network Configuration dialog utility that comes with the ASUS router, when setting up AP Mode or Repeater Mode. And I immediately "saved" the router configuration to a file, just in case.

It’s necessary to download the ASUS Device Discovery utility, because some operating modes allow (for example) the Repeater Mode ASUS to get a DHCP address, and you need that dynamic address to login to the Repeater (as opposed to logging into the WAN router, which is likely to have the address 192.168.1.1.) This utility worked very well for me on Windows 10.

When configuring the ASUS as a Repeater or AP, be very careful when you type in the WiFi password. Because the regular WiFi tab is not available in these other modes, you may overlook that you made a typing error, and mistake a connection failure for a networking failure. When you don’t have the WiFi tab, you can correct passwords in the main status window, in the pane at the right of the screen.
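The port-based VLAN layout proposed in the post above, modelled as an added example (not code from the thread or from TP-Link). Port numbers, VLAN ids and the "trusted PC" port are constructed; the model assumes a port may exchange frames with any port it shares at least one VLAN with, which is how the post's "overlapping" VLANs are read here, so check the switch manual for its actual semantics.

```python
# Constructed port assignment on the managed switch (assumption, not from the thread).
PORTS = {1: "WAN router", 2: "IoT access point", 3: "Tivo", 4: "trusted PC"}

# What the layout is supposed to guarantee, as (from_port, to_port) pairs.
MUST_REACH = [(2, 1), (3, 1), (4, 1)]   # everything still reaches the WAN router
MUST_NOT_REACH = [(2, 3), (2, 4)]       # IoT side cannot touch the Tivo or the PC

# The plan from the post: each device shares a VLAN only with the WAN router port.
PLAN = {10: {1, 2}, 20: {1, 3}, 30: {1, 4}}

# "Just plug it in": one VLAN holding every port, i.e. an unmanaged switch.
FLAT = {1: {1, 2, 3, 4}}

# Failure mode: the new VLANs were added but the catch-all VLAN was left in place.
LEFTOVER_DEFAULT = {1: {1, 2, 3, 4}, 10: {1, 2}, 20: {1, 3}, 30: {1, 4}}


def l2_reachable(vlans, src_port):
    """Ports a frame entering `src_port` may be forwarded to by the switch."""
    out = set()
    for members in vlans.values():
        if src_port in members:
            out |= set(members)     # overlapping VLANs: memberships add up
    out.discard(src_port)
    return out


def audit(vlans, must_reach=MUST_REACH, must_not_reach=MUST_NOT_REACH):
    """Return policy violations as ('blocked' | 'exposed', from_port, to_port)."""
    problems = []
    for a, b in must_reach:
        if b not in l2_reachable(vlans, a):
            problems.append(("blocked", a, b))
    for a, b in must_not_reach:
        if b in l2_reachable(vlans, a):
            problems.append(("exposed", a, b))
    return problems


def describe(problems):
    """Human-readable form of the audit result, using the port labels."""
    return [f"{kind}: {PORTS[a]} -> {PORTS[b]}" for kind, a, b in problems]


if __name__ == "__main__":
    for name, table in [("plan", PLAN), ("flat", FLAT),
                        ("leftover default", LEFTOVER_DEFAULT)]:
        print(name, describe(audit(table)) or "ok")
```

The third table shows why the catch-all VLAN has to be emptied: with it left in place the new VLANs change nothing.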
alexp
Posts: 33
Joined: Wed Jan 01, 2020 1:22 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by alexp »

I had the same Asus router and was considering similar plans due to poor Wi-Fi coverage in some parts of my ~4000 sqft home.

As the first step, I changed my router to “TP-Link AC2600 Smart WiFi Router (Archer A10)” which is just over 100$. After this, I saw great coverage all over the house and in my yard as well. Figured that Asus had a very pathetic Wi-Fi coverage.

Not answering your question but perhaps you can try this before going for more expensive and time consuming solutions.


-Alex
Topic Author
Chip
Posts: 3102
Joined: Wed Feb 21, 2007 4:57 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by Chip »

crefwatch wrote: Sat Nov 21, 2020 11:15 am Please note that I’m only a self-taught networker. I have no credentials. I currently use an ASUS RT-AC68U router (henceforth called “the WAN router”) with Verizon FIOS 200 Meg Internet (No TV.) I have a TP-Link TL-SG1024DE smart switch, which may have more ports than you need. I have always had our router set for dynamic address assignment (DHCP), but a few devices work better (on Windows!) with fixed addresses. So the WAN router gives out .2-.199, and our printers are .203 and .204 fixed, for example.

Let’s suppose for a minute that all your IoT devices can reach the same one WiFi station. I’m proposing that you put a second router, set as an Access Point, to supply WiFi to those untrusted devices. The TP-Link switch can set up 20 VLANs, which can “overlap”. They are created using the physical port numbers on the switch. (So you don’t need to type in all the MAC addresses of the IoT devices, for example.) I’m proposing that you make one VLAN with just your WAN router and the Access Point router. You could make a second VLAN with just your TIVO and your WAN router. (I have not used the smart features of my new switch as yet.)
Thanks much for the detailed post and your continuing efforts to educate me.

Before your post I had just about decided to buy a new router (likely an ASUS AiMesh unit) and set up the RT-N66U as an access point at the other end of the house, connected with the existing Cat 5e cable I mentioned in my OP. This would be near the Tivo, and I would think (but don't know for sure) that I could connect the Tivo to a LAN port on the N66U (remember it has to be hard-wired to serve as the MoCA adapter). I'm assuming that I could set up a guest WLAN for the smart TV that would be propagated by the N66U, so I would get a strong signal at the TV. And that I would also have the main WLAN on the same SSID at both the primary router and the AP, enabling mobile devices to jump to the stronger signal as they move around the house. This is the solution advocated by Bengineer & ballons earlier in the thread. I know that these handoffs won't be nearly as seamless as with a mesh system, but I note that the ASUS software has a setting for "Roaming Assistant", that will cause the AP to disconnect clients with signal strengths below a user-defined threshold.

I realize that this doesn't address the Tivo security issue. For now that Tivo needs access to my primary computer, as that's where the music files reside that it fetches. I suppose at some point I can figure out how to do this differently, isolating the Tivo, but for now I can live with it.
By the way, referring to IoT devices, by way of an old internet joke, Do you need to turn on your "connected" coffeemaker from your desktop or backyard? If so, isolating the coffeemaker will make it impossible to control it except from within the VLAN it's assigned to.
I guess this is where your managed switch proposal comes into play. If I get an IoT device that I will want to access, or that needs access to other IoT devices, the ASUS guest network won't suffice, as it isolates each device on the network.
Here’s a discussion by someone whose SURF router does have VLAN built into it. And it apparently allows you to quickly place an SSID into its own VLAN. This would be very easy, and not require a separate ethernet switch. https://www.routersecurity.org/vlan.php

Here’s a simpler discussion of home VLANs with a switch: https://stevessmarthomeguide.com/vlans-home-networks/
Both of these links were very helpful, especially the second, which appears to diagram a version of your proposal above.
I’m committed enough to this thread that I bought a second RT-AC68U router, which I will also use for some research my wife wants me to do at a meeting venue she rents for her orchid organization. That’s why it took me so long to answer your last question. So I HAVE set up an ASUS as a Repeater, and also as an Access Point. It is, unfortunately, true that the ASUS router interface for those two modes has far fewer WiFi options than the same router does when in normal “WAN router” mode.
Will it allow & broadcast the same guest networks as the main router when set up in AP mode?
It’s necessary to download the ASUS Device Discovery utility, because some operating modes allow (for example) the Repeater Mode ASUS to get a DHCP address, and you need that dynamic address to log in to the Repeater (as opposed to logging into the WAN router, which is likely to have the address 192.168.1.1). This utility worked very well for me on Windows 10.

When configuring the ASUS as a Repeater or AP, be very careful when you type in the WiFi password. Because the regular WiFi tab is not available in these other modes, you may overlook that you made a typing error, and mistake a connection failure for a networking failure. When you don’t have the WiFi tab, you can correct passwords in the main status window, in the pane at the right of the screen.
Thanks for the tips. The password warning is apropos, since I use 32 character passwords. I saw a recommendation somewhere to initially set up the AP with a different SSID (but same PW) to test connection speed and coverage, then rename it to the same as the main router.

Do you have strong feelings about the capabilities of the RT-AC68U vs the RT-AC66U B1?

Thanks again!
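The isolation trade-off discussed in this exchange can be checked on paper before any cabling changes. The sketch below is an added example, not code from any poster or vendor: it models overlapping port-based VLANs as described in the quoted post and reports both leaks and wanted flows that the isolation cuts off. Port numbers, device names and trust labels are assumptions, and it covers only frames crossing the switch, not devices attached directly to the router's own ports or Wi-Fi.

```python
from itertools import combinations

# Constructed layout: port numbers and device names are assumptions, not from the thread.
PORTS = {1: "wan_router", 2: "iot_ap", 3: "tivo", 4: "desktop"}
UNTRUSTED = {"iot_ap", "tivo"}
GATEWAY = "wan_router"

# Overlapping port-based VLANs: every VLAN includes the WAN router port,
# following the layout proposed in the quoted post.
ISOLATED = {"iot": {1, 2}, "tivo": {1, 3}, "trusted": {1, 4}}
# Baseline for comparison: an unmanaged switch behaves like one VLAN with all ports.
FLAT = {"default": {1, 2, 3, 4}}

# Flows the household still wants; the TiVo fetching music from the desktop
# is the case raised in the thread.
REQUIRED = [("desktop", "tivo")]


def can_switch(vlans, a, b):
    """The switch forwards frames between two ports only if they share a VLAN."""
    return any(a in members and b in members for members in vlans.values())


def reachable_pairs(vlans, ports):
    """Every pair of devices that can exchange frames through the switch."""
    return {
        frozenset((ports[a], ports[b]))
        for a, b in combinations(sorted(ports), 2)
        if can_switch(vlans, a, b)
    }


def audit(vlans, ports=PORTS, untrusted=UNTRUSTED, gateway=GATEWAY, required=REQUIRED):
    pairs = reachable_pairs(vlans, ports)
    # A leak is an untrusted device paired with a trusted one other than the gateway.
    leaks = sorted(
        tuple(sorted(p)) for p in pairs
        if len(p & untrusted) == 1 and gateway not in p
    )
    # Untrusted devices still need the gateway for internet access.
    no_uplink = sorted(d for d in untrusted if frozenset((d, gateway)) not in pairs)
    # Wanted flows that the isolation has cut off.
    broken = sorted(flow for flow in required if frozenset(flow) not in pairs)
    return {"leaks": leaks, "no_uplink": no_uplink, "broken": broken}


if __name__ == "__main__":
    for name, layout in (("flat", FLAT), ("isolated", ISOLATED)):
        print(name, audit(layout))
```

An empty `leaks` list with a non-empty `broken` list is the situation described above: the untrusted devices are fenced off, and so is the TiVo's music fetch.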
Topic Author
Chip
Posts: 3102
Joined: Wed Feb 21, 2007 4:57 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by Chip »

alexp wrote: Sun Nov 22, 2020 5:32 am I had the same Asus router and was considering similar plans due to poor Wi-Fi coverage in some parts of my ~4000 sqft home.

As the first step, I changed my router to “TP-Link AC2600 Smart WiFi Router (Archer A10)”, which is just over $100. After this, I saw great coverage all over the house and in my yard as well. Figured that Asus had very pathetic Wi-Fi coverage.
Thanks, Alex. That's a good piece of information.

I'm thinking that I will buy a new router, and will also relocate it to a slightly more favorable position in the same room. That will only require a few internet cables and not much work. It won't be optimal, just better. Then I'll have the RT-N66U available to use as an AP on the other side of the house if I still have signal strength issues.
crefwatch
Posts: 724
Joined: Sun Apr 15, 2007 1:07 pm
Location: New Jersey, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by crefwatch »

Chip wrote: Sun Nov 22, 2020 2:35 pm Will it allow & broadcast the same guest networks as the main router when set up in AP mode?

Do you have strong feelings about the capabilities of the RT-AC68U vs the RT-AC66U B1?
I have zero experience with setting two access points or routers to the same SSID. But apparently it's possible. Here's one conservative post that suggests a $400 management product, and one that says you can do it with no extra hardware. You are said to have to adjust the broadcast channels used by each access point. Note that in a crowded urban situation it might be harder to get fixed WiFi channels to work reliably, rather than auto selection. The WiFi spectrum can be very busy in a densely populated area.

https://www.madebywifi.com/blog/multipl ... e-network/

https://smallbusiness.chron.com/setting ... 68675.html

There are a lot of helpful replies in this discussion:
https://community.spiceworks.com/topic/ ... -same-ssid

I have no experience with the RT-AC66U. But it should be fine as your "second" router. I did find that I did NOT have to have the same firmware on my two identical 68U routers to make the second one work as an AP or as a Repeater. (I only delayed updating my WAN router because my wife does a lot of internet meetings and I did not want to disrupt her online work.)

Note that if you are buying a second router and want to save money, I would consider a reconditioned or renewed router from a reliable source.

To repeat two notes about my purchase decision, I needed a router with removable antennas, because of my WiFi home coverage strategy. That decision meant that I get better coverage (direct observation) by turning OFF the two beam-steering options in my WiFi page on the WAN router. That's also why I didn't search for a newer router with MIMO, because I believe that would have to be turned off too, IF that can be done. I believe this does not apply to your plan.

As a matter of interest, my second RT-AC68U (bought from a different vendor, three months later) has a completely redesigned plastic case, with far superior ventilation. I had already mounted an old CPU heatsink on the hottest spot of the rear of my original WAN router case, which had very little ventilation.
xb7
Posts: 231
Joined: Sat Jun 09, 2018 6:13 pm
Location: WA State, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by xb7 »

crefwatch wrote: Mon Nov 23, 2020 9:43 am
Chip wrote: Sun Nov 22, 2020 2:35 pm Will it allow & broadcast the same guest networks as the main router when set up in AP mode?

Do you have strong feelings about the capabilities of the RT-AC68U vs the RT-AC66U B1?
I have zero experience with setting two access points or routers to the same SSID. But apparently it's possible. Here's one conservative post that suggests a $400 management product, and one that says you can do it with no extra hardware. You are said to have to adjust the broadcast channels used by each access point. Note that in a crowded urban situation it might be harder to get fixed WiFi channels to work reliably, rather than auto selection. The WiFi spectrum can be very busy in a densely populated area.

https://www.madebywifi.com/blog/multipl ... e-network/

https://smallbusiness.chron.com/setting ... 68675.html

There are a lot of helpful replies in this discussion:
https://community.spiceworks.com/topic/ ... -same-ssid

I have no experience with the RT-AC66U. But it should be fine as your "second" router. I did find that I did NOT have to have the same firmware on my two identical 68U routers to make the second one work as an AP or as a Repeater. (I only delayed updating my WAN router because my wife does a lot of internet meetings and I did not want to disrupt her online work.)
I recently bought a newer ASUS router, one that does wi-fi 6 and has a faster processor, etc. than my RT-AC68U. I had originally thought I would connect the 68U via AiMesh, but have read enough reports about problems with AiMesh that I ultimately just set it up as a WAP (wireless access point). Using the same SSID. Doing some testing I've found that this works fine. Devices that are closer to the WAP don't get the benefit of wi-fi 6, but at this point that's not a big issue, and my modest experiments in 'hand-off' (from router to WAP or vice-versa) as I move around the house seemed fine to me.

As I think someone else mentioned, the one somewhat weird thing is trying to examine or modify settings on the WAP --- you have to go through some gyrations with an extra ASUS application on a one-time basis in order to get an IP address needed to get into the settings for the WAP. So a little more complexity to remember on that.

I think that you can choose to set your own broadcast channels or not, at your option. I went round the house looking at conflicts with neighbors on various channels and ultimately did explicitly set my 2.4 GHz channels on both router and WAP (different channels from each other too), but did not do so for 5 GHz, where there appeared to be minimal conflict.
Topic Author
Chip
Posts: 3102
Joined: Wed Feb 21, 2007 4:57 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by Chip »

xb7 wrote: Mon Nov 23, 2020 12:25 pm I recently bought a newer ASUS router, one that does wi-fi 6 and has a faster processor, etc. than my RT-AC68U. I had originally thought I would connect the 68U via AiMesh, but have read enough reports about problems with AiMesh that I ultimately just set it up as a WAP (wireless access point). Using the same SSID. Doing some testing I've found that this works fine. Devices that are closer to the WAP don't get the benefit of wi-fi 6, but at this point that's not a big issue, and my modest experiments in 'hand-off' (from router to WAP or vice-versa) as I move around the house seemed fine to me.

As I think someone else mentioned, the one somewhat weird thing is trying to examine or modify settings on the WAP --- you have to go through some gyrations with an extra ASUS application on a one-time basis in order to get an IP address needed to get into the settings for the WAP. So a little more complexity to remember on that.

I think that you can choose to set your own broadcast channels or not, at your option. I went round the house looking at conflicts with neighbors on various channels and ultimately did explicitly set my 2.4 GHz channels on both router and WAP (different channels from each other too), but did not do so for 5 GHz, where there appeared to be minimal conflict.
Thanks, that's all very helpful.

I haven't seen the reports about AiMesh problems, and I've read quite a few reviews and articles. Are there any in particular you would recommend? Not that it's particularly important right now, as the N66U isn't AiMesh capable.

Noted about the extra application required to configure the WAP. If I remember correctly the ASUS router software also provides a reminder about that extra application.

Yes, I believe broadcast channels can be set manually with the ASUS software, as well as radio power levels. One of the articles linked by crefwatch had some very good and detailed info on how to go about that process. Also, my understanding is that many more non-overlapping channels are available for 5 GHz, so not as difficult to set up as 2.4 GHz.
xb7
Posts: 231
Joined: Sat Jun 09, 2018 6:13 pm
Location: WA State, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by xb7 »

Chip wrote: Tue Nov 24, 2020 6:30 am I haven't seen the reports about AiMesh problems, and I've read quite a few reviews and articles. Are there any in particular you would recommend? Not that it's particularly important right now, as the N66U isn't AiMesh capable.
My recollection is that I read about this a lot when looking at Amazon reviews for various AiMesh-capable ASUS routers.

But doing a hasty web search just now on the text "AiMesh problems", I quickly turned up a number of references.

I'm not saying that AiMesh is inherently a bad thing, just that a lot of people have seemingly concluded that it's not the most stable thing always, and in particular that certain hardware combinations seem to be more stable with it than others. But even having two of the same router isn't a guarantee. My recollection is that Amazon sells a pair of RT-AC68U routers to be paired with AiMesh, but that a lot of the reviews boiled down to "great router by itself, not so great when paired with AiMesh".

At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me. I think the one thing that I'm supposed to lose this way is a more "smooth transition" when being handed off from router to WAP or vice versa, but that doesn't seem to be a big deal. Oh, and with AiMesh you can directly tinker with the node rather than having to separately sign in via a different IP address to update firmware or review/modify settings, but that's not a big deal for something that I infrequently do.
jebmke
Posts: 11654
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by jebmke »

xb7 wrote: Tue Nov 24, 2020 11:42 am At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me. I think the one thing that I'm supposed to lose this way is a more "smooth transition" when being handed off from router to WAP or vice versa, but that doesn't seem to be a big deal.
I've been doing this with a spare router configured as a WAP for several years and don't have any big issues. But, I typically don't wander around the house with a device anyway. Once or twice a day I move with my iPad from one zone to another and it always acquires the stronger signal.
When you discover that you are riding a dead horse, the best strategy is to dismount.
xb7
Posts: 231
Joined: Sat Jun 09, 2018 6:13 pm
Location: WA State, USA

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by xb7 »

jebmke wrote: Tue Nov 24, 2020 11:51 am I've been doing this with a spare router configured as a WAP for several years and don't have any big issues. But, I typically don't wander around the house with a device anyway. Once or twice a day I move with my iPad from one zone to another and it always acquires the stronger signal.
That's a good point. Most of my wi-fi connections are from IoT devices, each installed in a specific location --- not moving. And when I'm actually looking at a phone or tablet in the house, I'm stationary. If I walk around the house with the device and start looking at it again, I'll likely be stationary again. And our laptops have ethernet connections (we rarely move 'em).

There are exceptions to this, but nothing that I've run into issues with. I guess the scenario of concern might be walking around the house listening to a (not downloaded) podcast, audiobook, music or similar and going from one device to the other. I seldom do this, don't know if there would be an audio-stutter or other issue as a result.

The other issue would be if, say, my tablet were connected to my router and I walked with it to a point where the WAP had the stronger signal but it held on to the weaker signal and had a slower and/or less reliable connection as a result. One can (and I did) explicitly set a threshold in terms of -dBm signal strength for when the signal is handed off --- or rather, really, when the given device drops the connection, so that the other one can take over. A little research and maybe modest testing should get that to where it's reasonable.
Topic Author
Chip
Posts: 3102
Joined: Wed Feb 21, 2007 4:57 am

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by Chip »

xb7 wrote: Tue Nov 24, 2020 11:42 am But doing a hasty web search just now on the text "AiMesh problems", I quickly turned up a number of references.
Thanks. I guess I hadn't looked as much as I had imagined. One particularly thorough and scathing review is here:

https://www.smallnetbuilder.com/wireles ... ed?start=0

My summary of the review: AiMesh doesn't mesh. The review is two years old, so I suppose things could be better now but it doesn't appear that AiMesh is worth any sort of premium.
At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me.
That's where I'm headed. I just need to pick the new router.
toast0
Posts: 154
Joined: Fri Dec 12, 2014 1:41 am
Location: Puget Sound

Re: Improving Wi-Fi coverage: Use existing Cat5e and MoCA?

Post by toast0 »

Chip wrote: Thu Nov 26, 2020 5:30 am
xb7 wrote: Tue Nov 24, 2020 11:42 am But doing a hasty web search just now on the text "AiMesh problems", I quickly turned up a number of references.
Thanks. I guess I hadn't looked as much as I had imagined. One particularly thorough and scathing review is here:

https://www.smallnetbuilder.com/wireles ... ed?start=0

My summary of the review: AiMesh doesn't mesh. The review is two years old, so I suppose things could be better now but it doesn't appear that AiMesh is worth any sort of premium.
At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me.
That's where I'm headed. I just need to pick the new router.
AiMesh did recently get an update that lets you use only wired networking for backhaul. You still can't have the access points on different wireless channels though; although if you have 'tri-band' access points with two 5 GHz radios, wired backhaul only mode enables using the second radio for client traffic. I don't know if it works better than having the devices in access point mode and on the same SSID but different channels, though. It's sort of nice poking at a single web page instead of three for my system. Although, actually it seems like my routers don't care for it, they've gone missing in action after I tweaked some settings. Back to AP mode I go, I guess.