Improving Wi-Fi coverage: Use existing Cat5e and MoCA? [Solved]

[xb7]

Sounds reasonable. When you look for the words "isolate" or "isolation" along with "asus guest network" in a search you turn up various things, certainly to include some discussion of what I'm talking about. For example, in this article, jump down to the bold subheading "Isolation From Each Other": https://www.computerworld.com/article/3 ... works.html

Maybe what I should do is create a separate guest network (ASUS allows up to three) just for IoT stuff, and maybe a couple of them for different IoT stuff (?), and for this/those, and look to see if ASUS offers an "Access Intranet" setting. I'll look into that sometime ...

Okay, so I just looked and indeed --- for each ASUS guest network there's an "Access Intranet" setting, which looks like it defaults to "disable". So I guess I could enable that for a separate IoT guest network so that devices could connect with each other, but not have any access to my primary network. Sounds good. It's a PITA to change the SSID for a variety of IoT devices, so I'll probably give this a try --- a SOME point !

If anyone knows for sure if this is (or is not) a good idea, I'd appreciate a heads up before I go to the hassle.

I can't answer your question but I saw the same thing. The stuff I saw was kind of confusing because it was worded poorly. The problem is if you allow "intranet" access from a guest network that means (I think) the device can access anything it wants on your network. From a security perspective it isn't something I would want to allow considering how terrible security is on most smart home devices.

Hmm, I was assuming the access would be limited to just devices on the same SSID. This stuff is tricky to nail down!

As an example of that, I am contemplating setting up another router as an access point, and read somewhere that "Access Intranet" isn't available on guest networks for an ASUS router set up as a WAP. I haven't verified this, but I guess that would mean that my Iot devices would have to connect strictly to my router and not the WAP --- but giving a more solid signal to some peripheral IoT things is a big part of why I'm contemplating adding the WAP. Such puzzles to solve.

[smackboy1]

Okay, so I just looked and indeed --- for each ASUS guest network there's an "Access Intranet" setting, which looks like it defaults to "disable". So I guess I could enable that for a separate IoT guest network so that devices could connect with each other, but not have any access to my primary network.

That is wrong.

I am using multiple ASUS routers currently, and have used other brands too. This is how guest network function (at least for ASUS):

- The router can broadcast multiple separate guest network SSIDs. They have their own login from the main LAN and have their own guest settings.

- If "Access Intranet" is disabled (default). Then clients on that guest network cannot see any of the other devices on guest network or the main network. They only get an internet connection.

- If "Access Intranet" is enabled, it kind of defeats the security purpose of guest network. Clients have access to ALL other devices on the guest network and the main network - including the router itself. Not good for security if there is anything of value on that network.

- If the goal is 2 segmented networks: IoT network and Main network, where clients on each network can see other clients on their own network but cannot see clients on the other network, AFAIK that's not something that any consumer grade router can do by itself (unless upgrade with 3rd party firmware). One way to do it is with 2 separate routers. Another is with a managed switch using VLANs.

[smackboy1]

Hmm, I was assuming the access would be limited to just devices on the same SSID. . . . .
As an example of that, I am contemplating setting up another router as an access point, and read somewhere that "Access Intranet" isn't available on guest networks for an ASUS router set up as a WAP. I haven't verified this, but I guess that would mean that my Iot devices would have to connect strictly to my router and not the WAP --- but giving a more solid signal to some peripheral IoT things is a big part of why I'm contemplating adding the WAP.

SSID is not a separate network, it's just a login. A network could have many different SSIDs with different access controls e.g. limited time access, bandwidth limits, MAC filter etc.. But once logged in, unless "Access Intranet" is disabled (or sometimes called "Network Isolation" enabled), clients can see all other clients, including the router.

Some mesh systems can allow the router and the satellite nodes to broadcast wifi guest network with LAN isolation. I know that ASUS AiMesh generally cannot broadcast guest network from the nodes - the sole exception is the ZenWifi AX Mini XD4, which has more advanced AiMesh. Other brands like Netgear or TP-Link might be different. Read the reviews and specs carefully.

[xb7]

Okay, so I just looked and indeed --- for each ASUS guest network there's an "Access Intranet" setting, which looks like it defaults to "disable". So I guess I could enable that for a separate IoT guest network so that devices could connect with each other, but not have any access to my primary network.

That is wrong.

I am using multiple ASUS routers currently, and have used other brands too. This is how guest network function (at least for ASUS):

- The router can broadcast multiple separate guest network SSIDs. They have their own login from the main LAN and have their own guest settings.

- If "Access Intranet" is disabled (default). Then clients on that guest network cannot see any of the other devices on guest network or the main network. They only get an internet connection.

- If "Access Intranet" is enabled, it kind of defeats the security purpose of guest network. Clients have access to ALL other devices on the guest network and the main network - including the router itself. Not good for security if there is anything of value on that network.

- If the goal is 2 segmented networks: IoT network and Main network, where clients on each network can see other clients on their own network but cannot see clients on the other network, AFAIK that's not something that any consumer grade router can do by itself (unless upgrade with 3rd party firmware). One way to do it is with 2 separate routers. Another is with a managed switch using VLANs.

I read so much conflicting stuff on this. Not challenging you here (!), just wanting to understand --- is this something you've tested yourself, or if not, can you share the basis for this? I very much appreciate the response insofar as if I have confidence in it, you've saved me some needless hassle!

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".

I'm similarly uninspired by the idea of dedicating a second router to IoT devices. As IoT becomes more and more common, it seems like some router company should step up and build in support to make it easy to put both wireless AND wired IoT devices on their own separate SSID so that they can communicate with each other, but not have access to devices on any other SSID on the same router. I'm starting to think that I'm just going to throw in the towel and leave all of my devices on my primary network, as they are now. It's an additional security risk, but it's hard to measure how big of a one it is. The hassle of dealing with it is, in contrast, a cost that's starting to look non-trivial.

I wonder if there would be any advantage at all in putting them on their own "Access Intranet enabled" guest network? I.e., not complete security, but maybe "better than left on primary network? ??

[rich126]

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".

Strictly a guess. I'd say it doesn't support VLANs out of the box.

I'm only saying that because if you google around, there is custom software (I think it is called Tomato) you can install on the specific device you have to enable that kind of functionality. You can replace the existing software by installing new software into the flash memory. Not sure I'd recommend that but apparently people do it.

Not to mention downloading stuff from the internet may include "freebies" that you don't want in your network if you aren't careful.

Obviously companies should make this easier for the non-tech user.

[bonglehead]

We live in a 2 storey 4,000 sq ft house and the WiFi coverage was spotty. I then got Google WiFi which improved things quite bit but about 4 months ago I also installed MoCA along with Google WiFi and now I am in WiFi heaven!! It did get little expensive but it’s totally worth it for me.
If interested check this out:
https://youtu.be/xMWDrocCldc

[smackboy1]

is this something you've tested yourself, or if not, can you share the basis for this? I very much appreciate the response insofar as if I have confidence in it, you've saved me some needless hassle!

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".

I'm similarly uninspired by the idea of dedicating a second router to IoT devices. . . I'm starting to think that I'm just going to throw in the towel and leave all of my devices on my primary network, as they are now. It's an additional security risk, but it's hard to measure how big of a one it is. The hassle of dealing with it is, in contrast, a cost that's starting to look non-trivial.

I wonder if there would be any advantage at all in putting them on their own "Access Intranet enabled" guest network? I.e., not complete security, but maybe "better than left on primary network? ??

I have 9 ASUS routers running multiple LANs, including a segmented LAN dedicated to only IoT devices. I've played with Access Intranet settings and it works exactly as I stated. If Access Intranet is enabled, any device on that guest network is assigned an IP address on the main LAN and can see everything on it.

AFAIK no consumer grade ASUS routers running OEM firmware support user configurable VLAN. It's possible 3rd party firmware might. I don't use Merlin.

https://www.asuswrt-merlin.net/

One risk is that an IoT device like a lightbulb or TV with poorly implemented security will be exploited and allow an attacker access to your LAN. Look what happened with Ring. The least complicated solution is probably to use multiple routers. Very little configuration compared to setting up VLANs.

Enabling Access Intranet defeats security. One use is to control access to the LAN e.g. limit children's internet hours or bandwidth.

[xb7]

is this something you've tested yourself, or if not, can you share the basis for this? I very much appreciate the response insofar as if I have confidence in it, you've saved me some needless hassle!

Looking around briefly, I see conflicting comments on whether ASUS routers even support VLANs. I know I've seen stuff relating to Vlan in the ASUS UI, but paid no attention. Perhaps it's a matter of "you can sort of do it with expertise and some script writing and a bit of luck".

I'm similarly uninspired by the idea of dedicating a second router to IoT devices. . . I'm starting to think that I'm just going to throw in the towel and leave all of my devices on my primary network, as they are now. It's an additional security risk, but it's hard to measure how big of a one it is. The hassle of dealing with it is, in contrast, a cost that's starting to look non-trivial.

I wonder if there would be any advantage at all in putting them on their own "Access Intranet enabled" guest network? I.e., not complete security, but maybe "better than left on primary network? ??

I have 9 ASUS routers running multiple LANs, including a segmented LAN dedicated to only IoT devices. I've played with Access Intranet settings and it works exactly as I stated. If Access Intranet is enabled, any device on that guest network is assigned an IP address on the main LAN and can see everything on it.

AFAIK no consumer grade ASUS routers running OEM firmware support user configurable VLAN. It's possible 3rd party firmware might. I don't use Merlin.

https://www.asuswrt-merlin.net/

One risk is that an IoT device like a lightbulb or TV with poorly implemented security will be exploited and allow an attacker access to your LAN. Look what happened with Ring. The least complicated solution is probably to use multiple routers. Very little configuration compared to setting up VLANs.

Enabling Access Intranet defeats security. One use is to control access to the LAN e.g. limit children's internet hours or bandwidth.

Super, thanks very much for great clarity on that.

In reading up on this, I see comments about the two-router solution not being really secure either --- that hacker with reasonable ability could trace back from the IoT router to get into the main router. I.e., that a VLAN is the only decent approach. Which I think might require alternate firmware, but even that seems to have conflicting answers.

I'm thinking at this point that if it's this hard, the vast, vast majority of people out there are as exposed as I am, and if I'm good in other areas of security (including at the router itself), maybe I'll continue to accept the risk of this.

Anyway, thanks again.

[ballons]

1. Buy Asus router that supports aimesh to replace N66U.
2. Convert N66U to AP mode and use as AP on other side of main floor.
3. Eventually run cat5 to second floor and buy two aimesh routers (replace N66U AP + new on second floor).
OR
1. Buy three Asus aimesh routers, run cat5 to second floor, and do this all now.

Your final network would be an Asus aimesh router hardwired to two Asus aimesh AP's.

[Chip]

It seems that with these capabilities I could set up one Deco device by the TV, using the existing Cat 5e for a wired backhaul, then place the other devices as dictated by the signal analyzer. If one of the MoCA-served locations is desirable I could, if necessary, buy a MoCA bridge to create a wired backhaul there. Does this all sound reasonable or am I missing something?

One thing to feel in mind, if you are using a mesh setup in AP mode and you asus as a router to provide the multiple guest networks you like - the guest networks will not be extended by the mesh APs. In AP mode the mesh network will extend only the wired network the mesh base station are plugged into on the asus.

So you would have one “mesh” ssid that has good coverage around the house provided by mesh, and then you multiple guest network ssids would be provided by the asus with your current coverage.

Sorry for being MIA for a while.

Thanks for this bit of info, which will likely change my decision.

I need some understanding of what exactly is the difference between a guest network and a VLAN. As I mentioned, with the current ASUS router I can set up 3 guest networks (actually 6, 3 at 2.4 GHz and 3 at 5 GHz). How are these technically different from a VLAN? Why do some IoT devices fail to work on a "guest" network?

[teCh0010]

It seems that with these capabilities I could set up one Deco device by the TV, using the existing Cat 5e for a wired backhaul, then place the other devices as dictated by the signal analyzer. If one of the MoCA-served locations is desirable I could, if necessary, buy a MoCA bridge to create a wired backhaul there. Does this all sound reasonable or am I missing something?

One thing to feel in mind, if you are using a mesh setup in AP mode and you asus as a router to provide the multiple guest networks you like - the guest networks will not be extended by the mesh APs. In AP mode the mesh network will extend only the wired network the mesh base station are plugged into on the asus.

So you would have one “mesh” ssid that has good coverage around the house provided by mesh, and then you multiple guest network ssids would be provided by the asus with your current coverage.

Sorry for being MIA for a while.

Thanks for this bit of info, which will likely change my decision.

I need some understanding of what exactly is the difference between a guest network and a VLAN. As I mentioned, with the current ASUS router I can set up 3 guest networks (actually 6, 3 at 2.4 GHz and 3 at 5 GHz). How are these technically different from a VLAN? Why do some IoT devices fail to work on a "guest" network?

It would depend on if the asus can extend a guest network over a VLAN across the wired network. Many APs are built to leverage guest networks as only a wireless function, can’t map to VLANs.

VLANs segment multiple Ethernet networks on the same switch. These VLAN networks can’t talk to each other without a router, so in the case of a guest VLAN it forces traffic to the router where you can then decide if you want to allow access to your internal network or not.

[Chip]

OP here. I haven't abandoned this thread, have just been chewing thoroughly on my options and working on improving my limited networking knowledge.

Some mesh systems can allow the router and the satellite nodes to broadcast wifi guest network with LAN isolation. I know that ASUS AiMesh generally cannot broadcast guest network from the nodes - the sole exception is the ZenWifi AX Mini XD4, which has more advanced AiMesh. Other brands like Netgear or TP-Link might be different. Read the reviews and specs carefully.

Thanks. It's clear now that my understanding of a guest network was flawed. I thought that devices on that network could see each other, but not devices on the main LAN. This apparently isn't true for ASUS and maybe most guest networks. No device on the guest network can see anything but the internet. Someone please jump in if this is incorrect. If it is correct, I no longer have the need for multiple guest networks. I was merely using them to isolate devices on those networks from each other.

I would definitely want the Smart TV on the guest network. It's a Samsung and I've been thoroughly unimpressed with their firmware updates. So it appears that buying two ASUS AiMesh routers wouldn't allow this, as the node router near the TV wouldn't be broadcasting the guest network. Correct? I realize the ZenWiFi system would work in this regard, but I'm thinking it might be overkill.

I also need the guest network for, um, guests. The current router doesn't have sufficient coverage for their needs. This is pointing me back in the direction of one of the other simple mesh systems that many have advocated. Let's assume TP-Link Deco M5 for now. It appears that it can use the Cat5e that I have in place as a wired backhaul and that I can place the third AP wherever necessary to optimize coverage (using wireless backhaul). And that the guest network is broadcast by all of the nodes. Correct?

I would consider Tivo and smart TV to be IoT devices and do not trust their security. Also, some IoT devices will not function properly if on a guest network that is isolated from the LAN e.g. wifi cameras connected to an NVR; controlling devices with a smart home speaker; casting media to speakers/TV, wifi home security system, etc..

I keep all my untrusted devices on a dedicated segmented LAN just for IoT devices. My trusted high value devices, e.g. PC, smart phones, tablets, NAS, are on a separate segmented LAN that the IoT devices cannot see.
This is what I mean by a triple NAT system

https://pcper.com/2016/08/steve-gibsons ... nsecurity/

I agree that the Tivo is an IoT device and that I should be concerned about its security. The only reason it's connected to the main LAN right now is that I'm using it to grab music from my PC and feed it into the audio system that's co-located with the Tivo. I've been wondering if there is a better way to do this. Is this something that could be done securely by moving the music to a USB stick connected to the RT-N66U?

I read the paper on Steve Gibson's IoT solution. I have great respect for Gibson. I used the original SpinRite way back when, and have regularly used Shields Up to check port security. It's just a little too complex for me to attempt right now. Maybe later.

Thanks again for the help.

[crefwatch]

My outlook on this is slanted by the fact that more than half of our home devices are hard-wired on Ethernet. As a result, besides the ASUS router I cited earlier, we have a TP-Link Switch. When we upgraded to 300 Meg (from many years of Verizon Fios 25 Meg) Internet, I had to buy a new switch with Gigabit ports. Switches are even more of a commodity than routers, and I saw no reason not to get a simple Managed Switch (for $25 more?) that falls back to unmanaged if you just plug it in. I don't need to set up VLANs, but maybe you want a switch that can isolate (VLAN) your second router that is running your IOT devices? That sounds maybe like using a steamroller to do the job of a hammer, but it's a reliable, professional solution.

I guess this would still require a third device, to provide better WiFi for human users at the other end of the house.

[Chip]

My outlook on this is slanted by the fact that more than half of our home devices are hard-wired on Ethernet. As a result, besides the ASUS router I cited earlier, we have a TP-Link Switch. When we upgraded to 300 Meg (from many years of Verizon Fios 25 Meg) Internet, I had to buy a new switch with Gigabit ports. Switches are even more of a commodity than routers, and I saw no reason not to get a simple Managed Switch (for $25 more?) that falls back to unmanaged if you just plug it in. I don't need to set up VLANs, but maybe you want a switch that can isolate (VLAN) your second router that is running your IOT devices? That sounds maybe like using a steamroller to do the job of a hammer, but it's a reliable, professional solution.

I guess this would still require a third device, to provide better WiFi for human users at the other end of the house.

Thanks. My limited understanding of network architecture is a hindrance here. Given what you described, is this a reasonable connection plan?

Cable modem->managed switch->mesh router->mesh node ---- mesh node <- creates main lan, one guest lan, whole house wifi coverage
Same managed switch->different router <- creates VLAN for IoT devices, hardwired to the router or within range of this router's wifi

The mesh router connects via the Cat5e to the mesh node next to the Tivo, which for now is hard-wired to the node (remember the Tivo creates the MoCA network and must be hard-wired).

Assuming this is reasonable, could I later isolate the Tivo on the VLAN by switching the Cat5e cable to the VLAN router and adding a hard-wired AP/switch near the Tivo? This would put the mesh system into full wireless backhaul mode. I think.

[crefwatch]

Please note that I’m only a self-taught networker. I have no credentials. I currently use an ASUS RT-AC68U router (henceforth called “the WAN router”) with Verizon FIOS 200 Meg Internet ( No TV.) I have TP-Link TL-SG1024DE smart switch, which may have more ports than you need. I have always had our router set for dynamic address assignment (DHCP), but a few devices work better (on Windows!) with fixed addresses. So the WAN router gives out .2-.199, and our printers are .203 and .204 fixed, for example.

Let’s suppose for a minute that all your IoT devices can reach the same one WiFi station. I’m proposing that you put a second router, set as an Access Point, to supply WiFi to those untrusted devices. The TP-Link switch can set up 20 VLANs, which can “overlap”. They are created using the physical port numbers on the switch. (So you don’t need to type in all the MAC addresses of the IoT devices, for example.) I’m proposing that you make one VLAN with just your WAN router and the Access Point router. You could make a second VLAN with just your TIVO and your WAN router. (I have not used the smart features of my new switch as yet.)

By the way, referring to IoT devices, by way of an old internet joke, Do you need to turn on your "connected" coffeemaker from your desktop or backyard? If so, isolating the coffeemaker will make it impossible to control it except from within the VLAN it's assigned to.

Here’s a discussion by someone whose SURF router does have VLAN built into it. And it apparently allows you to quickly place an SSID into its own VLAN. This would be very easy, and not require a separate ethernet switch. https://www.routersecurity.org/vlan.php

I will note that back when we only had 25 Meg FIOS, a lousy Verizon router, and a 100Meg-only switch, I found that streaming services worked better when I connected the smart TV directly to a LAN port on the router, rather than going through the switch. I suspect that my newer, Gigabyte switch would be able to handle this, but I haven’t tried. Here’s a simpler discussion of home VLANs with a switch: https://stevessmarthomeguide.com/vlans-home-networks/ This illustrates how your would isolate the Tivo with a switch.

Because I have never set up a “Mesh” system, I originally proposed that you run an ethernet cable to the far side of the house, and put a third router, also set as an Access Point, to serve trusted WiFi devices over there. As I think I wrote, that might cause slight roaming problems because of the second SSID. (I'm emphasizing that Mesh is a specific term, and it's not a generic word for extending WiFi around a big house. Sorry if you already know that.)

I’m committed enough to this thread that I bought a second RT-AC68U router, which I will also use for some research my wife wants me to do at a meeting venue she rents for her orchid organization. That’s why it took me so long to answer your last question. So I HAVE set up an ASUS as a Repeater, and also as an Access Point. It is, unfortunately, true that the ASUS router interface for those two modes has far fewer WiFi options than the same router does when in normal “WAN router” mode. For that reason, I found it was best to use the built-in (top left of login landing page ... ) Network Configuration dialog utility that comes with the ASUS router, when setting up AP Mode or Repeater Mode. And I immediately "saved" the router configuration to a file, just in case.

It’s necessary to download the ASUS Device Discovery utility, because some operating modes allow (for example) the Repeater Mode ASUS to get a DHCP address, and you need that dynamic address to login to the Repeater (as opposed to logging into the WAN router, which is likely to have the address 192.168.1.1.) This utility worked very well for me on Windows 10.

When configuring the ASUS as a Repeater or AP, be very careful when you type in the WiFi password. Because the regular WiFi tab is not available in these other modes, you may overlook that you made a typing error, and mistake a connection failure for a networking failure. When you don’t have the WiFi tab, you can correct passwords in the main status window, in the pane at the right of the screen.

[alexp]

I had the same Asus router and was considering similar plans due to poor Wi-Fi coverage in some parts of my ~4000 sqft home.

As the first step, I changed my router to “ TP-Link AC2600 Smart WiFi Router (Archer A10)“ which is just over 100$. After this, I saw great coverage all over the house and in my yard as well. Figured that Asus had a very pathetic Wi-Fi coverage.

Not answering your question but perhaps you can try this before going for more expensive and time consuming solutions.


-Alex

[Chip]

Please note that I’m only a self-taught networker. I have no credentials. I currently use an ASUS RT-AC68U router (henceforth called “the WAN router”) with Verizon FIOS 200 Meg Internet ( No TV.) I have TP-Link TL-SG1024DE smart switch, which may have more ports than you need. I have always had our router set for dynamic address assignment (DHCP), but a few devices work better (on Windows!) with fixed addresses. So the WAN router gives out .2-.199, and our printers are .203 and .204 fixed, for example.

Let’s suppose for a minute that all your IoT devices can reach the same one WiFi station. I’m proposing that you put a second router, set as an Access Point, to supply WiFi to those untrusted devices. The TP-Link switch can set up 20 VLANs, which can “overlap”. They are created using the physical port numbers on the switch. (So you don’t need to type in all the MAC addresses of the IoT devices, for example.) I’m proposing that you make one VLAN with just your WAN router and the Access Point router. You could make a second VLAN with just your TIVO and your WAN router. (I have not used the smart features of my new switch as yet.)

Thanks much for the detailed post and your continuing efforts to educate me.

Before your post I had just about decided to buy a new router (likely an ASUS AiMesh unit) and set up the RT-N66U as an access point at the other end of the house, connected with the existing Cat 5e cable I mentioned in my OP. This would be near the Tivo, and I would think (but don't know for sure) that I could connect the Tivo to a LAN port on the N66U (remember it has to be hard-wired to serve as the MoCA adapter). I'm assuming that I could set up a guest WLAN for the smart TV that would be propagated by the N66U, so I would get a strong signal at the TV. And that I would also have the main WLAN on the same SSID at both the primary router and the AP, enabling mobile devices to jump to the stronger signal as they move around the house. This is the solution advocated by Bengineer & ballons earlier in the thread. I know that these handoffs won't be nearly as seamless as with a mesh system, but I note that the ASUS software has a setting for "Roaming Assistant", that will cause the AP to disconnect clients with signal strengths below a user-defined threshold.

I realize that this doesn't address the Tivo security issue. For now that Tivo needs access to my primary computer, as that's where the music files reside that it fetches. I suppose at some point I can figure out how to do this differently, isolating the Tivo, but for now I can live with it.

By the way, referring to IoT devices, by way of an old internet joke, Do you need to turn on your "connected" coffeemaker from your desktop or backyard? If so, isolating the coffeemaker will make it impossible to control it except from within the VLAN it's assigned to.

I guess this is where your managed switch proposal comes into play. If I get an IoT device that I will want to access, or that needs access to other IoT devices, the ASUS guest network won't suffice, as it isolates each device on the network.

Here’s a discussion by someone whose SURF router does have VLAN built into it. And it apparently allows you to quickly place an SSID into its own VLAN. This would be very easy, and not require a separate ethernet switch. https://www.routersecurity.org/vlan.php

Here’s a simpler discussion of home VLANs with a switch: https://stevessmarthomeguide.com/vlans-home-networks/

Both of these links were very helpful, especially the second, which appears to diagram a version of your proposal above.

I’m committed enough to this thread that I bought a second RT-AC68U router, which I will also use for some research my wife wants me to do at a meeting venue she rents for her orchid organization. That’s why it took me so long to answer your last question. So I HAVE set up an ASUS as a Repeater, and also as an Access Point. It is, unfortunately, true that the ASUS router interface for those two modes has far fewer WiFi options than the same router does when in normal “WAN router” mode.

Will it allow & broadcast the same guest networks as the main router when set up in AP mode?

It’s necessary to download the ASUS Device Discovery utility, because some operating modes allow (for example) the Repeater Mode ASUS to get a DHCP address, and you need that dynamic address to login to the Repeater (as opposed to logging into the WAN router, which is likely to have the address 192.168.1.1.) This utility worked very well for me on Windows 10.

When configuring the ASUS as a Repeater or AP, be very careful when you type in the WiFi password. Because the regular WiFi tab is not available in these other modes, you may overlook that you made a typing error, and mistake a connection failure for a networking failure. When you don’t have the WiFi tab, you can correct passwords in the main status window, in the pane at the right of the screen.

Thanks for the tips. The password warning is apropos, since I use 32 character passwords. I saw a recommendation somewhere to initially set up the AP with a different SSID (but same PW) to test connection speed and coverage, then rename it to the same as the main router.

Do you have strong feelings about the capabilities of the RT-AC68U vs the RT-AC66U B1?

Thanks again!

[Chip]

I had the same Asus router and was considering similar plans due to poor Wi-Fi coverage in some parts of my ~4000 sqft home.

As the first step, I changed my router to “ TP-Link AC2600 Smart WiFi Router (Archer A10)“ which is just over 100$. After this, I saw great coverage all over the house and in my yard as well. Figured that Asus had a very pathetic Wi-Fi coverage.

Thanks, Alex. That's a good piece of information.

I'm thinking that I will buy a new router, and will also relocate it to a slightly more favorable position in the same room. That will only require a few internet cables and not much work. It won't be optimal, just better. Then I'll have the RT-N66U available to use an AP on the other side of the house if I still have signal strength issues.

[crefwatch]

Will it allow & broadcast the same guest networks as the main router when set up in AP mode?

Do you have strong feelings about the capabilities of the RT-AC68U vs the RT-AC66U B1?

I have zero experience with setting two access points or routers to the same SSID. But apparently it's possible. Here's one, conservative post that suggests a $400 management product, and one that says you can do it with no extra hardware. You are said to have to adjust the broadcast channels used by each access point. Note that in a crowded urban situation it might be harder to get fixed WiFi channels to work reliably, rather than auto selection. The WiFi spectrum can be very busy in a densely populated area.

https://www.madebywifi.com/blog/multipl ... e-network/

https://smallbusiness.chron.com/setting ... 68675.html

There are a lot of helpful replies in this discussion:
https://community.spiceworks.com/topic/ ... -same-ssid

I have no experience with the RT-AC66U. But it should be fine as your "second" router. I did find that I did NOT have to have the same firmware on my two identical 68U routers to make the second one work as an AP or as a Repeater. (I only delayed updating my WAN router because my wife does a lot of internet meetings and I did not want to disrupt her online work.)

Note that if you a buying a second router and want to save money, I would consider a reconditioned or renewed router from a reliable source.

To repeat two notes about my purchase decision, I needed a router with removable antennas, because of my WiFi home coverage strategy. That decision meant that I get better coverage (direct observation) by turning OFF the two beam-steering options in my WiFi page on the WAN router. That's also why I didn't search for a newer router with MIMO, because I believe that would have to be turned off too, IF that can be done. I believe this does not apply to your plan.

[xb7]

Will it allow & broadcast the same guest networks as the main router when set up in AP mode?

Do you have strong feelings about the capabilities of the RT-AC68U vs the RT-AC66U B1?

I have zero experience with setting two access points or routers to the same SSID. But apparently it's possible. Here's one, conservative post that suggests a $400 management product, and one that says you can do it with no extra hardware. You are said to have to adjust the broadcast channels used by each access point. Note that in a crowded urban situation it might be harder to get fixed WiFi channels to work reliably, rather than auto selection. The WiFi spectrum can be very busy in a densely populated area.

https://www.madebywifi.com/blog/multipl ... e-network/

https://smallbusiness.chron.com/setting ... 68675.html

There are a lot of helpful replies in this discussion:
https://community.spiceworks.com/topic/ ... -same-ssid

I have no experience with the RT-AC66U. But it should be fine as your "second" router. I did find that I did NOT have to have the same firmware on my two identical 68U routers to make the second one work as an AP or as a Repeater. (I only delayed updating my WAN router because my wife does a lot of internet meetings and I did not want to disrupt her online work.)

I recently bought a newer ASUS router, one that does wi-fi 6 and has a faster processor, etc than my RT-AC68U. I had originally thought I would connect the 68U via AIMesh, but have read enough reports about problems with AIMesh that I ultimately just set it up as a WAP (wireless access point). Using the same SSID. Doing some testing I've found that this works fine. Devices that are closer to the WAP don't get the benefit of wi-fi 6, but at this point that's not a big issue, and my modest experiments in 'hand-off' (from router to WAP or vice-versa) as I move around the house seemed fine to me.

As I think someone else mentioned, the one somewhat weird thing is trying to examine or modify settings on the WAP --- you have to go through some gyrations with an extra ASUS application on a one-time basis in order to get an IP address needed to get into the settings for the WAP. So a little more complexity to remember on that.

I think that you can choose to set your own broadcast channels or not, at your option. I went round the house looking at conflicts with neighbors on various channels and ultimately did explicitly set my 2.4 ghz channels on both router and WAP (different channels from each other too), but did not do so for 5 ghz, where there appeared to be minimal conflict.

[Chip]

I recently bought a newer ASUS router, one that does wi-fi 6 and has a faster processor, etc than my RT-AC68U. I had originally thought I would connect the 68U via AIMesh, but have read enough reports about problems with AIMesh that I ultimately just set it up as a WAP (wireless access point). Using the same SSID. Doing some testing I've found that this works fine. Devices that are closer to the WAP don't get the benefit of wi-fi 6, but at this point that's not a big issue, and my modest experiments in 'hand-off' (from router to WAP or vice-versa) as I move around the house seemed fine to me.

As I think someone else mentioned, the one somewhat weird thing is trying to examine or modify settings on the WAP --- you have to go through some gyrations with an extra ASUS application on a one-time basis in order to get an IP address needed to get into the settings for the WAP. So a little more complexity to remember on that.

I think that you can choose to set your own broadcast channels or not, at your option. I went round the house looking at conflicts with neighbors on various channels and ultimately did explicitly set my 2.4 ghz channels on both router and WAP (different channels from each other too), but did not do so for 5 ghz, where there appeared to be minimal conflict.

Thanks, that's all very helpful.

I haven't seen the reports about AiMesh problems, and I've read quite a few reviews and articles. Are there any in particular you would recommend? Not that it's particularly important right now, as the N66U isn't AiMesh capable.

Noted about the extra application required to configure the WAP. If I remember correctly the ASUS router software also provides a reminder about that extra application.

Yes, I believe broadcast channels can be set manually with the ASUS software, as well as radio power levels. One of the articles linked by crefwatch had some very good and detailed info on how to go about that process. Also, my understanding is that many more non-overlapping channels are available for 5 ghz, so not as difficult to set up as 2.4 ghz.

[xb7]

I haven't seen the reports about AiMesh problems, and I've read quite a few reviews and articles. Are there any in particular you would recommend? Not that it's particularly important right now, as the N66U isn't AiMesh capable.

My recollection is that I read about this a lot when looking at Amazon reviews for various AiMesh-capable ASUS routers.

But doing a hasty web search just now on the text "AiMesh problems", I quickly turned up a number of references.

I'm not saying that AiMesh is inherently a bad thing, just that a lot of people have seemingly concluded that it's not the most stable thing always, and in particular that certain hardware combinations seem to be more stable with it than others. But even having two of the same router isn't a guarantee. My recollection is that Amazon sells a pair of RT-AC68U routers to be paired with AiMesh, but that a lot of the reviews boiled down to "great router by itself, not so great when paired with AiMesh".

At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me. I think the one thing that I'm supposed to lose this way is a more "smooth transition" when being handed off from router to WAP or vice versa, but that doesn't seem to be a big deal. Oh, and with AiMesh you can directly tinker with the node rather than having to separately sign in via a different IP address to update firmware or review/modify settings, but that's not a big deal for something that I infrequently do.

[jebmke]

At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me. I think the one thing that I'm supposed to lose this way is a more "smooth transition" when being handed off from router to WAP or vice versa, but that doesn't seem to be a big deal.

I've been doing this with a spare router configured as a WAP for several years and don't have any big issues. But, I typically don't wander around the house with a device anyway. Once or twice a day I move with my iPad from one zone to another and it always acquires the stronger signal.

[xb7]

I've been doing this with a spare router configured as a WAP for several years and don't have any big issues. But, I typically don't wander around the house with a device anyway. Once or twice a day I move with my iPad from one zone to another and it always acquires the stronger signal.

That's a good point. Most of my wi-fi connections are from IoT devices, each installed in a specific location --- not moving. And when I'm actually looking at a phone or tablet in the house, I'm stationary. If I walk around the house with the device and start looking at it again, I'll likely be stationary again. And our laptops have ethernet connections (we rarely move 'em).

There are exceptions to this, but nothing that I've run into issues with. I guess the scenario of concern might be walking around the house listening to a (not downloaded) podcast, audiobook, music or similar and going from one device to the other. I seldom do this, don't know if there would be an audio-stutter or other issue as a result.

The other issue would be if, say, my tablet were connected to my router and I walked with it to a point where the WAP had the stronger signal but it held on to the weaker signal and had a slower and/or less reliable connection as a result. One can (and I did) explicitly set a threshhold in terms of -dBm signal strength for when the signal is handed off --- or rather, really, when the given device drops the connection, so that the other one can take over. A little research and maybe modest testing should get that to where it's reasonable.

[Chip]

But doing a hasty web search just now on the text "AiMesh problems", I quickly turned up a number of references.

Thanks. I guess I hadn't looked as much as I had imagined. One particularly thorough and scathing review is here:

https://www.smallnetbuilder.com/wireles ... ed?start=0

My summary of the review: AiMesh doesn't mesh. The review is two years old, so I suppose things could be better now but it doesn't appear that AiMesh is worth any sort of premium.

At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me.

That's where I'm headed. I just need to pick the new router.

[toast0]

But doing a hasty web search just now on the text "AiMesh problems", I quickly turned up a number of references.

Thanks. I guess I hadn't looked as much as I had imagined. One particularly thorough and scathing review is here:

https://www.smallnetbuilder.com/wireles ... ed?start=0

My summary of the review: AiMesh doesn't mesh. The review is two years old, so I suppose things could be better now but it doesn't appear that AiMesh is worth any sort of premium.

At any rate, this stuff steered me towards the less error-prone WAP approach, which again --- seems to be working fine for me.

That's where I'm headed. I just need to pick the new router.

AiMesh did recently get an update that lets you use only wired networking for backhaul. You still can't have the access points on different wireless channels though; although if you have 'tri-band' access points with two 5 Ghz radios, wired backhaul only mode enables using the second radio for client traffic. I don't know if it works better than having the devices in access point mode and on the same SSID but different channels, though. It's sort of nice poking at a single web page instead of three for my system. Although, actually it seems like my routers don't care for it, they've gone missing in action after I tweaked some settings. Back to AP mode I go, I guess.

[Chip]

Still haven't abandoned the thread.

I've done a fair amount of speed testing at various locations in the house and have spent way too much time reading router reviews.

Temporarily moving the RT-N66U to a better location within the same room gives a decent speed boost on the 2.4 GHz band, particularly for the test locations with marginal performance. There's a slight improvement on the 5 GHz band, but it's probably within the test error band.

For now I am going to buy the RT-AC66U B1 and see if the additional throughput of 802.11ac will get me to "good enough for right now" just using it as a standalone router. The reason I'm going this way is (as pointed out in this thread) that it appears difficult to implement a guest network that works with an access point, at least without buying the Ubiquiti equipment.

If this doesn't give me the coverage I need I will work out some sort of arrangement with the N66U and a managed switch (for my IoT concerns). I think that will involve pulling another ethernet cable, but I have an unfinished basement so that cable routing is manageable. I think I could even locate the N66U in the basement and still get a decent signal where I need it. Another option is buying another AiMesh capable router assuming Asus updates the firmware to allow guest networks on AiMesh nodes.

Some learnings from my speed testing: I noticed that one of my gigabit LAN ports on the N66U has for some reason downgraded itself to a 100 Mbps port. Unfortunately that was where my desktop was connected. I changed the port and more than doubled my download speed. The wireless speed testing is highly sensitive to the exact location of the test device. I could move a few feet on my deck and change speeds dramatically. This was probably due to a steel entry door that was in the way in one location. Plus it made a difference if I was standing so that I was blocking the signal with my body. I also learned to make sure and turn off mobile data on the phone I was using for testing. In the really low signal areas in the house I'm pretty sure that initially my phone was switching over to a cell tower. I had the same issue with 5 GHz vs. 2.4 GHz -- when the 5 GHz signal would fade out the phone would automatically jump to the 2.4 GHz SSID.

I would note that the 1-star Amazon reviews on the big names for consumer routers have a consistent theme of radio or total failures and execrable customer support. Also that both Netgear and TP-Link received poor Fakespot ratings for the routers I was considering. The Asus RT-AC66U received a good Fakespot grade, but there are still a fair number of reviews with reliability concerns.

Thanks to all who contributed. I'll update once I get the new router in place.

[Chip]

For now I am going to buy the RT-AC66U B1 and see if the additional throughput of 802.11ac will get me to "good enough for right now" just using it as a standalone router. The reason I'm going this way is (as pointed out in this thread) that it appears difficult to implement a guest network that works with an access point, at least without buying the Ubiquiti equipment.

I installed the RT-AC66U B1 yesterday and did some testing. It looks like the stronger signals allowed by the 802.11ac wireless standard will be sufficient for now. While there were several low throughput locations in the house, there were two where I felt I really needed an improvement. 5 GHz speed test results at those locations:

At smart TV: 35 Mbps with N66U (but highly variable), 65 Mbps with AC66U (signal strength -54 dBm)
Deck: 9 Mbps with N66U, 67 Mbps with AC66U

These results are fairly consistent throughout the house. There were a couple of locations where there was no usable signal from the N66U but I'm now seeing throughput of 30+ Mbps.

Real world testing is the next step but I feel pretty confident this is going to be sufficient. I should note that this solution is the one proposed by alexp earlier in the thread -- just get a router with a stronger signal. I just hope the AC66U is as reliable as the N66U, which had zero problems in 6 years of use.

I would also note that the ability to save ASUS router settings to a file, then upload them to another ASUS router made it incredibly easy to set up the new router. I probably spent 5 minutes physically placing the router and connecting cables, then another 5 uploading settings, then another 5 updating firmware. And that's all I had to do -- the upload contained all of the SSIDs, network passwords, MAC filters and other security settings. All of our devices reconnected immediately.

Thanks to all who weighed in on this thread. Though I went with a simple $100 solution I think I have a lot more networking knowledge now and will be much further along if I decide on further improvements.

Edit: typo

[xb7]

"Though I went with a simple $100 solution I think I have a lot more networking knowledge now and will be much further along if I decide on further improvements."

If you decide on those improvements relatively soon, certainly. Or perhaps your long-term memory for such details is better than mine. For something where I dive into a sea of relative complexity but then stop paying attention for several years --- I'll have forgotten a lot, plus things will have changed in the interim!

Best wishes for trouble-free wi-fi and internet in general going forward.

[marcwd]

This is remarkable.

I didn’t read every detail in this long thread, but it appears that despite all the discussion regarding mesh, AiMesh, backhauls of all types, etc, etc, the OP has found a satisfactory Wi-Fi solution for his two-story 3,600 sq ft home by the use of a single, well-located $100 router.

Did I miss something?

[Chip]

This is remarkable.

I didn’t read every detail in this long thread, but it appears that despite all the discussion regarding mesh, AiMesh, backhauls of all types, etc, etc, the OP has found a satisfactory Wi-Fi solution for his two-story 3,600 sq ft home by the use of a single, well-located $100 router.

Did I miss something?

Yes. The router isn't well located.

[Chip]

"Though I went with a simple $100 solution I think I have a lot more networking knowledge now and will be much further along if I decide on further improvements."

If you decide on those improvements relatively soon, certainly. Or perhaps your long-term memory for such details is better than mine. For something where I dive into a sea of relative complexity but then stop paying attention for several years --- I'll have forgotten a lot, plus things will have changed in the interim!

I've actually taken to writing up notes for things like this, using MS One Note. But the point you make about things changing is definitely true!

[marcwd]

This is remarkable.

I didn’t read every detail in this long thread, but it appears that despite all the discussion regarding mesh, AiMesh, backhauls of all types, etc, etc, the OP has found a satisfactory Wi-Fi solution for his two-story 3,600 sq ft home by the use of a single, well-located $100 router.

Did I miss something?

Yes. The router isn't well located.

Ok, so you could possibly further improve your now-satisfactory Wi-Fi signal by running the modem cable and relocating the router to a different spot in the house, yes?

[Chip]

Ok, so you could possibly further improve your now-satisfactory Wi-Fi signal by running the modem cable and relocating the router to a different spot in the house, yes?

Yes. In one of the earlier posts I mentioned that I had tested this with the old router by temporarily moving it to a more favorable location within the same room, which wasn't too difficult. 2.4 GHz performance in the worst areas improved a good bit; not so much for 5 GHz.

I had considered moving the router to the top of the entry hall closet, which is in the center of the main floor. It's probably close to an ideal location. But it would be a LOT of work. I would have to run both power and ethernet to that location, with appropriate wall boxes, as well as building and painting a nice shelf for everything. I'm a perfectionist, so we're talking a lot of work hours. Certainly more than the 15 minutes it took to get the AC66U working.

[meebers]

Over the next couple of days I am going to try and improve my either net connection. Modem is in the laundry room, office is in the furthest bedroom away approximately 65 ft LOS.

Modem connects to Router WAN, one port from the router runs the length (via cat 5e) to the office wall connection, patch cable then up to an ether net switch and one of those ports, patch cable run to the computer.

Just bought a 100 ft Cat 7 cable that is going to be direct connected to modem and directly connecting to computer. IF there is a noticeable difference, will run the cable in the ceiling I have a 940/940 fiber connection, which tests ~825/750. Router is a $50 T-Mobile [Asus AC 1900] which would have no effect on the either net connection?

Then start on the Wi-Fi next, the router so far reaches every part of the house but knocks down the speed to about ~50Mbps

[alexp]

@Chip - glad that the router upgrade worked for you.

@meebers - the cat5e cable should be able to handle 1Gbps speed. Will be interesting to find the results for your cat 7 experiment.

-Alex

[xb7]

I had considered moving the router to the top of the entry hall closet, which is in the center of the main floor. It's probably close to an ideal location. But it would be a LOT of work. I would have to run both power and ethernet to that location, with appropriate wall boxes, as well as building and painting a nice shelf for everything. I'm a perfectionist, so we're talking a lot of work hours. Certainly more than the 15 minutes it took to get the AC66U working.

Apologies if this comment is just obvious (NOT intending to patronize ... !)

If you have some sufficiently long ethernet cable around and an extension cord, I would definitely try temporarily putting the router where you contemplate having it with the wires just --- for a short test --- laying on the floor. It would be most unhappy to do all of the work that you describe, only to find that it makes little difference, or perhaps even makes for dead zones or some other less favorable outcome! It's hard to predict what's in your walls and how the signal will propagate through your house from any location short of, IMO, actually trying it.

If you don't have a sufficiently long cable (and don't need one), it's pretty cheap to buy a set of connectors ("ethernet couplers") to link multiple shorter ethernet cables together for a test, though in that case I would also test the chained cable in your current location to compare the cable itself against the speeds you're getting now in your current location with the cable you have there. I.e., to ensure that you're not losing much from the couplers. Someone with more experience in using ethernet cable in various ways would likely know the answer already, but me --- I would test, and especially if your chained cable is fairly long and/or has a mix of different types of cable (cat 5, 5e, 6, etc).

I might be projecting my own situation here, but I always seem to end up storing spare ethernet cables of various types and lengths, "just in case".

[Chip]

If you have some sufficiently long ethernet cable around and an extension cord, I would definitely try temporarily putting the router where you contemplate having it with the wires just --- for a short test --- laying on the floor. It would be most unhappy to do all of the work that you describe, only to find that it makes little difference, or perhaps even makes for dead zones or some other less favorable outcome! It's hard to predict what's in your walls and how the signal will propagate through your house from any location short of, IMO, actually trying it.

No apologies necessary.

If the AC66U hadn't worked out I would have thoroughly tested that location in the way you describe before starting any work. I didn't have ethernet cables of sufficient length but I could have put together enough RG-6 to move both the modem and the router. Fortunately I didn't have to take that step.