I've been using an ASUS RT-N66U in a small office as purely an access point in ROUTER MODE (as a switch and access point) connecting the device to the LAN on one of its LAN ports and DHCP disabled. This is shown in the first figure attached: Office Network Original Diagram.
Now a Guest Network is desired.
I see that the RT-N66U has a number of Operation modes available:
- ROUTER MODE which normally expects a WAN connection and doubtlessly provides NAT.
- REPEATER MODE to extend a wireless network. No NAT. Appears to be of no interest here.
- ACCESS POINT MODE. No NAT I'd guess.
- MEDIA BRIDGE MODE with two RT-N66U devices. Appears to be of no interest here.
So rather than continuing to use the router mode with no WAN connection, I opted for the ACCESS POINT MODE with a WAN port connection to the LAN.
And, I set up a Guest Network which is supposed to not allow connection to the LAN devices but only the internet.
This variation is shown in the second diagram: Office Network Diagram Guest Network.
The situation when this is done is allowing connection to the LAN devices from the Guest Network. I need to fix it so Guest access to the LAN devices doesn't happen.
In some instructions there is shown a mode that will deny access to the LAN it appears.
In the firmware we have (the latest installed) there is Enable MAC Filter instead. If we set it to Accept, it is supposed to allow connection to the network of any listed MAC addresses. But does this mean internet access or LAN access or both? It's not clear. Accept with no addresses on the list seems to stop WAN/Internet connection. I think this is simply a typical MAC address filter and nothing more - having nothing in particular to do with the Guest/LAN access.
Under the Wireless Professional settings there is a "Set AP Isolated" Yes/No and instructions say:
"If want to limit guest to all devices behind router, connect by wireless .. choose Yes."
Setting this to Yes appears to disable Guest access to the internet.
Obviously the English isn't so good. One would hope to interpret this as:
"If want to limit guests from all devices on the LAN, connect by wireless .. choose Yes."
Very confusing.... I somewhat expect that having the LAN on the WAN side of the RT-N66U has something to do with this but it's a bit of a surprise in Access Point mode. It's the connection I would have expected had this been but a new installation.
I might add that I don't want to mess with the current LAN configuration as the VPN is working well for file access from afar. So, no router / dual NAT cascading with everything at the 2nd level as that would disrupt the current scheme.
Also, as one would expect, the LAN wireless clients need to be on that same subnet - except for the Guests and for them I don't care. Either they can be on the same subnet but have no subnet access other than the gateway OR be on another subnet with no inter-subnet access.
Since I manage this remotely at some distance, I want to be able to access everything as I do now.
I'm hoping that someone understands the RT-N66U well enough to shed some light. Otherwise, I can see ways to "solve my problem" so that isn't so much what I'm looking for here. I'd like to just use the RT-N66U..... THAT's the problem.