Setting up a Guest WiFi Network on ASUS RT-N66U

I've been using an ASUS RT-N66U in a small office as purely an access point in ROUTER MODE (as a switch and access point) connecting the device to the LAN on one of its LAN ports and DHCP disabled.  This is shown in the first figure attached: Office Network Original Diagram.

Now a Guest Network is desired.
I see that the RT-N66U has a number of Operation modes available:
- ROUTER MODE which normally expects a WAN connection and doubtless provides NAT.
- REPEATER MODE to extend a wireless network.  No NAT.  Appears to be of no interest here.
- MEDIA BRIDGE MODE with two RT-N66U devices.  Appears to be of no interest here.

So rather than continuing to use the router mode with no WAN connection, I opted for the ACCESS POINT MODE with a WAN port connection to the LAN.  
And, I set up a Guest Network which is supposed to not allow connection to the LAN devices but only the internet.
This variation is shown in the second diagram: Office Network Diagram Guest Network.

The situation when this is done is allowing connection to the LAN devices from the Guest Network.  I need to fix it so Guest access to the LAN devices doesn't happen.

Some instructions show a mode that, it appears, will deny access to the LAN.
In the firmware we have (the latest installed) there is Enable MAC Filter instead.  If we set it to Accept, it is supposed to allow connection to the network of any listed MAC addresses.  But does this mean internet access or LAN access or both?  It's not clear.  Accept with no addresses on the list seems to stop WAN/Internet connection.  I think this is simply a typical MAC address filter and nothing more - having nothing in particular to do with the Guest/LAN access.

Under the Wireless Professional settings there is a "Set AP Isolated" Yes/No and instructions say:
"If want to limit guest to all devices behind router, connect by wireless .. choose Yes."
Setting this to Yes appears to disable Guest access to the internet.
Obviously the English isn't so good.  One would hope to interpret this as:
"If want to limit guests from all devices on the LAN, connect by wireless .. choose Yes."

Very confusing....  I somewhat expect that having the LAN on the WAN side of the RT-N66U has something to do with this but it's a bit of a surprise in Access Point mode.  It's the connection I would have expected had this been but a new installation.

I might add that I don't want to mess with the current LAN configuration as the VPN is working well for file access from afar.  So, no router / dual NAT cascading with everything at the 2nd level as that would disrupt the current scheme.

Also, as one would expect, the LAN wireless clients need to be on that same subnet - except for the Guests and for them I don't care.  Either they can be on the same subnet but have no subnet access other than the gateway OR be on another subnet with no inter-subnet access.
Since I manage this remotely at some distance, I want to be able to access everything as I do now.

I'm hoping that someone understands the RT-N66U well enough to shed some light.  Otherwise, I can see ways to "solve my problem" so that isn't so much what I'm looking for here.  I'd like to just use the RT-N66U..... THAT's the problem.
Asked by Fred Marshall (Principal).

masnrock commented:
There are a few ways you can go about it:

1) Do mostly what Dr. Klahn said. That Comcast modem has 4 ports on it, so you don't need the cheap hub that's mentioned. DHCP would serve the AP that's for the guest wireless, while the modem would serve as a passthrough for the Netgear.

2) Same as number 1, except instead of enabling DHCP on the modem, give the router for the guest wireless its own public IP address (this assumes you have some addresses available).

3) Create a separate subnet on one of the interfaces on the Netgear, and don't let it communicate with the existing one. Buy an AP to attach to that interface for that subnet. If you don't want to deal with configuring VLANs on the switch, attach that interface directly to the correct patch panel port that you're dedicating exclusively to the guest network AP.

4) Create a VLAN on the Netgear (you will also have to do some configuration on the Cisco switch) and replace the existing Asus with a UniFi AP (I pick this model since it's not an expensive unit by any means that would help you accomplish your goal), and have the AP set so that there is the existing staff network, and the guest network (which you need to tell which tagged VLAN to place users onto). They'd exist on separate subnets that you don't have to allow to communicate with one another.

Personally speaking, I'd go with options 3 or 4. However, options 1 and 2 are the simplest.
Dr. Klahn (Principal Software Engineer) commented:
In these situations, I generally tell the client to buy a second WiFi router/access point.

Assume internet connection via a cable modem with DHCP enabled.  Plug a cheap 4-port hub into the cable modem.  Now plug both WiFi routers into the hub.  Each will get an address from the modem via DHCP for its internet-facing side.  One router services the guest network, one router services the business LAN.  Either network can be subverted with no effect on the other network.  As long as each router has its firewall enabled, neither can leak information to the other network.

Note that this configuration is secure only so long as you keep the WiFi passwords secret.
Fred Marshall (Principal, Author) commented:
It appears using the ASUS RT-N66U and adding a Guest network is out of the question in view of our configuration.  
Yes, I know how to do these things.  Although you give some good information about the ports on the modem (I'm not there to see it).    

It's not clear why you mention the Cisco switch in 3.
It's not clear why you would replace the ASUS.  Why not just leave it alone as it is in the first diagram?

If I put the guest router on the modem with its own public address (which is really what I'd favor doing) then I'd want a router with a half-way decent firewall that can be accessed remotely.  Any suggestions for such a wireless router?  My sense is that almost any commodity router will do.
masnrock commented:
You could technically do the guest network and isolation as long as you ran the ASUS in Access Point mode, but I would never recommend it. Not because of wanting to drive the cost up or adding more stuff, but more in keeping things well segregated. In the most ideal scenarios, you'd rather have people on separate subnets or VLANs if possible. Also would show a much stronger control for any compliance that your client may deal with (I know you cited they're small, but not sure if they have to deal with anything like PCI).

With the first 3 options, you can use your existing ASUS. However, you'd need to get an additional wireless device because you'd be using separate wireless devices for the staff and guests.

Option 3 I mention the switch because you'd have to deal with VLAN configurations on it if you connect the AP for the guest network (be it the ASUS or another device) to it. If you bypass the switch totally and go straight to the patch panel for the guest subnet, then there's no need to change anything on the switch.

Option 4 is the one where you'd take out the ASUS totally because UniFis are capable of seeing multiple VLANs over the wire.

I forgot to answer one of your questions from your original post: The MAC filter you were mentioning is just a plain MAC filter, that would deny access to the wireless network in general. And I believe that is in general, not a per network filter (based on the documentation for the Netgear).
Fred Marshall (Principal, Author) commented:
Masnrock:  heh... I agree totally with that segregated approach!  Yet, I was starting with what I had.

Thanks for the clarification re: the switch.  Yes, I was intending to connect separately.  It makes little sense for me to put one cable into a switch in order to run one cable out.  One to many is more normal switch application, eh?  Well, unless one needs port monitoring, SNMP, etc.

I started this question because I'd implemented what's in the "original" diagram but with a Guest network configured in the RT-N66U.  That worked but allowed Guest access to the LAN.  When I think about it, all Guest traffic would have to run over the same wire so it's hard to imagine any internal router mechanism that could keep them separate .. being on the same subnet.

I then tried connecting the WAN/Internet side of the RT-N66U to the LAN as shown in the ALT 1 diagram with the RT-N66U in Access Point mode.  So, I believe no NAT, etc. but still have the issue of all the traffic showing up on that wire.  So this case also didn't separate the LAN from the Guest network.  I believe the proper functional block diagram for the RT-N66U is as if the router has a number of VLANs: one for each wireless signal and connects them to the internal LAN switch EXCEPT the Guest network which is isolated from that switch.  Then, assuming NAT, the traffic goes to the WAN port on the WAN subnet and must go upstream to the gateway without interaction.

Had I been willing to run everything through the RT-N66U and allow double NAT then it likely would have worked just fine.
Just info.

Fortunately the users have a wireless router already available...
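The two threads of reasoning above (masnrock's options 3 and 4, which put guests on their own subnet behind the router, and the observation that a guest SSID bridged onto the office subnet runs over the same wire as the staff LAN) can be checked with a small model. The following is an added example, not code from the thread or from ASUS; the subnets, host names, addresses and topologies in it are constructed for illustration. It encodes one rule of thumb: a router or firewall can only enforce policy on packets that cross it, so two hosts in the same subnet are switched at Layer 2 and never reach the ACL, and the "Set AP Isolated" option only separates wireless clients of the same AP from each other, not from wired hosts.

```python
"""Model of guest isolation on a shared subnet versus a dedicated guest subnet.

Added example, not part of the thread. All addresses, host names and
topologies are constructed; adapt them to the site's real addressing.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Host:
    name: str
    role: str                # "staff", "guest" or "internet"
    ip: str
    wireless: bool = False   # True if associated to the office AP


@dataclass(frozen=True)
class Topology:
    name: str
    staff_net: Net
    guest_net: Net             # equals staff_net in the bridged design
    ap_isolated: bool = False  # the AP's "Set AP Isolated" option


# Constructed hosts (RFC 1918 and documentation-range addresses).
STAFF_PC = Host("staff-pc", "staff", "192.168.1.42", wireless=True)
FILE_SERVER = Host("file-server", "staff", "192.168.1.10")
GUEST_ON_LAN = Host("guest-laptop", "guest", "192.168.1.77", wireless=True)
GUEST_SEGMENTED = Host("guest-laptop", "guest", "192.168.50.23", wireless=True)
WEB_SITE = Host("public-web", "internet", "203.0.113.10")

# Constructed topologies.
BRIDGED = Topology("guest SSID bridged onto the office LAN",
                   Net("192.168.1.0/24"), Net("192.168.1.0/24"))
BRIDGED_AP_ISOLATED = Topology("bridged, AP isolation on",
                               Net("192.168.1.0/24"), Net("192.168.1.0/24"),
                               ap_isolated=True)
SEGMENTED = Topology("option 3/4: guest subnet routed through the firewall",
                     Net("192.168.1.0/24"), Net("192.168.50.0/24"))


def same_subnet(topo: Topology, a: Host, b: Host) -> bool:
    """True when both hosts sit in one of the topology's subnets, meaning their
    traffic is switched locally and never reaches the router."""
    ia, ib = ipaddress.ip_address(a.ip), ipaddress.ip_address(b.ip)
    return any(ia in net and ib in net for net in (topo.staff_net, topo.guest_net))


def router_policy(src: Host, dst: Host) -> str:
    """Forwarding ACL on the router: guests may only reach the Internet."""
    if src.role == "guest" and dst.role != "internet":
        return "drop"
    return "accept"


def verdict(topo: Topology, src: Host, dst: Host) -> str:
    """Where is this flow decided, and what happens to it?"""
    if same_subnet(topo, src, dst):
        # AP isolation only blocks wireless-to-wireless clients of the same AP;
        # a wired host such as the file server is still reachable.
        if topo.ap_isolated and src.wireless and dst.wireless:
            return "drop (AP isolation)"
        return "accept (switched at L2; router never sees it)"
    return router_policy(src, dst)


def guest_leaks(topo: Topology, guest: Host, hosts) -> list:
    """Names of non-Internet hosts a guest can still reach in this topology."""
    return [h.name for h in hosts
            if h.role != "internet" and verdict(topo, guest, h).startswith("accept")]


if __name__ == "__main__":
    lan = [STAFF_PC, FILE_SERVER, WEB_SITE]
    for topo, guest in ((BRIDGED, GUEST_ON_LAN),
                        (BRIDGED_AP_ISOLATED, GUEST_ON_LAN),
                        (SEGMENTED, GUEST_SEGMENTED)):
        print(f"== {topo.name}")
        for h in lan:
            print(f"  {guest.name} -> {h.name:12} {verdict(topo, guest, h)}")
        print(f"  leaks to LAN: {guest_leaks(topo, guest, lan) or 'none'}")
```

Running it shows the bridged design leaking to both the staff PC and the file server, AP isolation removing only the wireless-to-wireless path, and the segmented design leaking nothing while still letting the guest reach the public web host through the router's ACL.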
Fred Marshall (Principal, Author) commented:
Thank you all for the suggestions!