Question Why are SOHO routers adding advanced features like Wifi Guest Networks, Wired VLAN, and even Dual-WAN, but no "Wired Guest Network"?

[VirtualLarry]

Like dual-WAN, it would use VLAN support of the wired switch chip, to create one or more ports of an "Isolated VLAN", that couldn't access your LAN resources (like a NAS), but could only access the WAN. Possibly, it would have it's own WIRED GUEST DHCP/IP subnet too.

Basically, the wired equivalent of a Guest WIFI w/client isolation. Not quite the same as a true DMZ port, as it would still utilize NAT and SPI.

This would be a godsend to those of us working on relative's PCs, that might have viruses on them that could spread over the network.

Edit: They could also promote that setting as for "Smart TVs", such that, if hacked, couldn't be used as a staging platform to attack the rest of your network. Of course, by the same token, playing videos off of the NAS would also be off-limits to a Smart TV plugged into "Guest WIRED port".

 

[mxnerd]

Market segment.

 

[mv2devnull]

Probably.

Could also ... Ubiquiti routers ER-X and ER-poe5 differ. Both have a switch chip.
On ER-X you can configure VLAN filter on each port of the switch.
On ER-poe5 you can't. The router has an interface, where you can set VLANs, and switch is on that interface. "Unmanaged switch".

If a SOHO router is built like ER-poe5, then filtering per switch port is not feasible.

 

[ch33zw1z]

I guess it's because wifi is the main consumer care, and anyone wanting to isolate lan traffic probably isn't buying a Soho device anyways.

As mv2 pointed out, the er-x is probably the only exception (known to me), where it has 4 usable ports and you can add vlans and firewall config to isolate traffic.

For Soho lan guest config, just get a bridge and join the guest wifi with it, plug in wired devices to the bridge.

Edit: I guess it's worth noting I recently setup a guest wifi with an er-x and uap-lr wap. I followed a guide that had me allow ports 53 and 67 for dns and DHCP, I guess if I want to, I could allow another port to allow a NAS connection. I'm wondering if any Soho devices get that granular

 

[mxnerd]

Googled. Not tested. Do not want to screw up my own router.

If you have Tomato USB flashable routers or its derivative firmwares (Advanced Tomato, FreshTomato), you can do the following.

Build Secure VLAN Networks with ‘Shibby’ Router Firmware | hobo.house

==

Or do what ch33 suggested.

 

[ch33zw1z]

Googled. Not tested. Do not want to screw up my own router.

If you have Tomato USB flashable routers or its derivative firmwares (Advanced Tomato, FreshTomato), you can do the following.

Build Secure VLAN Networks with ‘Shibby’ Router Firmware | hobo.house

==

Or do what ch33 suggested.

That's a pretty good link! I didn't read *all* the way thru yet, but it's laid out nicely. part of my reasoning for the guest wifi thing was partly to test how it would work if i put all my IoT devices on an isolated vlan. I always like tomato (preferred over ddwrt), so it's nice to know there's options if I bail on UBNT stuff someday.

 

[SamirD]

There are actually some specialized routers out there that do this. They're designed for creating 'hotspots', so are commonly known as 'hotspot routers' with a 'captive portal'. Older Meraki devices could also do this.

 

[ch33zw1z]

There are actually some specialized routers out there that do this. They're designed for creating 'hotspots', so are commonly known as 'hotspot routers' with a 'captive portal'. Older Meraki devices could also do this.

And they could isolate LAN traffic with some ease?

 

[mv2devnull]

"... Tomato firmware ..."

In other words, the hardware is not the real issue, but the soft/firmware?

VLAN support of the wired switch chip

What is actually physically different between unmanaged and managed network switches?

The latter obviously has/runs firmware with UI, but does the "switch chip", "ports and fabric", differ?
How much "wiring" does it take to (re)direct packets via "programmable filter"?

If custom firmware can apply a per-port filter to cheap consumer switch chip, then that hardware is already sufficient, although probably not optimal.

 

[SamirD]

And they could isolate LAN traffic with some ease?

Very easy. It was just an option to select in the software/setup.

 

[ch33zw1z]

Very easy. It was just an option to select in the software/setup.

Ok, you were saying hotspot traffic, which is typically wifi traffic. Not many consumer devices will manage LAN traffic easily.

 

[SamirD]

Ok, you were saying hotspot traffic, which is typically wifi traffic. Not many consumer devices will manage LAN traffic easily.

Nope, these are not consumer devices. I'd see them installed in hotels to segregate the lan traffic between individual guests. They were specific units. I know about the Meraki units because that's what I set up at our hotel back in the day. I could segregate traffic in wifi, on the lan, or both.

 

[ch33zw1z]

Nope, these are not consumer devices. I'd see them installed in hotels to segregate the lan traffic between individual guests. They were specific units. I know about the Meraki units because that's what I set up at our hotel back in the day. I could segregate traffic in wifi, on the lan, or both.

Ah, I thought we were discussing consumer devices to make traffic management more consumer friendly

 

[SamirD]

Ah, I thought we were discussing consumer devices to make traffic management more consumer friendly

Larry's original question was why these type of features aren't on most consumer routers for the wired lan, and the answer is probably simply no demand, and then they're suddenly competing with hotspot routers.

 

[Genx87]

A wired guest LAN would require the capability to switch VLANs based on the client, or at the very least configure a static VLAN. Most switches at home lack this capability. And people would not know how to properly configure the switch even if they bought one that can. Wireless is easy. The switching\VLAN\routing is happening inside the WAP for a guest network.

Most smart TVs are on wireless. I place mine on their own wireless network and use my firewall to segregate them from the rest of my wired and wireless networks.

 

[Jorgp2]

Adding an additional WLAN doesn't cost any additional money.

Adding the ability to configure VLANs (Guest network) would either require the end user to buy a switch that supports VLAN Trunks, or only allow setting the native VLAN on the router switch ports. Both would probably cost the manufacturer more money than its worth in customer support time.

 

[VirtualLarry]

The thing is, Asus routers (some of them, my AC68U-family included) support "Dual WAN", which uses the VLAN capability of the integrated Gigabit ethernet switch ports, to implement a port-based VLAN for the secondary WAN port. If they can do that, then isn't it just a configuration change, and maybe some more IPTABLES entries, to implement a WIRED GUEST LAN PORT?

 

[Jorgp2]

The thing is, Asus routers (some of them, my AC68U-family included) support "Dual WAN", which uses the VLAN capability of the integrated Gigabit ethernet switch ports, to implement a port-based VLAN for the secondary WAN port. If they can do that, then isn't it just a configuration change, and maybe some more IPTABLES entries, to implement a WIRED GUEST LAN PORT?

Wat?

They might be using an access VLAN on that switchport. But there's also chips that do both switching and routing, in which case every port belongs to the router.

You missed the part where the manufacturer would have to explain to end users how VLANs work though. That's not something that should be done for a plug in and go home router.

If you want VLANs get a prosumer/pro router and a switch.

 

[mxnerd]

Average consumers do not need VLAN stuff, it's for the pros or business.

If you want pro/business devices at consumer price, get UBNT or Microtik.

Even TP-Link or Netgear have cheap smart switches that support VLANs.

Don't expect ASUS/D-Link, etc to offer consumer Wi-Fi routers with VLAN support any time soon.

 

[Rifter]

Wat?

They might be using an access VLAN on that switchport. But there's also chips that do both switching and routing, in which case every port belongs to the router.

You missed the part where the manufacturer would have to explain to end users how VLANs work though. That's not something that should be done for a plug in and go home router.

If you want VLANs get a prosumer/pro router and a switch.

Agreed, leaving Vlans off home gear is a good idea. Buying a switch that supports them isnt even expensive anymore anyways.

 

[mv2devnull]

You missed the part where the manufacturer would have to explain to end users how VLANs work though. That's not something that should be done for a plug in and go home router.

I'm sloppy. Took this long to read the actual thread title:

Why are SOHO routers adding advanced features like Wifi Guest Networks, Wired VLAN, and even Dual-WAN, but no "Wired Guest Network"?

Router routes. Basic router has two ports for two networks: LAN and WAN.

Router can have more than ports for more than two networks. The ports are either physically distinct or implemented as VLANs.
The "WAN-side" and "LAN-side" relate to (firewall) access control.

The "Guest Network" or "DMZ port" are all about providing simple, usable UI. Markings on ports, defaults, checkboxes on dashboard. Hiding nitty-gritty details.

If the router has distinct ports to "LANs" and/or VLAN support, then the backend is there. To allow low level access to them without simplified UI too is against the plug-n-play. Consumer devices love to hide and limit options. Why explain VLANs, if you can have "Select this to make green port a separate guest network"?

If the separation is via VLAN, then yes, somebody has to explain VLANs because the other end of wire (switch) needs to tag and forward those VLANs.
If the separation is by physical ports, the user may, or may not need additional unmanaged switches.

 

[froggx]

The thing is, Asus routers (some of them, my AC68U-family included) support "Dual WAN", which uses the VLAN capability of the integrated Gigabit ethernet switch ports, to implement a port-based VLAN for the secondary WAN port. If they can do that, then isn't it just a configuration change, and maybe some more IPTABLES entries, to implement a WIRED GUEST LAN PORT?

ASUS routers support per port VLANs in hardware, but they don't make it obvious how to set it up. In the GUI you can go to LAN>IPTV, set it to manual, and assign VLAN ID and priority to Ports 3, 4, and WAN. Full customization requires people to SSH in and use robocfg, which I'm assuming was intentionally complex on ASUS's part to protect most users from themselves.

Personally it doesn't make sense to me to have somewhere to enable a "wired guest LAN port" on a home router. I haven't had a guest ask me if they could borrow a LAN port since, well, ever...

 

[VirtualLarry]

Personally it doesn't make sense to me to have somewhere to enable a "wired guest LAN port" on a home router. I haven't had a guest ask me if they could borrow a LAN port since, well, ever...

Well, in my line of hobby, I work on people's PCs, that MAY be "infected", and I don't want them on the same physical LAN as my personal boxes, so I would prefer a walled-off (firewall, VLAN, etc.) connection, for them to plug into. (Not all client machines have wifi, and if I'm doing an OS upgrade/re-install, I may want the speed of a wired connection, with a USB dongle.)

 

[froggx]

Well, in my line of hobby, I work on people's PCs, that MAY be "infected", and I don't want them on the same physical LAN as my personal boxes, so I would prefer a walled-off (firewall, VLAN, etc.) connection, for them to plug into. (Not all client machines have wifi, and if I'm doing an OS upgrade/re-install, I may want the speed of a wired connection, with a USB dongle.)

I get you. That use case didn't occur to me even though I have a similar line of hobby. I never grew out of USB boot disks myself. Routers are becoming more popular targets since most comps get auto security and AV updates, often as soon as threats pop up, while many home users think of a "router update" as buying a new one. Sorry, I went OT...

Also I was slightly incorrect about what I said about VLAN's on ASUS routers. To use 'robocfg' to customize ports you need to flash to the Asus merlin-wrt firmware first (which can also be used to add some AV software and other security things). It's a bit more involved than a simple "guest lan port" switch, but it's the best way I know to do such a thing on my ac-66u, so it should work just as well on that ac-68u you mentioned.

Back on topic, mayhaps there isn't a 'guest lan port' on consumer routers specifically so that I could get the warm, fuzzy feeling of success for accidentally figuring out some workarounds and scripts to coax such a feature out of a $20 router (but I bet it goes back to market segmentation and not having to explain .1q to home users).

 

[SamirD]

Well, in my line of hobby, I work on people's PCs, that MAY be "infected", and I don't want them on the same physical LAN as my personal boxes, so I would prefer a walled-off (firewall, VLAN, etc.) connection, for them to plug into. (Not all client machines have wifi, and if I'm doing an OS upgrade/re-install, I may want the speed of a wired connection, with a USB dongle.)

For a use case like this, I don't allow systems like this to have any type of Internet access, period. I'll use some dumb/cheap router I have lying around to create a network if it needs one, but generally, a system won't get Internet access unless it is clean and locked down, which at this point can be connected to the main lan.

Now this is for our own systems--if it is someone else's, I would definitely have a separate vlan or even physical lan.