AsusWRT-Merlin guest LAN isolation, need smart person to help! Pretty please?

I’ll be quick here guys, I am in need of one of you smart people to help me out. Long story short, I have an ASUS AC5300 running the latest Merlin firmware. We have lots of roommates and I need them to be isolated on their own, denied access to my LAN. I need isolation because I have a brand new unRaid server build and they need to not have access to my data on it or on any of my personal PCs. Here is the thing: when I set the Asus to AP mode, because I need my pfSense instance to handle all the DHCP and so on, all isolation between the two WIFI SSIDs is lost. This means the roommates can access my shares and cast to my personal TV because they obviously don’t know which one in the list is theirs; it’s a real shit show. In routing mode, the guest WIFI is fully isolated from the main LAN and the main WIFI. But if I run the Asus in router mode, I then lose all access to my main network from the regular WIFI. So basically, I am stuck here.

Here are the two solutions I can think of but I need help to know if this can even be done.

  1. Asus in AP mode but somehow be able to isolate the guest network from the LAN. I know Merlin can do a whole lot more than is exposed in the UI, but I don’t have any idea how I would go about doing any of that. If I can VLAN tag all the traffic coming from the guest WIFI, then pfSense can handle that no problem, while the normal WIFI would be untagged and be handled normally.

  2. Asus in router mode and somehow allow normal traffic from the regular WIFI to pass through to the regular LAN. Maybe have the Asus give out IPs from a different pool on the same subnet for the main WIFI. I read somewhere about someone doing something very similar to this with another ASUS router running Merlin, and they did have to SSH into the Asus and work some kind of voodoo magic. I have done a few simple things via SSH, but I just don’t know what I can do there.

The main thing is, this stupid Asus thing cost like $400 when I got it and it’s still a very capable WIFI AP. I do not want to trash the darn thing and buy some enterprise-level thing to be able to VLAN tag the different SSIDs, which will likely perform much worse if my research into it is to be believed. I also really would like to have access to my normal LAN from my phone and other wireless devices like laptops. I also don’t want to have to set up a second cheap and likely crappier AP with a second SSID just for the roommates.

Advice, help, anything guys. I am still very much in the newbie stage here and am learning all the time. I just don’t know enough about these things to be able to do what I want sometimes.

Thanks in advance for any help you guys can give me. I am kind of frustrated to my wit’s end here.
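What option 1 amounts to at the shell level, as an added example (this is not code from the original post, from Asus, or from the Merlin project): on an AsusWRT-Merlin unit in AP mode, the guest SSID interfaces are pulled out of `br0` (the bridge that holds the wired ports and the main SSIDs, which is exactly why guests can reach the LAN in AP mode) and put on their own bridge together with a tagged VLAN sub-interface, so guest frames leave the router tagged for pfSense while the main SSID stays untagged. Every name and number in it is an assumption to verify on the actual unit: the guest interface names (`wl0.1`, `wl1.1`, `wl2.1`), the switch-facing interface (`eth0`), the VLAN id (20), the `vlan20` name `vconfig` produces, and the `robocfg` port map, which differs per model. By default it only prints the commands; `DRY_RUN=0` runs them.

```shell
#!/bin/sh
# Added example, not from the original post. Target: AsusWRT-Merlin in AP mode.
# Goal: move the guest SSID interfaces out of br0 (the main LAN bridge) into
# their own bridge with a tagged VLAN sub-interface, so guest traffic reaches
# pfSense tagged while the main SSID remains untagged on br0.
#
# Everything below is an ASSUMPTION to be checked on the actual unit:
#   GUEST_IFS    guest SSID interfaces (nvram get wl0.1_ifname, etc.)
#   TRUNK_IF     interface facing the internal switch (brctl show / ifconfig)
#   GUEST_VLAN   VLAN id pfSense expects for the guest segment
#   SWITCH_PORTS robocfg port map; port numbers differ per model (robocfg show)
#   vlanNN       name this firmware's vconfig gives the sub-interface
# Default is a dry run that only prints the commands; DRY_RUN=0 executes them.

GUEST_VLAN="${GUEST_VLAN:-20}"
TRUNK_IF="${TRUNK_IF:-eth0}"
GUEST_IFS="${GUEST_IFS:-wl0.1 wl1.1 wl2.1}"
GUEST_BR="${GUEST_BR:-br1}"
SWITCH_PORTS="${SWITCH_PORTS:-4t 5t}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command sequence, one per line, in the order it must run.
build_commands() {
  vif="vlan${GUEST_VLAN}"
  echo "vconfig add ${TRUNK_IF} ${GUEST_VLAN}"
  echo "ifconfig ${vif} up"
  # the Broadcom switch must carry the tag on the uplink and CPU ports,
  # otherwise the tagged frames never leave the box
  echo "robocfg vlan ${GUEST_VLAN} ports \"${SWITCH_PORTS}\""
  echo "brctl addbr ${GUEST_BR}"
  for g in ${GUEST_IFS}; do
    echo "brctl delif br0 ${g}"          # leaving br0 is what cuts LAN access
    echo "brctl addif ${GUEST_BR} ${g}"
  done
  echo "brctl addif ${GUEST_BR} ${vif}"
  echo "ifconfig ${GUEST_BR} up"
}

# guest_in_bridge "<brctl show output>" <bridge>
# Returns 0 if any interface in GUEST_IFS is still a member of <bridge>.
# After applying, guest_in_bridge "$(brctl show)" br0 must return 1.
guest_in_bridge() {
  printf '%s\n' "$1" | awk -v want="$2" -v ifs="$GUEST_IFS" '
    BEGIN { n = split(ifs, g, " ") }
    NR == 1 { next }                                    # column header line
    NF >= 3 { br = $1; iface = (NF >= 4) ? $NF : "" }   # first line of a bridge
    NF == 1 { iface = $1 }                              # continuation: one more member
    br == want { for (i = 1; i <= n; i++) if (g[i] == iface) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of `brctl show` output as it looks before the change
# (guest interfaces sitting in br0 next to the wired ports and main SSIDs).
SAMPLE_BEFORE='bridge name  bridge id           STP enabled  interfaces
br0          8000.000000000001   no           vlan1
                                              eth1
                                              wl0.1
                                              wl1.1
                                              wl2.1'

if [ "$DRY_RUN" = "1" ]; then
  build_commands
  guest_in_bridge "$SAMPLE_BEFORE" br0 && echo "sample: guest SSIDs are in br0, split needed"
else
  build_commands | while IFS= read -r c; do
    echo "+ $c"
    eval "$c" || { echo "failed: $c" >&2; exit 1; }
  done || exit 1
fi
```

Run it once over SSH with the defaults to see the command list, compare each name against `brctl show`, `robocfg show` and the `wlX.1_ifname` nvram values, then rerun with `DRY_RUN=0`. Bridge changes made this way do not survive a reboot or a services restart, so on Merlin the script would be called from a user script under `/jffs/scripts` (for example `services-start`) with JFFS custom scripts enabled; pfSense then needs a VLAN 20 interface on the port the Asus is plugged into, with its own DHCP scope and firewall rules that deny that segment access to the main LAN.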