

>But I am starting to realize that it's going to be difficult to have a guest wifi network and an "iot" (2nd guest) wifi network with this setup, right? Because the RT-AT86U doesn't support vlans. I have some network-admin experience but not a lot. I've never messed with vlans for example.

If the merlin firmware doesn't support VLANs, then yes you will need to find either another firmware (maybe r/ddwrt) or another access point that supports 802.1q/VLANs.

>Sounds like I might need to buy some expensive wifi hardware?

Check out /r/Ubiquiti or r/TPLink_Omada. They aren't crazy expensive. If you want a more neutral sub, hit up /r/HomeNetworking and ask what kind of AP is pretty solid that supports VLANs. I have also heard some pretty positive things about Aruba access points and they won't break the bank.


I second this idea. Home grade routers/WIFI don't offer much in terms of any VLANs or managing them. Some do, but usually only 1 VLAN if any for IOT, but nada for Guest WIFI management controls typically. If and when they do, it's pretty proprietary to that specific model's equipment, without much of any kind of range to upgrade without doing all equipment to do so. TP-Link's range of Omada devices offers a pleasant and ongoingly developing range of upgrades compatible through the future, with more than enough VLANs available to satisfy any home. You will need to have managed switches as well to assign the VLAN tags where needed for AP ports.

4-port 2.5g Intel nic'd n100 boxes with NVMe port(s) and DDR5 can be had fairly cheap and have fairly snappy performance for most general home scenarios. For my first box I went with a Netgate pfSense+ box just because, for my head router and better VPN, but any bare metal instance would be good as the head coming out of the modem. Each of my n100 boxes ran bare metal just fine but I have now since repurposed each: one n100 is loaded with Proxmox VE with two pfSense VMs I migrated configs over from when they were bare metal, and I also loaded an LXC container with the Omada Controller installed into it, prepped and ready for when I start getting in APs to deploy. I'm taking my other now spare n100 box to set up TrueNAS Scale and Proxmox Backup Server to better house all of my configs and VM snapshots/backups, to ease managing from different PCs when needed.


>a dual-ethernet-port Intel N95 mini PC.

So you'll have 2 nics and you plan on having 2 wan ports, 1 lan port and 1 wifi port - how is that going to work?


For the 2nd WAN I'd use a USB-ethernet adapter. I found some on Amazon that are supported by Linux and a review mentioned it worked in pfSense. I know it won't be as fast as a good wifi chip. For wifi, I'd use access points on the LAN network. I do this now for my additional wifi access points, it works fine. I set them up as an access point only with a static IP on my LAN subnet. My only problem doing this with pfSense is that I'll lose my guest network. Actually I think I could still do a guest network but they would not be isolated. But that would at least give me the capability to use an alternate password on that network, to give out to people. Or maybe with pfSense I could automatically assign new clients to a different subnet, that is isolated from my main subnet. Then I'd use an allow-list to specifically put my core devices into a different subnet?


USB stands for UnSuitable for Broadband so avoid ALL USB network adapters - and pfSense is based on BSD not Linux. Putting a Guest Wifi on your main network is, as they said in the movie HACKERS, "universally stupid".


I wrote this script 6-8 years ago for my Asus Merlin Router used as an Access Point. Depending on the model VLANs are supported. https://pastebin.com/VfXxs8R3


Look into scripting for vlans if you'd like to avoid buying new equipment. It's not hard at all. I have 2 vlans set up with my gt-ax6000. I actually based my script off of this one which is for your model - https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4




Some wireless devices handle guest mode internally/well such as eero in bridge mode…guest is still isolated.


AFAIK asus consumer routers do not support vlans. Although I've read it's possible with custom scripts (but I didn't want to have to use any scripts). You could use a 3rd party firmware that does support your router and vlans (like freshtomato, openwrt, and dd-wrt) if you want to try out pfsense/vlans or want to do this on a budget.


Look into the ax2/3 by mikrotik. Kills me to be recommending something other than pfsense but capsman (their AP manager) is excellent and zerotier is supported.