Newbie? HA with different SSIDs in same home

Hello
Newbie question, just starting with HA and trying to figure things out.
Please forgive me if I am not using the correct terminology or posted in the wrong forum!

I have an Asus Router that can do three wifi networks (SSIDs):

  1. “Home” (main wifi network for computers, iPads, Rokus, Plex, Chromecast, etc.) with wired ethernet drops in the main rooms + 2 access points. Same SSID name for 2.4 and 5 GHz.
  2. “Guest” (for guests) on 2.4 & 5 GHz
  3. “IoT” that is 2.4 GHz only (for skybell, TP Link Kasa devices, future devices, myQ garage, etc)

I have HA running on a Raspberry Pi 4, that is physically plugged into an Ethernet port on a drop in another room and the router has assigned it a random IP address.

The Asus router is set up to assign DHCPs from 192.168.50.50 onwards.
My router is 192.168.50.1
Access point 1 is 192.168.50.10
Access point 2 is 192.168.50.20
Home server for Plex is at 192.168.50.3
Current HA IP address is 192.168.50.141 (random).

I’ve been told that I need to segregate the IoT devices onto a different network that is 2.4 GHz, thus the need for putting the kasa plugs and other devices onto the “IoT” SSID.

HA recognizes devices that are attached to the “Home” SSID, but does not recognize the devices that are set up with the “IoT” SSID. If I move a device from the “IoT” SSID to the “Home” SSID, then HA will recognize it (like the kasa plug).

Is there a way for HA to “see” the devices that are linked to the IoT SSID? And also see the devices that are on the “Home” SSID?

I have 6 Kasa plugs, and 2 of them are on the “Home” SSID, the other 4 are on the “IoT” SSID, and they work fine through the phone app which is connected via the “Home” SSID.

Should I assign the HA an IP address similar to my server (between x.x.50.1 and x.x.50.50)?

Thanks in advance!

Since “Home” is taken by both 2.4 and 5.0, I am guessing the “IoT” is also a guest network. If so, in the guest settings, can you try enabling the “Access Intranet” setting?

Are they the same channel?

It seems that your home network or HA is under the same network IP? Or does it have a different IP channel divided into 2 different zones? If yes, you need to move your HA into that IP channel.

For example 192.168.1.xxx and 192.168.2.xxx (again depending on your setup) the two networks won’t or should not be able to see each other.

Thanks so much! That did the trick! All the Kasa devices are now showing! I had to make one more configuration change in that the Access Point #1 also broadcasts the IoT SSID for devices. I turned off Access Point #1, enabled the “Access Intranet” Setting on the Asus router, and then rebooted the router and also rebooted HA. I then restarted Access Point #1 once HA recognized the Kasa plugs.
However, I do wonder about the security implications of the “access intranet” setting b/c isn’t the entire purpose to isolate IoT devices to their own SSID?

Yes, you are correct, but the advantage is that you can disable/restrict/control the guest account without affecting the main network (e.g. you can enable MAC filtering on the “IoT” account). Your Kasa wifi device can be set up to run local only without cloud, so you can sit it on the same network as your HA. Don’t register it to a cloud account. Use the app as guest; then, once the device links to your wifi, it will be a local device. Your Asus might have a VPN server; make use of that if you want to control your device away from home.

Edit: here is some info on it

https://www.tp-link.com/us/support/faq/2707/

I have an Asus router, too. And I have a guest account for friends/visitors with intranet disabled. My ESPHome devices are connected to the same WiFi as all other wifi devices (main). I don’t see any point in using separate wifi networks for these two things. I think that the whole point of “guest wifi” is to turn off intranet access, so it’s meant to be used by friends, visitors… in your house for internet access, but not inside your private network.
Whether your devices are connected to the first or second wifi really doesn’t make any difference, since both have to have intranet access enabled. To be honest, it’s just some more work for the router, that’s all.

OK, like @huu said: you can disable the IOT network (but why would you want to do that?), and you can enable MAC filtering on the IOT account. True, but there’s always the first wifi network without a MAC filter, so if someone wants to connect/intrude and isn’t able to connect to the IOT network, he will connect to your first (main) network, right?
I could be wrong, though… so, if there’s any real advantage I’d like to hear it.

Yeah, MAC filtering is more useful as network traffic control rather than security. Security is taken care of via WPA2.

Actually, there is a point in doing exactly the inverse of the “guest” network: allowing only intranet access, thus preventing those pesky wifi IoT devices from phoning home.

Hm… how do you prevent a guest network from accessing the internet? I don’t see any option in my Asus… the only thing close to it is “access time” - I don’t know what would happen if I set that to zero…? Is that it? In this case I take my words back…
But, then again… if I could prevent devices from going outside, there’s no point in using a MAC filter… is there?

Newer Asus routers have that option on the guest network setting. I turned two older ones into access points, and they don’t have the “access intranet” option under the guest setting.

I appreciate everyone’s thoughts on this. As mentioned, a total newbie with this kind of stuff. Have a skybell, google minis, plus various other gadgets like the kasa plugs.
In my reading, I keep seeing advice to isolate all the internet of things devices onto a separate SSID for security purposes, so that’s what I did. If that makes no sense, then I will get rid of that extra SSID.

@sksjedi The “Access intranet” setting is to enable/disable INTERNAL network access, not outside traffic (WWW).
Also: if anyone uses the Asus AiMesh system (multiple routers, connected together), then only the first guest account (left from three) allows this guest wifi to be available on all AiMesh devices (additional setting “Sync to AiMesh Node”); the second and third are available only on the master router (I know, stupid, but…).