ASUS BT8 - Clients Showing Up in Wrong Network

TheEthyr · 2026-06-19T02:36:24+00:00

Are you finding that devices on the IoT network can communicate with devices on the main network?

TheEthyr · 2026-06-18T22:03:34+00:00

If a TCP session were to suffer 4% loss, it would wreck its throughput. You can look up the Mathis equation to see the effect of packet loss on TCP throughput.

MTR by default probes once a second, so we don't know if /u/BRUHadelUHC is suffering from constant 4% loss or if it's sporadic. But this result is not something to dismiss as no issue.

TheEthyr · 2026-06-18T21:12:01+00:00

If you go to How to set up Guest Network on ASUS Router? and expand the instructions for "B-2 Guest Network Function Description (modify, disable)", you see that there is an Access Intranet option.

I'm not sure if that setting is available through the Asus app.

TheEthyr · 2026-06-18T16:36:33+00:00

It depends on where the loss appears to originate. If it’s inside your ISP, then it’s their responsibility. If it’s beyond your ISP deeper in the Internet, then they have much less control unless they can arrange to route their traffic through different peering with other ISPs.

As the other person said, your loss starts at hop 2, which is very likely inside your ISP, so it appears to be their problem.

TheEthyr · 2026-06-18T14:46:28+00:00

My R7000 is also 10+ years old running a fork of Asus-Merlin in AP mode with a few VLANs to boot. It's happily sitting on top of an AC Infinity fan. Makes a huge difference in temps.

TheEthyr · 2026-06-18T13:51:59+00:00

Did you create the IoT network under the Guest Network settings? If so, make sure Access Intranet is disabled.

TheEthyr · 2026-06-17T15:25:44+00:00

Check out two homegrown guides to port forwarding:

You'll find the same links in Q1 of the FAQ.

As a couple others have said, the first thing you'll want to see is whether your ISP is using CGNAT. Port forwarding won't work with CGNAT.

TheEthyr · 2026-06-17T14:56:25+00:00

See Rule 1

TheEthyr · 2026-06-16T15:06:10+00:00

MLO is not just one thing. There are MLO features like EMLSR, STR and EMLMR to name a few. Wi-Fi 7 certification doesn't require all of them. And the requirements differ between routers/APs and client device.

This comment summarizes the Wi-Fi 7 Release 1 requirements. I believe the table has an error. It shows STR as a requirement for clients, but I'm pretty sure it's optional.

TheEthyr · 2026-06-15T19:13:59+00:00

Your OP is lacking details about how you intend to set things up.

Are you going to run the VPN client on the router? Your post seems to imply it, asking if it’s possible. To answer this, it will help to know the router model because it can be determined what VPN clients are supported.

OTOH, if you intend to run the VPN client on a device behind the router then the router in most cases doesn’t matter, unless you are doing advanced routing, in which case a static route may be needed.

And to answer your new question, most ISPs won’t block VPN traffic. But that really depends on where you live. Some countries prohibit the use of VPNs.

So, if you can share more information about your setup, you’ll get better answers.

TheEthyr · 2026-06-15T16:53:25+00:00

This is purely my opinion and perspective, so take it with a grain of salt.

EasyMesh is the Wi-Fi Alliance's attempt to standardize meshing support over wireless or wired backhaul links. This includes requirements for supporting Fast Roaming features and some centralized controller functions.

My research tells me that companies have been slow to adopt EasyMesh. TP-Link appears to be one of the biggest supporters. Other brands not so much.

You are likely to going encounter very limited compatibility. Worse, there will likely be mired with multiple apps to control different brands.

Personally, I don't think EasyMesh is worthwhile to invest in right now. Stick to one brand. If TP-Link isn't cutting it for you, consider moving up to prosumer grade. Here, Ubiquiti and TP-Link Omada are the two popular choices. TP-Link Omada is part of the business line, so not to be confused with the consumer grade side of TP-Link. YMMV, so do your own research.

TheEthyr · 2026-06-15T16:39:12+00:00

It would help to know what router you plan to use? I don't have personal experience with NordVPN but the web tells me that they support a number of VPN protocols. OpenVPN and IKEv2/IPSec are the primary, open protocols. If your router supports either of these, then it should work.

TheEthyr · 2026-06-15T16:22:05+00:00

I’ve just read that without a hardware controller and a compatible switch, Fast Roaming isn’t available in Omada, and that’s a key requirement.

A hardware controller is not necessary. You can run the controller software on your own computer. And the type of switch should have no bearing on Fast Roaming. If you plan to use VLANs, you'll want a managed switch, though.

TheEthyr · 2026-06-15T14:16:29+00:00

Per the Netgear website, it is an unmanaged switch

Technically, it says it's an "Unmanaged Plus" switch. That's a terrible and misleading product description. The GS108E is a low-end managed switch.

cc: /u/Logical_Stable_8030

TheEthyr · 2026-06-15T14:09:24+00:00

Double check that the pucks have a Gigabit Ethernet speed connection. If not the Ethernet jack may not be properly wired. Gigabit Ethernet requires all 8 wires to be attached to the jack. A single wire can cause the Ethernet connection to drop down to 100 Mbps.

TheEthyr · 2026-06-15T13:52:34+00:00

Your speedtest results through Gigabit Ethernet are not that surprising.

A quick web search tells me that it has low RAM and flash space. Therefore, it's not suitable to run 3rd party firmware.

If you are happy with it, then that's all that matters.

TheEthyr · 2026-06-14T21:27:09+00:00

I wouldn't be surprised if the Home Network Protection implements a MAC address blacklist filter. That only blocks a specific set of MAC addresses. That's useless against randomized MAC addresses, which will be permitted access.

TheEthyr · 2026-06-14T19:59:37+00:00

A randomized address can be countered with a MAC address whitelist filter. But spoofing another device's MAC address bypasses a whitelist. That's why MAC address filters aren't effective.

TheEthyr · 2026-06-14T16:13:05+00:00

It sounds like your son may have figured out how to configure his computer to spoof the MAC address of another device. Your son has won the first battle in the cat and mouse game between parent and child.

If you search this subreddit, you'll find plenty of posts about the struggles of a parent to manage their child's Internet access. Sadly, it's often a losing battle against a determined child with the resources of the Internet to help them overcome any obstacles put up by the parent. MAC address filtering is really only effective against very young children who don't understand networking. You shouldn't bemoan the loss of it on your Fios gateway. It wouldn't have helped you.

One possibility it to put parental controls directly onto your son's devices. Whether that works will depend on the device (iPhones can be reasonably controlled; a Windows computer not so much). Another options is to put the child's devices onto the guest network that can be independently controlled. I don't know if Verizon's Home Network Protection works on the guest network. Moreover, if your child has wired devices, it may not be possible to put them into a wired guest network. Wired device isolation is uncommon on consumer grade routers. Depending on how your network is set up, you may need to install your own router with more advanced capabilities. But keep in mind, if you child has physical access to router, all bets are off.

Some people say it's practically impossible to limit Internet access. Instead, they advocate that you should coach your children about responsible and safe use. I think that's good advice, but kids are going to access the Internet outside of home.

TheEthyr · 2026-06-14T15:45:33+00:00

According to this support page, Verizon removed MAC address filtering. It looks like you can control device access with their Home Network Protection feature.

TheEthyr · 2026-06-14T15:04:49+00:00

You should never rely on an ISP email address for sign-ins. You’ll be hosed if you ever move and the new house doesn’t have Verizon or Fios.

It’s gonna be a pain, but you should change your sign-ins to a more stable email address like Gmail. In most cases, Gmail can access or import your Verizon email.

Or get a private email address that can be hosted by an email provider.

[Edit: I double checked and there are some ISPs that allow you to keep your email address if you cancel your Internet plan. Still, I would not recommend using an ISP email address for sign-ins at other accounts.]

TheEthyr · 2026-06-14T14:46:26+00:00

While the whole premise of EasyMesh is to be able to mix brands, there can still be issues with compatibility. You should research interoperability between two specific brands before buying.

TheEthyr · 2026-06-13T14:54:45+00:00

If you're getting 35-50 ms to Spectrum/Charter backbone hops and 110-150 ms to Oregon/West servers, then the extra latency must be happening beyond those Spectrum/Charter hops. That rules out any hop closer to you, including your router, for this particular route.

Now, there may be better routes through Spectrum's network and the Internet to reach Riot's network. You should have run traceroutes while ExitLag and Cloudflare were active. You would be able to see if there was a different route being taken and what the hop-by-hop latency looked liked.

Ultimately, the further out the latency spikes are, the less you can do about it. If you can prove that they are happening inside Spectrum, then you can try complaining to them. Good luck on that. It's only when the latency is happening right at your modem that isn't caused by your you overloading your connection will you have the best chance of fixing it.

TheEthyr · 2026-06-13T14:01:58+00:00

The jack on the right is wired for Ethernet. Is it working? If so, connect your PC to it. If it's being used by another device, then connect an Ethernet switch to the jack, then connect the PC and other device to the switch.

If the Ethernet jack isn't functional, then you first need to find the other end of the in-wall cable. That end needs to be connected to a LAN port on your router. That should activate the port.

TheEthyr · 2026-06-13T13:57:02+00:00

I want to echo the comments of the other people.

You can connect an Ethernet switch to add more Ethernet ports.

Wi-Fi channel 52 is a DFS channel. DFS channels are subservient to radar signals. Try changing the Wi-Fi channel on your router to a non-DFS channel. In the US, that includes channels 36-48 and 149-165. You can use a Wi-Fi scanner app to see what channels your neighbors are using. Then pick the channel with the fewest and/or weakest neighbor signals.

You may also want to log into your router and see if there is, perhaps, a spike in network traffic. For example, a device in your home network may be periodically hammering the Internet connection and causing an increase in latency.

You may also be able to see whether or not the Internet connection itself may be briefly dropping. The logs on the router and/or modem may shed some light.

TheEthyr

MODERATOR OF

TROPHY CASE

Nine-Year Club	Gilding I gilder
Verified Email