Still trying to understand my Router setup
I'm going to try and keep this as short as I can. There are a few concepts regarding my Router's setup that I'm having a problem wrapping my head around. I'm sure I'm secure, except I think I may be unknowingly making it more complex than it needs to be. My Router Model is ASUS RT-AC3200.
When viewing the Network Map from the Router GUI I am presented with 3 tabs under "System Status", one for each Network speed connection (2.4GHz, 5GHz-1 and 5GHz-2). I have given each of them a separate SSID, i.e. MyNet2.4, MyNet5_1 and MyNet5_2 (not the real SSID). Everything else is the same across all 3 of them, i.e. Auth Method, Encryption and WPA-PSK key.
If I understand it correctly the WPA-PSK key will remain the same for each of them, this is my primary level Network Pwd? If I remember correctly, when I set one, it populated the remaining fields with the same key. I may be wrong, I'm trying to work from a very bad memory. Or should each speed have its own separate WPA-PSK key? My thinking is that there is only 1 "Network" and the PSK would stay the same, but then how do you know what speed you're attaching your device to?
I'll have a few more questions but I'm going to tackle one at a time so I don't get too confused.
The name of the network is the SSID.
The "password", or "passphrase" is the WPA-PSK (pre-shared key). It can be the same, or different for the different SSIDs, that's totally up to you.
In other words, in your setup you have 3 separate network names (SSIDs), all with the same password.
In a client device, you may have only one of those network names saved, in which case it would only connect to that one network, i.e. MyNet5_1 let's say. If the client device has more than one network name (SSID) saved, then it would connect to the stronger signal. You can always see which name/ssid you are connected to.
If one of those networks is intended as a "guest" network, I would change its passphrase (WPA2-PSK) so that guests wouldn't know your normal passphrase, and I would use the Asus "Guest Network" tab, that allows you to disable access to your other LAN devices for guests (called "Intranet" in the Asus firmware).
There is another way to set it up with fewer network names, but it limits your choices a bit:
If you don't really care which frequency band your devices are using, you can name both the 2.4GHz and 5GHz networks with the same SSID name (and same WPA-PSK passphrase) - then client devices would only see one network, and will connect to either 5GHz or 2.4GHz, whichever signal is deemed stronger. Devices only capable of 2.4GHz would use that band. This simplifies setup, and only shows one network name to devices. The only downside is that some smart clients (Google Home, Alexa, etc.) may connect to a 5GHz band and not find smart devices on the 2.4GHz band.
Disclaimer: Please use caution when opening messages, my grasp on reality may have shaken loose during transmission (going on rusty memory circuits), even though my tin foil hat is regularly audited for potential supply chain tampering. I also eat whatever crayons are put in front of me.
๑۩۞۩๑
Thank you for the above, you cleared up virtually everything I was wondering about. I do have a handful of settings questions but for now the most important ones have been answered. But I do have a couple of more general questions regarding the features mentioned below.
As stated, my SSIDs (for the purposes of this thread) are "MyNet2.4", "MyNet5_1" and "MyNet5_2". They are all sharing the same PSK. For this router I was able to create separate SSIDs for each GUEST account (3 of them). So for example, I have "MyNet2.4_Guest" as one Guest SSID, "MyNet5_1_Guest" for the other etc.... The Guest setup in the GUI gives me the opportunity to pick the Encryption, Authentication and assign a new PSK for that Guest SSID. On the same page there is the feature to Enable/Disable "Access Intranet" and it has been Disabled for each Guest account. It is my understanding that I can give someone my Guest SSID along with the corresponding Guest PSK and that enables them to access the features granted while keeping them from seeing the Network SSID. Does that sound right?
Philip wrote: If one of those networks is intended as a "guest" network, I would change its passphrase (WPA2-PSK) so that guests wouldn't know your normal passphrase, and I would use the Asus "Guest Network" tab, that allows you to disable access to your other LAN devices for guests (called "Intranet" in the Asus firmware).
Yes, sounds about right. The Guest network names/SSIDs will not be able to access your LAN/Intranet shared resources, provided that "access intranet" feature is set to disabled.
Note that all those networks/SSIDs will generally be "visible" to anyone prior to logging in, that doesn't mean they can access them, only that they'd be able to see all the Wi-Fi networks' names that are in range.
Also, usually people set just one "guest" network SSID/name, because, when you have this "Access intranet" feature disabled, the clients are isolated from each other, they can only access the internet but not share resources, that simplifies setup.
You may be overcomplicating it a bit 
It is not much more secure than just setting one guest network and having it AP isolated (intranet access disabled).
As to hiding SSIDs, it helps distract the casual Wi-Fi snooper, but it does not add that much value to securing your network, I don't even bother. As long as it is not the default SSID name, you are not giving up much information anyway. I have a neighbor with a Wi-Fi network named "FBI Surveillance VAN", another with two APs named "The Republic" and "The Empire", lol.
๑۩۞۩๑
Don't worry, if I can overcomplicate or overthink anything... I'm your man. I was aware that hiding the SSIDs wasn't really that stealthy of a trick, but I figured why not. The "FBI" SSID must be known nationwide since I've actually known someone who did the same thing. He actually bragged that by doing that nobody would really try and hack his network.
They don't use much electricity in general, just look at the power supply amperage for a general idea of maximum draw. It will depend on the number of clients, how far they are, how active the connection transmission is, etc. If you want to be more exact, you can buy one of those plug-in Kill-A-Watt meters, and see how many kWh it draws in 24 hours, or average it out over a week.
๑۩۞۩๑
A typical router consumes approximately 5 watts (±1-3 Watts) of electricity per hour. It depends on the manufacturer and model. Mine winds up 600 watts of power per month, which the router consumes if it is used 4 hours a day.
Philip wrote: Yeah, there was a list somewhere on the web of the funniest/most creative SSIDs and I am pretty sure that "FBI" SSID was on it.
Even with twice that consumption, considering average cost of 11-12 cents per kWh, monthly cost would be less than 20 cents. To put this in perspective, if you turn off your water heater for one day you'd save money to run your router for over a year by my guesstimate.