
How to secure my LAN from the Guest Network


digital68

New Around Here
We have 3 Asus RT-AC87U connected by wire; we tried all kinds of setups to avoid this problem with no solution.

The Guest Network uses the same IP range as the LAN instead of a subnet, so the USB drives, printers and computers on the LAN network are always visible to the Guest Network users even if you disable the intranet; in a few words, the "Disable Access to Intranet" option does not work. The LAN (main) network always gives access to all the Guest Network users.

We tried setting them up as routers - did not fix the problem
We tried setting them up in AP mode - did not fix the problem
We tried setting them up as a bridge - did not fix the problem and is even worse because everything runs under the 5G

People are printing on our printers from their personal cell phones and tablets. They also have access to our file server.

How could I fix this problem?
 

Are all RT-AC87U's offering WiFi?

Ultimately, we need more information about your network topology (e.g. are the devices cascaded or centrally connected?) before we begin offering options.
 
Try installing the router you want to provide guest services as the first router connected to the Internet. The WiFi on this router will be used for guest access.

Install your additional 2 AC87Us double NATed behind this first router in a different subnet. The second and third router will be connected by running an Ethernet cable from a LAN port on the first router to the WAN port on the second router. The third router can either be run double NATed or as an AP connected to the second router. Turn off the permission for access from the WAN to administrative functions on the second and third router if you have double NATed them.
 
People are printing on our printers from their personal cell phones and tablets. They also have access to our file server.

How could I fix this problem?


Turn off the guest network(s) and change all SSIDs and passwords and only give them to devices that need them. DO THIS NOW.

Tell us how you are wiring your three routers and suggestions will follow.

What firmware is running? Was a reset to factory defaults performed if the firmware has ever been upgraded? Have you used a backup config file to restore settings after resetting to factory defaults?

http://www.snbforums.com/threads/no...l-and-manual-configuration.27115/#post-205573

The above link gives in more detail the steps you should have followed (or should follow now) to get the latest stable firmware for your hardware and ensure that you are starting from a clean state with no possibility of phantom issues hiding behind improper upgrading and/or setup of your routers.
 
First thing I would do is install something like OpenWrt because you can create zones/groups for your WiFi. Couple this with VLANs and smart switches.

A guest network on a consumer router expects that router itself to be the main router otherwise the traffic will just leak.

I would segment on both layers 2 and 3 at least because some things will traverse on layer 3. A simple network topology for this would be a router followed by a smart switch and the APs. The entire network should use active VLANs between the network gear, and the main router would need to support this. The router would need to have a separate DHCP instance running on each VLAN providing different IP networks, and the switches on the network should not switch between VLANs. Since consumer routers have switch chips in them this can be difficult. This is why business APs do not have switch chips in them.

Swap the AC78U for Ubiquiti APs or better, as long as it supports at least 2 SSIDs and VLANs. Make sure it lets you choose how you want to route traffic. Consumer routers with OpenWrt can do this too.
You will need a smart switch and a router that supports VLANs.
Set up 2 active VLANs on your network, one for LAN and one for guests. Have DHCP give a different IP network to each VLAN; configure and treat the VLAN as an interface and not the physical ports.

To prevent leakage, avoid any inter-VLAN routing in any network gear and don't allow any sort of routing or forwarding on the physical interfaces; make sure it's all VLAN interfaces. On the side towards the clients you will have to use passive VLANs, so that means 2 SSIDs (1 for each VLAN). On the router and APs, see if you can configure VLANs on the switch chip; if not, then disable switching and make all the traffic go through the CPU. On some routers like the ones with a Broadcom SoC that use only the integrated ports, this may be less limiting.

The issue with the AC78U is that it has various chips that handle things, so it makes it possible for leaking to happen or even poor performance from internal bottlenecks. If you are a business or higher, then the last thing you want is for bugs from consumer routers to interfere, even if you can't get a business AP with MU-MIMO. What makes the AC87U internally bottlenecked is the internal design, and that when you overclock it nothing gets faster. Throughput would still be the same and the responsiveness too. If you really want MU-MIMO, other than the AC87U the rest from ASUS use Broadcom's SoC, which is much better. The AC3200 and 5300 have different physical radios, so you can perform layer 1 segmentation as well (often meaning physically segment your network), assuming you can bridge each WiFi separately to separate interfaces.
 
@System Error Message "....I would segment on Layers 2 and 3 at least because some things will traverse on Layer 3". This is an interesting thread for me as I am trying to do something similar to the OP.
Are you saying that two routers, one behind the other with the WAN side of router two set to the subnet of router one's LAN side, will still allow leakage from router one to router two? I know that the LAN behind router two will be able to access the LAN behind router one, but surely not vice versa?
 
The routers won't leak layer 2, but whether they leak layer 3 simply depends on whether you use NAT or routing. Upon seeing the TCP specification, layer 3 information is stored in it, so if you have a NAT it won't replace the network information in it, which is why NAT detection easily works on TCP. IGMP proxy and UPnP need to be configured properly. As to whether layer 3 inter-routing is allowed depends on setting static routes with the capability to drop.

To prevent leakage, just have a good router that supports active VLANs and that allows rules. A lot of consumer routers, or all of them, don't support active VLANs on LAN, only WAN for Internet connectivity.

So if you configure everything right and leakages do happen, then it would be a bug in the firmware or a flaw in the design, as is the case with the AC87U (the configs don't involve the accelerator units, so they assume layer 2 is all visible and not isolated).
 
If you put the 3 routers and connect them LAN to WAN and give them all a different IP address and have the first one for the guest network:
router 1 192.168.1.1
router 2 192.168.2.1
router 3 192.168.3.1
Put the printers and file servers on router 3.
Router 3 can see 2 and 1, and router 2 can see 1, but router 1 can't see 2 or 3. Therefore they can't share any files or print on any printer.
Also networking won't work between the routers unless there are static routes.
It can get complicated, but I can't see why that won't work for you without having to get new switches or more routers.
This way there is no leakage. Each router has its own network and DHCP range, but they all work from the same modem.
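As an added illustration of the cascade described in this post and in the earlier double-NAT suggestion (this is example code written for this page, not anything from the forum or from ASUS), the small model below computes which LANs can open connections to which when routers are chained LAN-to-WAN, and generalizes to a chain of any length. The subnets and router names are the constructed ones from the post; the one assumption is that each NAT router has a default route upstream but no route or port forward back into a downstream LAN.

```python
"""Reachability model for LAN-to-WAN cascaded (multi-NAT) consumer routers.

Assumption (constructed model, not vendor behaviour): a NAT router forwards
its LAN clients upstream via its default route, but holds no route and no
port forward back into a downstream router's LAN.  Connections therefore
only flow from a LAN towards the LANs of routers above it in the chain.
"""
import ipaddress

# Constructed topology from the thread: router 1 faces the Internet and
# carries the guest WiFi; printers and the file server sit on router 3.
ROUTERS = {
    "router1": {"lan": "192.168.1.0/24", "uplink": None},
    "router2": {"lan": "192.168.2.0/24", "uplink": "router1"},
    "router3": {"lan": "192.168.3.0/24", "uplink": "router2"},
}


def router_for(ip):
    """Return the router whose LAN contains ip, or None if it is on no LAN."""
    addr = ipaddress.ip_address(ip)
    for name, r in ROUTERS.items():
        if addr in ipaddress.ip_network(r["lan"]):
            return name
    return None


def upstream_chain(name):
    """Routers above `name`, nearest first (what its LAN clients can reach)."""
    chain = []
    while ROUTERS[name]["uplink"] is not None:
        name = ROUTERS[name]["uplink"]
        chain.append(name)
    return chain


def can_initiate(src_ip, dst_ip):
    """True if a host at src_ip can open a connection to a host at dst_ip."""
    src, dst = router_for(src_ip), router_for(dst_ip)
    if src is None or dst is None:
        return False
    # Same LAN, or a LAN above us that the default route (and NAT) leads to.
    return src == dst or dst in upstream_chain(src)


def exposed_to(guest_router):
    """Other LANs a guest client on guest_router's WiFi could reach."""
    return upstream_chain(guest_router)
```

Placing the guest SSID on the Internet-facing router gives `exposed_to("router1") == []`, while the same SSID on router 3 would expose both inner LANs, which is the reason the post puts the guest network first.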
 