Guest network access does not work with when mac filter enabled

StanleeSPUDwowski

Occasional Visitor
I set up my ASUS RT-AC68P with both 2.4 and 5 GHz set up for wireless access but hid the SSID. I also set up MAC filters to apply to both of them. Then I set up a guest network for 2.4 and 5 GHz as well. I tested it using an iPhone whose MAC address I did not add to the filter. Why can it not connect to the guest network? When I disable the MAC filters it works fine. How can I get around this?
 
I've seen the same on NG also. The MAC list filter interferes with the guest wireless. The best security is a strong password. MAC filters and hiding SSIDs are a waste of time. MAC filtering is easy to bypass and should not be considered a security measure, as someone can sniff out a valid MAC and spoof it.
 
OK, thanks for the tip. Then what is the point of having the filter? I mean, I know that if the MAC is spoofed, the user can mask their device with the spoofed MAC address. Why have it then? Strong passwords are a keysake; nothing is secure really. Passwords can be brute-force attacked.
 
> OK, thanks for the tip. Then what is the point of having the filter? I mean, I know that if the MAC is spoofed, the user can mask their device with the spoofed MAC address. Why have it then? Strong passwords are a keysake; nothing is secure really. Passwords can be brute-force attacked.

I suggest you go to the site listed below and test your password. I think you are underestimating how much protection a strong password really offers.

www.grc.com/haystack.htm

My password, 14 characters in total including capital letters, numbers and special characters, is rated to take 15.57 thousand centuries, assuming that the brute-force attack can generate a hundred trillion guesses per second.
 
OK, OK, the century got me. Yes, I do use a strong 14-character password for my password manager. People are amazed that I am able to remember it; it just takes practice and a photographic memory.
 
So if MAC filtering is a waste and hiding the SSID is pointless, what other contingencies should be used besides a strong password? If I use the 2.4 and 5 GHz wireless, what should I do for the guest network to lock it down, so that I let users in when they need Internet access?
 
> So if MAC filtering is a waste and hiding the SSID is pointless, what other contingencies should be used besides a strong password? If I use the 2.4 and 5 GHz wireless, what should I do for the guest network to lock it down, so that I let users in when they need Internet access?

The simplest way, IMHO, to provide a secure guest network that totally isolates your primary network from an intrusion by a guest is to double NAT a second router behind your primary router. When I need to give someone temporary Internet access I have a Linksys 54G which I plug in.

With your guest network being in its own subnet there is very little chance that a guest will be able to gain access to your LAN assets.

As you have seen trying to run both a primary network and a guest network on the same router can cause some issues. If you use the two router solution you can still run MAC filtering on your primary router if it makes you feel that your network is more secure. You also have the option on your guest network router to block or filter sites without impacting users on your primary network. When my sister brought all her kids to visit I set my guest router to be B only which prevented her kids from using all my bandwidth to stream multiple videos day and night.

There are power users on this site who can help you write custom scripts and set up custom iptables rules that can probably do most or all of what you want or need to set up a tight guest network on your primary router, but I am a KISS type of guy.
 
> With your guest network being in its own subnet there is very little chance that a guest will be able to gain access to your LAN assets.

He will have complete access to your whole LAN this way; this does not help in any way (aside from having firewall rules on every LAN client to reject that second subnet). For instance, try directly accessing the IP of the first router from behind the second router.
 
> He will have complete access to your whole LAN this way; this does not help in any way (aside from having firewall rules on every LAN client to reject that second subnet). For instance, try directly accessing the IP of the first router from behind the second router.

I don't know how your network is set up, but I just tested mine again and they are isolated.

Primary Router: 192.168.1.1

DHCP server 192.168.100 - 119

Secondary Double NATed router

WAN Static IP 192.168.1.5

LAN IP 192.168.199.1

DHCP Server 192.168.199.100 -119

Printer on this network is 192.168.199.60

WAN access to either router is disabled for administration.

When I run a ping from a PC attached to the primary router with IP 192.168.1.100:

Pinging the printer at 192.168.199.60 No response 100% packet loss

Pinging the double NATed router at its static WAN IP 192.168.1.5 No response 100% packet loss

Reversing the test and pinging from a PC 192.168.199.200 attached to the double NATed router:

Ping primary router at 192.168.1.1 No response 100% packet loss

Ping computer at 192.168.1.100 No response 100% packet loss

Ping printer at 192.168.199.60 4 responses less than 1 ms.

So why is my setup with a double NATed setup different from your setup?

As far as I can tell my networks are separate and isolated.
 
My setup is as follows. I have the ISP to a ZyWALL USG20W, then to the ASUS wireless router, model RT-AC68P. I have the ZyWALL acting as the front-end firewall/DHCP/VPN router; the ASUS is now set to AP mode instead of router mode, so only the wireless network and guest network are usable. The only thing I want is that if a user wants Internet access, the guest network should be isolated, which is what ASUS indicates it is. However, I know that when I have MAC address filtering on, the guest network is not connectable unless, of course, the device is in the filter whitelist. This should not be; the two networks need to be separate for wireless.
 
> My setup is as follows. I have the ISP to a ZyWALL USG20W, then to the ASUS wireless router, model RT-AC68P. I have the ZyWALL acting as the front-end firewall/DHCP/VPN router; the ASUS is now set to AP mode instead of router mode, so only the wireless network and guest network are usable. The only thing I want is that if a user wants Internet access, the guest network should be isolated, which is what ASUS indicates it is. However, I know that when I have MAC address filtering on, the guest network is not connectable unless, of course, the device is in the filter whitelist. This should not be; the two networks need to be separate for wireless.

If you want to keep it simple, try what I suggested. Connect another router to your ZyWALL and double NAT it. Again, IMHO this will give you much more control than you get with a guest network setting.

My experience is that with the guest network enabled on Merlin's firmware and/or ASUS' firmware, your primary network isn't totally isolated, and if you know the IP of a device on the primary network you can ping it from the guest network.
 
> I don't know how your network is set up, but I just tested mine again and they are isolated.
>
> Primary Router: 192.168.1.1
>
> DHCP server 192.168.100 - 119
>
> Secondary Double NATed router
>
> WAN Static IP 192.168.1.5
>
> LAN IP 192.168.199.1
>
> DHCP Server 192.168.199.100 -119
>
> Printer on this network is 192.168.199.60
>
> WAN access to either router is disabled for administration.
>
> When I run a ping from a PC attached to the primary router with IP 192.168.1.100:
>
> Pinging the printer at 192.168.199.60 No response 100% packet loss
>
> Pinging the double NATed router at its static WAN IP 192.168.1.5 No response 100% packet loss
>
> Reversing the test and pinging from a PC 192.168.199.200 attached to the double NATed router:
>
> Ping primary router at 192.168.1.1 No response 100% packet loss
>
> Ping computer at 192.168.1.100 No response 100% packet loss
>
> Ping printer at 192.168.199.60 4 responses less than 1 ms.
>
> So why is my setup with a double NATed setup different from your setup?
>
> As far as I can tell my networks are separate and isolated.

Anything that's on the WAN side of the second router (including your primary LAN) is accessible to the second LAN just the same way as if it was on the Internet. Maybe your ping packets aren't getting returned, but I can tell you that the first LAN is definitely reachable from the second LAN. I actually had one customer with such a setup, and I had to configure some specific firewall rules to ensure that the downstream LAN wouldn't be able to reach the first LAN.

I have another customer who shares their office with other corporations in the same building. I isolated them behind their own router to prevent other tenants from accessing their computers and server, and my customer is still able to reach the printer that's located within the first LAN and is shared amongst all tenants of the floor.

And finally, I frequently have such double NAT setups here at home when working on a router. My laptop that gets connected behind the second router has no problem reaching my primary machine on the primary LAN, so I can access my compiled test builds to flash them on the second router.

NAT isolates you on inbound connections. Not on the outbound (otherwise, the entire Internet would be unreachable to you).
 
In addition to what RMerlin wrote below, I find that if the second router has a numerically higher IP address it can access the lower IP network, but not the other way.

Specifically, if the main router is 192.168.1.1 and the second router (double natted) is 192.168.2.1

Then, a device on the 192.168.2.x network can access the 192.168.1.x network, but a device on the 192.168.1.1 network cannot access the 192.168.2.x network.

(At least at default settings and without setting up Static Routes).


> Anything that's on the WAN side of the second router (including your primary LAN) is accessible to the second LAN just the same way as if it was on the Internet. Maybe your ping packets aren't getting returned, but I can tell you that the first LAN is definitely reachable from the second LAN. I actually had one customer with such a setup, and I had to configure some specific firewall rules to ensure that the downstream LAN wouldn't be able to reach the first LAN.
>
> I have another customer who shares their office with other corporations in the same building. I isolated them behind their own router to prevent other tenants from accessing their computers and server, and my customer is still able to reach the printer that's located within the first LAN and is shared amongst all tenants of the floor.
>
> And finally, I frequently have such double NAT setups here at home when working on a router. My laptop that gets connected behind the second router has no problem reaching my primary machine on the primary LAN, so I can access my compiled test builds to flash them on the second router.
>
> NAT isolates you on inbound connections. Not on the outbound (otherwise, the entire Internet would be unreachable to you).
 
Interesting.

I have run a double NATed setup for various reasons for over five years and have never been able to utilize resources on either LAN without physically being connected to it.

Currently my primary LAN is 192.168.1.1 using a FIOS supplied Actiontec router. The only devices connected to this network are the STB and I can't see or manage them unless I am connected to this network. Nor can I use devices (storage, printers, streaming devices ) on my secondary LAN. The only way I can connect to this LAN from my secondary LAN or from the WAN is to enable remote administration over the WAN.

My secondary, double NATed router is an N66U running Tomato. It is in the 192.168.199.1 -254 subnet. This is the LAN I use for everything except FIOS devices. It also routes all non-video-streaming traffic using a VPN client run on the router. Again, I have never been able to connect from this LAN to the 192.168.1.1 LAN. With the correct port forwarding turned on on the primary Actiontec router, I am able to run an FTP server on the N66U as well as remotely administer the router. Normally both these functions are disabled for security.

I also on occasion turn on a Linksys 54G in its own subnet for guest access.

Based on what you are telling me, I will have to do some further testing, even with no routing tables set up, to see how to connect to devices on any or all of the LAN subnets.
 
> My secondary, double NATed router is an N66U running Tomato. It is in the 192.168.199.1 -254 subnet. This is the LAN I use for everything except FIOS devices. It also routes all non-video-streaming traffic using a VPN client run on the router. Again, I have never been able to connect from this LAN to the 192.168.1.1 LAN. With the correct port forwarding turned on on the primary Actiontec router, I am able to run an FTP server on the N66U as well as remotely administer the router. Normally both these functions are disabled for security.

If you run a VPN client on the second router, then that'd be why - that tunnel totally bypasses (skips) your primary LAN, leading you outside the WAN of your primary server.
 
> If you run a VPN client on the second router, then that'd be why - that tunnel totally bypasses (skips) your primary LAN, leading you outside the WAN of your primary server.

Thank you.

With the VPN client disabled it works as L&LD described.

I can PING and connect to devices in the lower numbered LAN from the higher numbered LAN but devices in the lower LAN can not connect to anything in the higher numbered LAN.

I guess that means that if you want to use a separate subnet to create a more secure guest network you need to set it up with a lower subnet than the primary network which you want to keep secure.
 
Ah, VPN... I thought it may be acting differently because of the Tomato firmware at first.

Thanks for verifying it works the same way for you too (without VPN running).
 
> Thank you.
>
> With the VPN client disabled it works as L&LD described.
>
> I can PING and connect to devices in the lower numbered LAN from the higher numbered LAN but devices in the lower LAN can not connect to anything in the higher numbered LAN.
>
> I guess that means that if you want to use a separate subnet to create a more secure guest network you need to set it up with a lower subnet than the primary network which you want to keep secure.

High or low number does not mean anything - TCP/IP routing works based on binary masks, not on how high or low a value is.

The mechanic is that the clients behind the second router can reach those behind the first router because, from their own firewall's point of view, they are on the Internet. Clients on the first LAN cannot reach those on the second LAN, because they are blocked by the second router's firewall/NAT (because, once again, they are considered to be Internet-side).
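The mechanic described above (outbound from the second router's LAN is allowed and source-NATed, unsolicited inbound toward it is dropped, and the primary LAN is "Internet" from the second router's point of view) can be made concrete with a small model. The following is an added example, not code from the thread or from any router firmware: it uses the addresses posted earlier in the thread, reproduces the ping matrix from both sides, shows why a VPN client on the second router makes the primary LAN look unreachable, and shows the effect of the kind of isolation rule RMerlin mentions having to add. The interface names in the rule (`br0` for the second router's LAN bridge, `eth0` for its WAN port) are assumptions.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the thread; the routers themselves are only modelled here.
ROUTER1_LAN = ip_address("192.168.1.1")
ROUTER2_WAN = ip_address("192.168.1.5")       # static WAN address of the second (double-NAT) router
ROUTER2_LAN = ip_address("192.168.199.1")
PRIMARY_LAN = ip_network("192.168.1.0/24")
GUEST_LAN = ip_network("192.168.199.0/24")

# Assumed iptables rule for the second router (interface names are assumptions):
# drop NEW connections from its LAN toward the primary LAN; everything else (Internet,
# replies matched by conntrack) keeps working.
ISOLATION_RULE = (
    "iptables -I FORWARD -i br0 -o eth0 -d 192.168.1.0/24 "
    "-m conntrack --ctstate NEW -j DROP"
)


class DoubleNatModel:
    """Stateful-firewall model of two routers in series, just enough to reproduce the
    reachability discussed in the thread. Host firewalls on the PCs are not modelled."""

    def __init__(self, isolate_guest=False, vpn_on_router2=False,
                 router2_answers_wan_ping=False):
        self.isolate_guest = isolate_guest                   # ISOLATION_RULE loaded on router 2
        self.vpn_on_router2 = vpn_on_router2                 # router 2 sends all LAN traffic into a VPN tunnel
        self.router2_answers_wan_ping = router2_answers_wan_ping

    @staticmethod
    def side(ip):
        if ip in GUEST_LAN:
            return "guest"
        if ip in PRIMARY_LAN:
            return "primary"
        return "internet"

    def can_reach(self, src, dst):
        """Return (reachable, reason) for a NEW connection or ping from src to dst."""
        src, dst = ip_address(src), ip_address(dst)
        s, d = self.side(src), self.side(dst)

        if dst == ROUTER2_WAN and s == "primary":
            if self.router2_answers_wan_ping:
                return True, "router 2 is configured to answer on its WAN address"
            return False, "router 2 drops unsolicited packets to its WAN address (no port forward, WAN ping off)"

        if s == d:
            return True, "same subnet: switched locally, neither router's firewall is involved"

        if s == "internet":
            return False, "router 1 rejects unsolicited inbound from the Internet"

        if s == "guest":
            # Outbound from router 2's LAN: allowed, source-NATed to 192.168.1.5, and the
            # reply is matched by conntrack. 192.168.1.0/24 is 'Internet' as far as router 2 knows.
            if self.vpn_on_router2 and d == "primary":
                return False, "router 2 pushes the packet into the VPN tunnel, so it never reaches 192.168.1.0/24"
            if self.isolate_guest and d == "primary":
                return False, "ISOLATION_RULE on router 2 drops NEW guest -> primary LAN connections"
            return True, "router 2 forwards outbound traffic; the reply matches its conntrack entry"

        if d == "guest":
            # primary LAN (or Internet) toward router 2's LAN: unsolicited inbound on router 2's WAN
            return False, "router 2 rejects unsolicited inbound; 192.168.199.0/24 sits behind its NAT"

        return True, "router 1 forwards outbound traffic normally"   # primary -> Internet


def ping_matrix(model):
    """The cross-subnet probes from the thread, as {(src, dst): reachable}."""
    probes = [
        ("192.168.1.100", "192.168.199.60"),    # primary PC -> printer on the guest LAN
        ("192.168.1.100", "192.168.1.5"),       # primary PC -> router 2 WAN address
        ("192.168.199.200", "192.168.1.1"),     # guest PC -> router 1
        ("192.168.199.200", "192.168.1.100"),   # guest PC -> primary PC
        ("192.168.199.200", "192.168.199.60"),  # guest PC -> printer (same subnet)
    ]
    return {p: model.can_reach(*p)[0] for p in probes}


if __name__ == "__main__":
    scenarios = [("default", DoubleNatModel()),
                 ("VPN client on router 2", DoubleNatModel(vpn_on_router2=True)),
                 ("isolation rule on router 2", DoubleNatModel(isolate_guest=True))]
    for label, m in scenarios:
        print(f"--- {label}")
        for (src, dst), ok in ping_matrix(m).items():
            print(f"{src:>16} -> {dst:<16} {'reachable' if ok else 'blocked'}")
    print("rule for the isolated case:", ISOLATION_RULE)
```

In the default scenario the guest PC reaches both 192.168.1.1 and 192.168.1.100 while nothing on the primary side reaches the guest LAN, which is exactly the asymmetry reported in the thread and has nothing to do with which subnet number is higher. The VPN scenario reproduces the earlier "100% packet loss in both directions" result without any isolation actually being in place. One caveat when testing this for real: a host firewall on the primary PC may drop pings from a foreign subnet, so a failed ping from the guest LAN proves nothing; test against the primary router's address or a service port rather than relying on ICMP alone.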
 
> If you want to keep it simple, try what I suggested. Connect another router to your ZyWALL and double NAT it. Again, IMHO this will give you much more control than you get with a guest network setting.
>
> My experience is that with the guest network enabled on Merlin's firmware and/or ASUS' firmware, your primary network isn't totally isolated, and if you know the IP of a device on the primary network you can ping it from the guest network.

How do you set up double NAT? I'm currently using the ZyWALL as the security gateway and the ASUS as just an access point. What would be the process to go through to set this up? I would really like to use MAC filtering on the ASUS for the wireless, but for the guest wireless, can't it be separated? If not, then what is the best option? Thanks.
 