Guest network for wired devices

toaruScar

Regular Contributor
I have a device in my network that I don't fully trust but earns me passive income. I want to isolate this device with only internet access. This device is hooked directly to the ethernet port of my ZenWiFi XT8, and has no Wi-Fi capabilities.
I think a guest network meets all my requirements here except it's only for wireless devices. There're guest Wi-Fi options for each of the 3 bands of Wi-Fi, so I reckon guest network is configured on a per-interface basis, and the ethernet port my device is hooked to is just another interface, so in theory could also be easily(?) configured.

Is there a way, for example, some command line magic I can configure a guest network for an ethernet port on the device?

P/s: I tried to search for posts about VLAN here but most of the replies were about using guest network instead. So I decided to ask about guest network here as well, so it sounds like an XY problem now.
 
A recent suggestion here was to use a second router in Media (wireless) Bridge Mode to connect its LAN-only clients to your main router's isolated guest WLAN. Only practical if you have an old/spare router on hand that supports Media Bridge Mode.

OE
 
A recent suggestion here was to use a second router in Wireless Bridge Mode to connect its LAN-only clients to your main router's isolated guest WLAN. Only practical if you have an old/spare router on hand.

OE
Thanks for the suggestion, but the added delay is undesirable here. 20ms of delay is a threshold lower than which I try to keep the connection, and the current unsecured setup is already at 17ms.
 
@toaruScar, have you already tried it?

Depending on your WiFi Environment, you may be pleasantly surprised. :)

If you have tried it, did you test all available Control Channels for best responsiveness?
 
@toaruScar, have you already tried it?
Thanks for bringing this up.
My estimation is based on the ping result between two ZenWiFi XT8 nodes that are connected using the 5GHz-2 band Wi-Fi. And the ping result is
Code:
31 packets transmitted, 31 packets received, 0% packet loss
round-trip min/avg/max = 1.395/2.868/5.120 ms
 
You're assuming the worst. :)

Besides, two nodes are different from a router in Media Bridge mode.
 
You're assuming the worst. :)
I'm a bit lost here as to how this could be the worst case scenario. Maybe there's too much overhead for the ICMP packets generated by ping to go back and forth between internet layer and link layer on the routers, so that the result RTTs are not an accurate estimation of the delay in real life situation?

Anyway, I don't have an extra wireless router laying around. So this route does not work here.
 
You don't need an 'extra wireless router laying around'. Just pick up an RT-N12 D1 to do some testing with. Connect it to an (isolated) Guest network and let the 'not really welcome, but profitable', device access the internet as it needs to for around $30 or so.
 
Just pick up an RT-N12 D1 to do some testing with.

No Media Bridge in stock FW. Only Repeater Mode and it doesn't work reliably. Needs Tomato for Wireless Ethernet Bridge. I have 2 of those in my cottage as APs. Reliable little N300 router, but not ideal for the idea above.
 
Do you have any other devices on your modem? Plug it into that and it won't be able to get on your network through the WAN.
 
Do you have any other devices on your modem? Plug it into that and it won't be able to get on your network through the WAN.
My router does the PPPoE to access the Internet, and the modem is in bridge mode. And my ISP does not allow multiple PPPoE connections from one subscriber account. So unfortunately it won’t work.
 
I have a device in my network that I don't fully trust but earns me passive income. I want to isolate this device with only internet access. This device is hooked directly to the ethernet port of my ZenWiFi XT8, and has no Wi-Fi capabilities.
...

Is there a way, for example, some command line magic I can configure a guest network for an ethernet port on the device?

...
I'm not sure of how to break one of his ethernet ports out of the vlan the router FW created, making it a separate vlan on it to add to br0.
If nothing else was connected by ethernet to that router, then wouldn't he be able to log in and issue

ebtables -I FORWARD -i vlan1 -j DROP
ebtables -I FORWARD -o vlan1 -j DROP


to achieve the desired goal? It would isolate ALL wired devices from each other and the wireless interfaces as well as from the router.

With his router, I'm not sure how he would make the changes persistent across reboots.
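
An added example (not part of the thread and not ASUS code) of applying the two `ebtables` rules from the post above idempotently and re-checking them after a reboot or firewall restart. The interface name `vlan1` comes from the post; the function names and the `EBTABLES` dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent apply + verify for the two FORWARD rules in the post.
# Assumption: the wired port is the bridge member "vlan1" named in the post;
# confirm the real name with `brctl show` first.
EBTABLES="${EBTABLES:-ebtables}"   # set EBTABLES=echo for a dry run

# Accept only plausible interface names so nothing odd reaches the command line.
valid_iface() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read `ebtables -L FORWARD` output on stdin; succeed only if both DROP rules exist.
rules_present() {
    iface="$1"; in_ok=0; out_ok=0
    while IFS= read -r line; do
        case "$line" in
            "-i $iface -j DROP"*) in_ok=1 ;;
            "-o $iface -j DROP"*) out_ok=1 ;;
        esac
    done
    [ "$in_ok" -eq 1 ] && [ "$out_ok" -eq 1 ]
}

# Delete-then-insert so repeated runs (boot hook, cron) never stack duplicates.
apply_isolation() {
    iface="$1"
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 2; }
    for dir in -i -o; do
        "$EBTABLES" -D FORWARD "$dir" "$iface" -j DROP 2>/dev/null || true
        "$EBTABLES" -I FORWARD "$dir" "$iface" -j DROP || return 1
    done
}

# Re-apply only when the rules are missing (after a reboot or firewall restart).
ensure_isolation() {
    "$EBTABLES" -L FORWARD 2>/dev/null | rules_present "$1" || apply_isolation "$1"
}

# Constructed sample of `ebtables -L FORWARD` output, for checking the parser offline.
sample_listing() {
    printf '%s\n' 'Bridge table: filter' '' \
        'Bridge chain: FORWARD, entries: 2, policy: ACCEPT' \
        '-o vlan1 -j DROP' '-i vlan1 -j DROP'
}
```

Calling `ensure_isolation vlan1` from whatever startup hook the firmware offers keeps the rules in place; with `EBTABLES=echo` the commands are printed instead of run.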
 
I had forgotten about this.
A year or so back, my daughter had a little NanoPi Box she was convinced she needed to have hooked up to get a monthly check. But she didn't really have a spare ethernet connection. She was wanting a bigger router or some way to make it work for her.

Before booting it up,
I hooked a USB to TTL serial connector into the serial port on it. (don't connect the Vcc connection)
Then I added a $6.00 RTL8188CU wifi adapter to the USB port on it, letting it boot up.
Then in the putty terminal window I issued
nmcli
It might have been "sudo nmcli" if the login name was fa instead of pi.
I followed the onscreen prompts to set up access to her guest network and it worked for her.
It connected wirelessly on a guest network there for quite a while till the campaign ended.

Do not reboot the device or it will save the ~/.bash_history and they will see that there was some meddling being done.
And don't connect it through the TOR network or they will drop you from the campaign.
Just sync the filesystem . Let things settle a bit before pulling the power to it. It uses a journaled filesystem and seemed to always recover from unexpected power failures. When she was done with it, she brought it back to me and I started putting it to use toying around with it as a USB duplicator.
 