Guest Network: Not restricting local network access.

Cloud200

Senior Member
Hi,
I have a problem and wondering on how it can be solved.
I set up a guest network for when friends are over but just realized that the restriction to local network resources is not working.
I tested with both a NAS on my network as well as a USB drive connected to the AC56u.

My current setup is as follows:

Ubiquiti Edgerouter as my gateway.
Asus RT-AC56u configured as an access point.

There are four different network names set up on the AC56u; one for each band and one for each of the guest network bands.

AP Isolated is not enabled on either of the bands.

I expected clients on the guest networks to be unable to access any resources on my LAN in the following ranges:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
And that should include access to the USB ports, be they configured for a shared drive or a shared printer.

If you need anything from me to help out with this just tell me what you need.

Thanks!
 
Guest restriction can't work properly while in AP mode, since the AP has no control over the traffic that goes through the main router.
 
Will it work if left in router mode but still not acting as a router?
I.e. DHCP server turned off, and not acting as the default gateway?

Edit:
So I tried it but it seems to break more than it fixes.
Guest networks are unable to talk to the router now.
This prevents them from getting an IP address from the DHCP server. This I can probably fix by letting the Asus give out DHCP responses on the subnet but eh . . .

Might just be better to cave in and get a different access point.
Something that works properly with guest networks or assigns VLANs to an SSID.
 
My question is why do you have friends that when they come over you feel you must enable the guest network lol?

I have personal things on my network such as family photos, videos, tax records, etc.

Said friends have children that come over and while I do let them have internet access, there is no reason to let them on my network unrestricted.

Family also come over, and 30 or so people that range from my brother-in-law, who is great, to my cousin, who the less contact I have with the better, all clamour for access to my WiFi.
 
My question is why do you have friends that when they come over you feel you must enable the guest network lol?

That's actually a really good question that has a really good answer. I do the same thing but it's not because I don't trust my friends per se. It's because I don't trust their choices in apps installed on their device (iPhone, Android, laptop, etc). Even people with the best intentions are typically walking around with a portable trojan horse in their pocket and last I checked they don't make condoms for mobile devices! :D
 
That's actually a really good question that has a really good answer. I do the same thing but it's not because I don't trust my friends per se. It's because I don't trust their choices in apps installed on their device (iPhone, Android, laptop, etc). Even people with the best intentions are typically walking around with a portable trojan horse in their pocket and last I checked they don't make condoms for mobile devices! :D

I appreciate the response. Also made me chuckle since I just fixed my friend's laptop, which I refused to connect to my network after seeing all the crap he has on it lol. Really would like to know how exactly a remote "hacker" could breach your network via a friend's phone or computer. I would imagine a "hacker" or whatever only being able to gather small-time details of your network like your public IP address, maybe your WiFi names etc., right?

In order for someone to be able to breach your network via a "rogue app" as I will call it, wouldn't they have to have the ability to do real time packet sniffing on remote networks? If so I would imagine only rooted android phones would suffer.

I kind of turned this thread OT and I do apologize
 
I have personal things on my network such as family photos, videos, tax records, etc.

Said friends have children that come over and while I do let them have internet access, there is no reason to let them on my network unrestricted.

Family also come over, and 30 or so people that range from my brother-in-law, who is great, to my cousin, who the less contact I have with the better, all clamour for access to my WiFi.

I see your point. If that was the case then I can see where they would be helpful. Not that I have ever thought about it until now, but I always imagined guest networks to be mainly used as a measure to disable access to a router's webpage.

Out of curiosity, if you even want to share the info I guess, how are your important files networked? Like do you use Samba, FTP, etc.?
 
Hi,
I have a problem and wondering on how it can be solved.
I set up a guest network for when friends are over but just realized that the restriction to local network resources is not working.
I tested with both a NAS on my network as well as a USB drive connected to the AC56u.

My current setup is as follows:

Ubiquiti Edgerouter as my gateway.
Asus RT-AC56u configured as an access point.

There are four different network names set up on the AC56u; one for each band and one for each of the guest network bands.

AP Isolated is not enabled on either of the bands.

I expected clients on the guest networks to be unable to access any resources on my LAN in the following ranges:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
And that should include access to the USB ports, be they configured for a shared drive or a shared printer.

If you need anything from me to help out with this just tell me what you need.

Thanks!

Wait. Are you saying that clients connected to the guest network can access files shared from your router? If so I may actually be able to help you out there....
 
Will it work if left in router mode but still not acting as a router?
I.e. DHCP server turned off, and not acting as the default gateway?

Edit:
So I tried it but it seems to break more than it fixes.
Guest networks are unable to talk to the router now.
This prevents them from getting an IP address from the DHCP server. This I can probably fix by letting the Asus give out DHCP responses on the subnet but eh . . .

Might just be better to cave in and get a different access point.
Something that works properly with guest networks or assigns VLANs to an SSID.

A different access point won't resolve your issue. What will is to have your primary router be the one with guest networking support.

Even VLANs won't help you, since once that router sends the traffic upstream to your primary router, it will be back on the same VLAN as used by your modem/router.
 
OP should look into "nessus". It was only after scanning my network using it that I discovered anyone on my network can access my router's Samba and FTP servers without a username and password.
 
My question is why do you have friends that when they come over you feel you must enable the guest network lol?

The most stupid and off-topic question I've read in a long time. Good job. Everyone has their reasons. :rolleyes:
 
The most stupid and off-topic question I've read in a long time. Good job. Everyone has their reasons. :rolleyes:

It had already been pointed out to me prior to you posting your comment. Had you taken the time to read, you would have known that. I still feel like you could make a fair argument that guest accounts are trivial, given that the person on your guest network would still be using the same shared public IP as others on the network, and a simple port scan would show that you have some type of server up.
 
A different access point won't resolve your issue. What will is to have your primary router be the one with guest networking support.

Even VLANs won't help you, since once that router sends the traffic upstream to your primary router, it will be back on the same VLAN as used by your modem/router.

Right, that's why I would need to do this like a business:
Get a WAP that supports multiple SSIDs on VLANs as well as Client Isolation.
Connect the WAP to a trunk port on my switch.
Add a new VLAN to my router and create a few firewall rules to prevent access from the new VLAN to my other ones.
Trunk the new VLAN from router to the switch.

This will definitely get the job done but just requires me to invest in a new WAP as well as some time playing with firewall rules.

The other option is to get a WAP like a Ubiquiti that supports blocking access to a specific subset of IP ranges that you program it with.

Either way, it seems like I have to purchase additional hardware to get it working as I want it to.

Edit:
To Rankdropper84:
Something I learned a loooooong time ago was that security in a network should never have to be justified, only the lack of.
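
One way to carry out the plan in this post on the Ubiquiti EdgeRouter the OP already uses as gateway, as an added example for this thread and not configuration from any poster. It assumes eth1 is the trunk port to the switch, VLAN 30 is the tag the new WAP puts on the guest SSID, 192.168.30.0/24 is the guest subnet, and the switch already carries VLAN 30 between the two.

```vbash
#!/bin/vbash
# Added example (not from the thread). Assumed: eth1 = trunk to the switch,
# VLAN 30 = guest SSID, 192.168.30.0/24 = guest subnet.
source /opt/vyatta/etc/functions/script-template
configure

# Guest VLAN sub-interface on the trunk; the router is the guests' gateway
set interfaces ethernet eth1 vif 30 description GUEST
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24

# The three private ranges the OP wants guests kept out of
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

# Traffic routed *through* the router from guests: drop anything bound for
# a private range, let everything else (the internet) pass
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 description 'block guests to private LANs'
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 destination group network-group RFC1918

# Traffic *to the router itself* from guests: only DHCP and DNS, plus replies
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 description 'DHCP and DNS from guests'
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name GUEST_LOCAL rule 10 destination port 53,67
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 state established enable
set firewall name GUEST_LOCAL rule 20 state related enable

set interfaces ethernet eth1 vif 30 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 30 firewall local name GUEST_LOCAL

# DHCP and DNS forwarding for the guest subnet
set service dhcp-server shared-network-name GUEST subnet 192.168.30.0/24 default-router 192.168.30.1
set service dhcp-server shared-network-name GUEST subnet 192.168.30.0/24 dns-server 192.168.30.1
set service dhcp-server shared-network-name GUEST subnet 192.168.30.0/24 start 192.168.30.100 stop 192.168.30.200
set service dns forwarding listen-on eth1.30

commit
save
exit
```

Outbound NAT is assumed to already masquerade everything leaving the WAN interface, as the EdgeOS setup wizard configures it; the DNS entries only matter if the router is the guests' resolver.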
 
Right, that's why I would need to do this like a business:
Get a WAP that supports multiple SSIDs on VLANs as well as Client Isolation.
Connect the WAP to a trunk port on my switch.
Add a new VLAN to my router and create a few firewall rules to prevent access from the new VLAN to my other ones.
Trunk the new VLAN from router to the switch.

This will definitely get the job done but just requires me to invest in a new WAP as well as some time playing with firewall rules.

The other option is to get a WAP like a Ubiquiti that supports blocking access to a specific subset of IP ranges that you program it with.

Would your public IP not show that you have SMB or FTP or whatever it is that you use on your NAS? Have you ever looked into pfSense? That whole setup you just listed sounds like one confusing, insecure, expensive mess to me. Feel free to reply to my post, or don't lol.
 
Enforcing Some AP Guest Network Restrictions

I'm using an RT-N66 as an AP and I need to restrict access to the LAN as much as I can. The following seems to do all but the AP and the router. Called by the start-services script. YMMV.

Code:
#!/bin/sh
# lanrestrict.sh
# Add LAN Restrictions to ASUS WRT when running as AP
# VER 1.1 20150123 PHI
#
# Bridge-level (ebtables) filtering: the guest SSID interfaces (wlX.1-3) may
# only exchange frames with the upstream router's MAC and with broadcast
# (ARP, DHCP); every other frame bridged from or to a guest interface is
# dropped. Frames addressed to the AP itself go through INPUT, not FORWARD,
# so the AP's own services (and the router's) are not covered here.
logger "$0 begins"
gw=$(nvram get lan_gateway)
ping -c 1 -W 2 "$gw" >/dev/null 2>&1     # make sure the ARP entry exists
router=$(arp -a "$gw")                   # e.g. "? (192.168.1.1) at 00:11:22:33:44:55 [ether] on br0"
rtmac="${router#* at }"                  # strip everything up to " at "
rtmac="${rtmac%% *}"                     # keep the 17-character MAC that follows
if [ -z "$router" ] || [ "$rtmac" = "$router" ]; then
    logger "$0: could not resolve the MAC of $gw, no rules applied"
    exit 1
fi
logger "Router mac address is $rtmac"
# Insert chain in ebtables
ebtables -F FORWARD # Flush the chain first in case of re-running...
for guest in wl1.3 wl1.2 wl1.1 wl0.3 wl0.2 wl0.1; do
    ebtables -I FORWARD 1 -o "$guest" -j DROP
    ebtables -I FORWARD 1 -i "$guest" -j DROP
done
# Exceptions are inserted last so they end up in front of the DROPs
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s "$rtmac" -j ACCEPT
ebtables -I FORWARD 1 -d "$rtmac" -j ACCEPT
logger "$0 ends"
#

Note this idea came from Starfall's post at http://forums.smallnetbuilder.com/showthread.php?t=7021
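
A way to confirm that rules like the ones above (or a router-side VLAN setup) actually hold, as an added example written for this thread rather than taken from any poster. Run it from a client on the guest SSID with IP:port targets; it assumes `ip` and `nc` exist on that client, and that only the default gateway and public addresses are supposed to answer.

```shell
#!/bin/sh
# guest-check.sh: added example (not from the thread). Run from a client on
# the guest SSID. Assumes `ip` and `nc` exist on that client.
# Expectation: the gateway and public hosts answer; every other RFC1918 host
# (NAS, other PCs, the AP's own USB share) is unreachable.

# in_rfc1918 IP  -> status 0 if IP is within 10/8, 172.16/12 or 192.168/16
in_rfc1918() {
    set -- $(printf '%s' "$1" | tr '.' ' ')       # split into octets
    [ $# -eq 4 ] || return 1
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    return 1
}

# expect_for HOST GATEWAY -> prints "blocked" for private hosts other than
# the gateway, "open" for the gateway and for public addresses
expect_for() {
    if [ "$1" != "$2" ] && in_rfc1918 "$1"; then echo blocked; else echo open; fi
}

# tcp_open HOST PORT -> status 0 if a TCP connect succeeds within 2 seconds
tcp_open() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# check_all GATEWAY HOST:PORT... -> status 0 only if every probe matched
check_all() {
    gw=$1; shift; rc=0
    for target in "$@"; do
        host=${target%:*}; port=${target##*:}
        want=$(expect_for "$host" "$gw")
        if tcp_open "$host" "$port"; then got=open; else got=blocked; fi
        if [ "$got" = "$want" ]; then
            echo "OK    $host:$port is $got"
        else
            echo "FAIL  $host:$port is $got, expected $want"; rc=1
        fi
    done
    return $rc
}

# Usage: sh guest-check.sh 192.168.1.20:445 192.168.1.1:53 1.1.1.1:443
if [ $# -gt 0 ]; then
    check_all "$(ip route show default | awk '{print $3; exit}')" "$@"
fi
```

A non-zero exit status means at least one host answered that should not have (or the gateway did not).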
 
Right, that's why I would need to do this like a business:
Get a WAP that supports multiple SSIDs on VLANs as well as Client Isolation.
Connect the WAP to a trunk port on my switch.
Add a new VLAN to my router and create a few firewall rules to prevent access from the new VLAN to my other ones.
Trunk the new VLAN from router to the switch.

This will definitely get the job done but just requires me to invest in a new WAP as well as some time playing with firewall rules.

The other option is to get a WAP like a Ubiquiti that supports blocking access to a specific subset of IP ranges that you program it with.

Either way, it seems like I have to purchase additional hardware to get it working as I want it to.

Edit:
To Rankdropper84:
Something I learned a loooooong time ago was that security in a network should never have to be justified, only the lack of.

I take security on my network pretty seriously, or so I think. I would love for someone to come out and just be honest and tell me why I am wrong, if I am. I just think all this is way overkill. If you want the best security for your network then just tell them that they can't use your WiFi. Or when you know you will be having company over, just turn off your NAS drive. Want security? Doesn't get better than that. Outside of that you could also have your NAS drive turn off after X time in standby; mine is set to 3 minutes. I also have my NAS drives all username and password locked. The way I see it is, in order for you to be able to access one of my NAS drives you would need to be able to access my router, which if you can access that then I probably have bigger problems.

If I am wrong feel free to say it since I am always open to learning. TBH I will definitely be using a guest network for others for now since it's a good idea. *Puts on flamesuit*
 
This is silly. The OP has explained what his issue is. He doesn't need to justify trying to work out the security issue. And no one needs to tell you you're wrong either, because no one wants to have the argument. But just the same, the "solution" that he should turn off his NAS is a little like saying, "If you want real security, don't have a network", because that's the logical extension of the argument.

You want real security? Use Sneakernet only.

Sheesh.
 
This is silly. The OP has explained what his issue is. He doesn't need to justify trying to work out the security issue. And no one needs to tell you you're wrong either, because no one wants to have the argument. But just the same, the "solution" that he should turn off his NAS is a little like saying, "If you want real security, don't have a network", because that's the logical extension of the argument.

You want real security? Use Sneakernet only.

Sheesh.

More or less I was kind of hoping some network admin would step in. Either way the OP wants to just have his network secure when people come over for fear of some rogue app that will delete all his files. I suggested to just turn off his NAS while he has people over. Just seems crazy to me to spend all that time and effort and money to protect something that he probably wouldn't even use when people are over anyways.

I guess I don't like spending money where I feel it shouldn't be spent and figure others wouldn't either if they knew of a better option. If the OP is seriously scared of losing data, his best bet IMO would be to set up some kind of firewall in between the modem and router, like pfSense.
 
OP has already described his situation and needs. Maybe he's concerned about guests connecting for extended stays, like family who visit for extended periods, making it not practical to turn a NAS on and off all the time. Maybe he's working remotely while his kids and their (tech-savvy) friends are using the guest SSIDs, making a more secure guest network solution a real priority for him. Turning off a NAS might work for you, but it might not for someone else, hence the need for a more viable and secure solution.

Sneakernet: Google and Wikipedia are your friends.
 
