How is guest network isolated from Intranet?

Should mean that they can access your internet, but have no access to any of your network services. (ie: network shares, homegroup, etc..)
 
I can't respond for the original poster, but I thought we were talking about "how" that is accomplished.

It doesn't appear to be a different subnet as some routers do it. It seems to be an assignable isolation method.
 
I haven't looked at how it worked, but it could possibly be through ebtables, since the guest networks do have their own MACs.
 
Contacted Eric/Merlin about this today and got the same hint about ebtables.
First of all, I'm no expert, so I hope somebody could explain my observation to all of us:

Each Guest network appears as an interface (ifconfig) wlX.Y (X is 2.4/5GHz, Y is number 1, 2 or 3).

ebtables -t broute -L returns the following for each interface:

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP


ebtables -t filter -L returns the following:

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP


ebtables -t nat -L is identical for eth0, eth1 and wl0.1.
Marks with 0x6 and accepts.

Correct me if I'm wrong, but it looks to me like the filter will drop all bridge traffic to wl0.1, and as the ebtables manpage points out, the BROUTING DROP means that the traffic from wl0.1 will be routed instead of bridged.

I kind of lost track after this step, but packets should be sent to iptables for routing. There is always a possibility that no extra security steps are needed (as packets can follow regular routing).

Some useful links about Linux bridging:
http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section2
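As an added example (not from the thread, and not the router firmware's own code), a small POSIX sh script that audits captured ebtables listings for the three rules the post above identifies; the interface wl0.1, the subnet 192.168.1.0/24 and both listings are constructed stand-ins for real output:

```shell
#!/bin/sh
# Added audit helper, not code from the thread: given captured output of
# `ebtables -t filter -L` and `ebtables -t broute -L`, check that a guest
# interface is isolated as the post above describes (bridged frames in and
# out of it dropped in FORWARD; IPv4 for the LAN subnet DROPped in BROUTING
# so it is routed, and reaches iptables, instead of bridged). The interface,
# subnet and both listings here are constructed.

# Constructed stand-in for `ebtables -t filter -L` output
FILTER_LISTING='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# Constructed stand-in for `ebtables -t broute -L` output
BROUTE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP'

# chain_drops LISTING CHAIN PATTERN: succeed if a rule line under the
# "Bridge chain: CHAIN" header (rules run until the next blank line)
# contains PATTERN and ends in "-j DROP".
chain_drops() {
    printf '%s\n' "$1" | awk -v chain="$2" -v pat="$3" '
        /^Bridge chain:/ { inchain = ($3 == (chain ",")) }
        /^$/             { inchain = 0 }
        inchain && index($0, pat) && $NF == "DROP" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# guest_isolated IFACE SUBNET: 0 when all three isolation rules are present,
# 1 (naming the first missing rule) otherwise.
guest_isolated() {
    chain_drops "$FILTER_LISTING" FORWARD "-i $1 -j" ||
        { echo "$1: frames FROM the guest are not dropped in FORWARD"; return 1; }
    chain_drops "$FILTER_LISTING" FORWARD "-o $1 -j" ||
        { echo "$1: frames TO the guest are not dropped in FORWARD"; return 1; }
    chain_drops "$BROUTE_LISTING" BROUTING "-i $1 --ip-dst $2" ||
        { echo "$1: no BROUTING divert for $2; guest-to-LAN IPv4 stays bridged"; return 1; }
    echo "$1: isolated from $2 (bridging blocked, LAN-bound traffic routed)"
}
guest_isolated wl0.1 192.168.1.0/24
```

On the router you would substitute real `ebtables -t filter -L` and `ebtables -t broute -L` output for the two constructed strings. Note that the quoted BROUTING rule only diverts TCP, so other IPv4 from the guest toward the LAN is never routed but is still discarded by the FORWARD drop; the script confirms the rules exist, not what iptables then does with the routed TCP.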
 
I would love to see a Switch option for each LAN port to control if it is Guest or Not. It seems to me to be an easy thing to add. My old Linksys had such an option on the wired ports.

Question since I'm a bit new to routing tables and all. Best I can tell the "Firewall" is basically a set of rules based on IPtables, etc.
Is ebtables basically the same thing as IP tables?

I will be reading more into ebtables, I'm just trying to understand this whole thing. I don't want to side track the thread, but after having dd-wrt setup with the IP-tables wide open I had someone logged into the terminal of My PC. It could have been a fluke, or something completely else, but I immediately removed dd-wrt as it doesn't have a "Firewall" and I didn't feel secure.
 
I, for one, wouldn't find functionality for dedicating LAN ports to the guest network useful. I've never had a guest that wanted to use a wired port; they're usually laptops, tablets, smartphones, etc.

Do you have visitors that bring cabled systems over to your place? Or have things that you connect with a cable that you don't want on your home network?

Just curious what you're thinking about here. I'm not attacking you, just wondering what sort of device you're considering? Most consumer devices these days use wireless, at least at my house *smile*. I do have a Verizon Network Extender that could be on a guest network, but I have a wireless bridge for connecting it, so that's not an issue.
 
My main reason for using the Guest mode would be for my son who is gaming on his computer. His computer does not need to access anything on the network, just the internet.
I can get him a wireless card, that is the no-brainer solution, but because he has a wired port, and because I think it would provide some usability to others, I suggest it.

I might be a bit paranoid, but I don't like anything that doesn't need to be intranet worked to be on my intranet. Example, my camera system doesn't need to access my intranet so I'd prefer it act as a guest and push straight out to the internet.
 
On your son's computer, I find it helpful myself to be able to transfer files amongst the wired computers here that I admin. It would be a pain not to be able to do that. But even though I understand "least privilege", I might not set up my home network that way. I suppose that you could change that designation as you need to, but that's a bunch of overhead for file transfers, or backups, or whatever.

Obviously I don't have a security camera system, just assumed that they would be wireless, too.

How about using a VLAN for these situations? Just a thought.
 
Yes, effectively it would be best to VLAN his computer from the rest of the network. I had installed DD-WRT and although I do networking and computers for a living, the settings were a little beyond me. I had everything working: two VLANs, a guest network for one port and one of the WiFi bridges, and one that allowed for internal communications as well. My real issue was I felt like there was no "Firewall". No barrier between the internet and my computers. Again, my understanding and belief is that the Firewall isn't much more than routing rules for different ports, and routes.

Since Asus is a high performance networking and computer company, and would likely be used by gamers, I would think such an option may appeal to some of their customers.

What I'm picturing is just a single configuration line or page with the four ports and a pair of radio buttons. Either the port is guest or not. If it's guest it follows the same rules as the guest mode for the WiFi does. Since this would be on the eth0 side it would require its own set, but they are essentially a duplicate of the guest rules on the wl0.1 side.

Anyway, I'm reading through the ebtables page linked above and trying to learn more about all of these settings.

I trained on Cisco CCNA years ago, but never touched a real box after that. And with that, firewalls such as Junipers and SonicWalls, well, the firewall part is all part of the black magic as far as I can tell.
 
I have a secondary router cascaded LAN-to-WAN to my primary router (Asus). The secondary router is on a different LAN segment and has no access to my primary intranet. Sometimes I accidentally connect to the secondary router when gaming. I don't even know the difference. The latency between the routers is negligible.

So you could always find a cheap refurb router and disable the wireless on it and then cascade it and put it on different lan segment for his xbox/ps3.

On some routers, UPnP does not work on the guest network. Not sure about the Asus.
 
That is not a terrible idea. I had a Netgear WNDR3700 and a WND3500 before. I planned to have one on each level of my house to give me good coverage, since the WNDR3700 was in a wire closet the signal was weak.
Unfortunately I sold them both. And the real kicker, other than that I felt I never got enough money, is the person gave me a negative review on eBay because the power cable would lose connection if pulled on the wrong way....

Maybe I'll be in the market for one that I can DD-WRT and create a VLAN. This might really be the best solution.

Alternately I have been toying with the idea of turning an Odroid-X2 I have sitting around into a router. This just might be the right time for it, then I can learn iptables/ebtables myself.
 