1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

How 'safe' is the guest network?

Discussion in 'ASUS Wireless' started by Pabla, Oct 19, 2019.

  1. Pabla

    Pabla Occasional Visitor

    Joined:
    Oct 28, 2018
    Messages:
    42
    Was planning on giving my tenants access to our home internet. Currently have them set on the configured guest network on my rt-ac3100. My main concern is security, as my whole security system is on the network. Is using the guest network option a good choice, while still keeping my main network secure? Or should I setup a second router on the network just for the tenants (may cause double NAT issues). Attached is my current setup for the guest network.
     

    Attached Files:

  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,743
    First, that seems very generous of you! :)

    Secondly, I would not use the default guest network options in this situation, even as you have set them (they are correct, btw).

    I would follow the following link and properly set up an amtm and a swap file on a spare USB key.

    amtm Step-by-Step https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421

    Then I would install YazFi and create a new subnet for your guests. :)

    https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

    This would be even more secure than using a second router just for the guests. ;)
     
    royarcher, a5m and Pabla like this.
  3. Pabla

    Pabla Occasional Visitor

    Joined:
    Oct 28, 2018
    Messages:
    42
    I was only going to give them access to my network if there was an easy and safe way.. doesn't seem like there is
    Thanks though for the links and info though! I will certainly still look into it :)
     
  4. OzarkEdge

    OzarkEdge Very Senior Member

    Joined:
    Feb 14, 2018
    Messages:
    1,669
    Location:
    USA
    Should you be concerned that their Internet usage would reflect on your ISP service account? You would not want to become suspect for their Internet activities.

    OE
     
    Pabla, Val D., dbareis and 1 other person like this.
  5. CaptainSTX

    CaptainSTX Part of the Furniture

    Joined:
    May 2, 2012
    Messages:
    2,072
    The two routers in a double NAT setup is simple and give you protection but only if the first router (Internet facing ) is the one that your tenants have access to. Devices on the first router won't be able to connect or see devices on the second router however the opposite isn't true.

    A double NAT setup won't have any measurable impact throughput at reasonably high speeds but it does make setting up a server on the second router more complicated.

    As others have pointed out there are other issues and another issue that you need consider is fair allocation of bandwidth. What happens if they stream several HD video sources and you also try and stream something? Do you have enough bandwidth to cover everyone?
     
  6. follower

    follower Senior Member

    Joined:
    Dec 1, 2014
    Messages:
    208
    A second router.
     
  7. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    625
    Location:
    Great White North
    This is the main reason to abandon the idea.
    @Pabla may get one day a copyright infringement notice because of something downloaded by his tenants.
     
  8. OzarkEdge

    OzarkEdge Very Senior Member

    Joined:
    Feb 14, 2018
    Messages:
    1,669
    Location:
    USA
    Or much worse when someone, anyone including their kids or guests takes to downloading child porn or browsing illicit/watched sites.

    OE
     
    Pabla and Val D. like this.
  9. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    625
    Location:
    Great White North
    Or even worse... home made kaboom devices, open threats to a politician... o_O:D
     
    OzarkEdge likes this.
  10. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,252
    Location:
    San Diego, CA
    How much do you trust them? The trust issue would also apply to the various IOT gadgets around the house - putting them into a sandbox where they can reach out to the internet for their cloud services, but no direct access back into the LAN/WLAN.

    Folks make a good case about what activities your tenants could do (kiddy porn, piracy, hacking, dark web, etc), and that would be traceable back to your WAN address, and without records/logs, it would be a serious challenge to support if the cops come knocking at the door.

    From a LAN side - the guest network is isolated from the primary network, and you can use AP isolation as well - so technically it is possible...
     
  11. Pabla

    Pabla Occasional Visitor

    Joined:
    Oct 28, 2018
    Messages:
    42
    Thanks for the input everyone! Haven't even thought about some of things mentioned, and because of that looks like I won't be giving them access after all!
     
    L&LD and #TY like this.
  12. HollowAlbert

    HollowAlbert New Around Here

    Joined:
    Sep 23, 2019
    Messages:
    2
    Could I just ask the thread in general a quick question... Why is there some need for a second router and NAT, or subnet etc? Obviously I understand the need to seperate guests in this example from the OP's network, but (and here's what I'm getting at) why isn't simply disabling the "Access the Intranet" option secure enough... Especially so if the guest network has different credentials etc than the OP's regular wifi network?

    I only ask because I got a distinct impression that the thread's concensus was, that disabling access to the Intranet, wasn't particularly effective at blocking guests from the OP's normal network activity, and thus protecting the OP's privacy/security etc on his regular network. Is that the case, or not?

    I was under the impression that the option of disabling Intranet access, was there precisely for this particular set of circumstances... Can you guys put me right, if I'm wrong, and full me in on whys and wherefores of this, please?
     
  13. Grisu

    Grisu Part of the Furniture

    Joined:
    Aug 28, 2014
    Messages:
    2,565
    Think the problem is not to isolate guests from his intranet (guest SSID should be fine for that) but that he doesnt know what his tenants are going to use on his line.
     
  14. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    625
    Location:
    Great White North
    Not really. It's a Guest Network. You invite guests, their kids bring tablets to watch YouTube, for example. They are around you, you know them well, they stay only temporary at your place, you expect what they are going to use the Internet connection for. With tenants you don't know, somewhere behind a closed door, is a bit different situation.
     
  15. CaptainSTX

    CaptainSTX Part of the Furniture

    Joined:
    May 2, 2012
    Messages:
    2,072
    Guest Networks work for wireless connections but they do not function on hardwired Ethernet connections.

    Also someone by having access to your network even as a guest has some clues that they could use to attempt access to your primary network.

    1. They know who the network is owner is so they can through guesses & social engineering try to determine the router's password.

    2. They know what the router's IP is.

    3. They know what SSID's are associated with the router.

    4. There is also the possibility that a guest user could crash the router and force a reset back to default settings.

    Items 2 & 3 can determined even if you don't have guest access but it is a short cut.
     
    Last edited: Oct 21, 2019
    L&LD and Val D. like this.
  16. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    625
    Location:
    Great White North
    Separating clients on wired connections is doable, but with the concerns above still not a good idea.