Kitz Forum
Broadband Related => Broadband Hardware => Topic started by: ktz392837 on September 07, 2019, 05:54:48 PM
-
Does anyone know if I can isolate a WiFi user so they still get Internet access but they can't get access to other users on the network?
Thanks
-
Take a look at defining a Guest WiFi SSID and set up appropriate restrictions to keep the user isolated from the LAN.
-
Yes, it looks like you can define guest networks.
The screenshot is from my 8924 (same device but with addition of 5GHz wifi - firmware is identical) and it looks easy to do.
Go to 'Network Setting' and then 'Wireless' and you'll see the 'Guest/More AP' tab.
:)
-
Thanks for replies I wonder if I can define a different IP range for the guest network?
Its a pity the whole device seems to restart when you change virtually any setting it makes it difficult to experiment without occurring DLM wrath.
-
Its a pity the whole device seems to restart when you change virtually any setting it makes it difficult to experiment without occurring DLM wrath.
I wasn't aware of that "feature" with those devices. :-\
However, there is a way around it. Just disconnect the VMG8324-B10A from the incoming line and then make your changes. (Yes, the GUI will then constantly "nag" that it has a problem connecting to your ISP/CP but that can be ignored.)
-
Its a pity the whole device seems to restart when you change virtually any setting it makes it difficult to experiment without occurring DLM wrath.
I'm sure my one does not do that.
It might drop and reinstate the PPP session (but not the DSL link) for some changes but it doesn't usually need a full restart.
:)
-
Yes, it looks like you can define guest networks.
The screenshot is from my 8924 (same device but with addition of 5GHz wifi - firmware is identical) and it looks easy to do.
Go to 'Network Setting' and then 'Wireless' and you'll see the 'Guest/More AP' tab.
Quick read of the document suggests the built in Guest function isolates the client devices from each other, but doesn't specify if it also isolates them from wired devices.
-
Aesmith’s point is crucial of course.
The ZyXEL NWA3560-N WAPs, which I am using, have two separate functions: (i) isolate wireless stations from one-another, and (ii) a L2 isolation ACL feature which allows you to say “not allowed to talk to any wired or wireless node with the exception of x or y or z …” and you need this because if you want a particular node to be able to talk to the internet it will need to be able to talk to the default gateway ie the router and to a DHCP server, on-lan DNS server if applicable, and so on.
-
On my 8324:
I couldn't get this to work the WiFi client could still access www pages hosted on lan based clients so not isolated.
I tried the external guest option and even an acl item neither worked for me.
Unfortunately I am going to have to add specific firewall rules to each machine to deny access to the wifi device I want isolated. Far from perfect but the best I can do. I can't trust the router to do it.
-
IP firewalling isn’t going to work. As this is a layer 2 issue; a guest station can send non-IP Ethernet frames to another machine on the wired LAN and pester them that way.
Is there anything that can be done using VLANs with this router? Put the guest stations into a different VLAN and then have the router do VLAN remapping to get stuff to and from the internet?
Another alternative would be to put the guest machines on a different router in a different, routed IP subnet, firewalled off behind another NAT translator and in their own IP address range.
-
Thanks for reply it is good to know why at least the acl rules were not working but the wording on the guest WiFi setup on this router is a bit misleading.
There are some VLAN options on the router but whether all the required functionality is present I do not know and getting into the realms of completely not knowing what I am doing.
I wanted to set up two dhcp ranges on the router itself but I could only find a single range and the GUI is not really setup for multiple ranges anyway so seems to point to not possible.
The 2nd router is an idea but not sure I could get it to work (eg how do the 2nd router get internet access etc) it would be in the realms of my experience and capabilities of my equipment.
I am going to try adding rules to Windows and Linux firewalls to block all communication with the device. It is specific and a pain to keep track of and relying on me to remember to add the rules if I reinstall or other PCs are added to the network but without a better router I guess I am out of luck.
Perhaps when the new WiFi standard is out it is an excuse to look for something new and more configurable.
-
On my 8324:
I couldn't get this to work the WiFi client could still access www pages hosted on lan based clients so not isolated.
I tried the external guest option and even an acl item neither worked for me.
Unfortunately I am going to have to add specific firewall rules to each machine to deny access to the wifi device I want isolated. Far from perfect but the best I can do. I can't trust the router to do it.
My bold above - if they are www pages then I expect they would be accessible as they are on the internet (ie WiFi client goes out to the internet and back in again).
Or am I reading this wrongly?
:)
-
Sorry not clear it is www hosted on local machines not the internet eg DSLstats web interface so if the guest ap was truly isolating clients these shouldn't be accessible - a fundamental reason for using guest in the first place.
-
I've just taken a further look at the setup for this (see screenshot) and see it has a 'Guest WLAN' option with the further option to choose 'External Guest' or 'Home Guest'. Does even the External Guest option not properly isolate it?
:)
-
Unfortunately not External Guest was what I was using. Thanks for posting though.
I have ended up using ufw in Linux and Windows Firewall to block the IP address of the guest device. Far from ideal but I can at least trust it assuming I remember to add the rule if I do a full reinstall. Would have much more preferred it configured in the router.
-
An evil dhcp server on the guest ssid is a useful test case. This does not use IP. IPv6 infrastructure attacks are below IP too.
I would recommend testing, to convince yourself that you are in fact not protected.