Is "guest network" feature on ASUS routers safe?

Super User Asked by Josh M. on December 24, 2020

My ASUS RT-AC68U router has an option to enable a “guest network”. I’m curious how “safe” this is. The config page claims that it only allows traffic through to the internet, so I assume it physically blocks traffic from the Guest network to any LAN port and only allows it to flow through the WAN port?

Note that what I mean is an OPEN guest network, no authentication.

Does anyone have any information on this and how safe/unsafe it is?

4 Answers

The question is actually quite good. I came here to see HOW this feature works and what we find under the hood, because it DOES work perfectly as of now (2019/Apr/12) with Asus firmware version 1.1.2.3_674.

There is no "leakage" between the Guest network and the regular WiFi/LAN. I have now tried pretty much everything, like manually changing the IP and scanning the whole subnet, and the separation is working, so I wanted to understand HOW.

It seems Asus might have done some kernel magic in the netfilter code, because here is what it does:

Your router has a dedicated interface for this:

ra1       Link encap:Ethernet  HWaddr <MAC>
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15136 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1960036 (1.8 MiB)  TX bytes:7742992 (7.3 MiB)

rai1 is probably the 5 GHz WiFi equivalent. Then in the ebtables bridge code I see:

    Bridge chain: FORWARD, entries: 4, policy: ACCEPT
    -i ra1 -j DROP
    -o ra1 -j DROP
    -i rai1 -j DROP
    -o rai1 -j DROP

But that just wouldn't make sense, would it?! With this you are clearly blocking all layer-2 traffic between your LAN and the guest network, but I would assume the Internet too, since it's a generic forward rule.

The only security issue I found with this "separation" is that if a client on the Guest network knows the IP of some other machine, it can fool the router into thinking it is that other machine by changing its address, but this will not affect the ARP table of any other machines on the network, only the router's.

They are all part of the main bridge interface br0. Maybe someone can enlighten us with the truth; until then, let's just say it works!

Answered by sunflower on December 24, 2020
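The puzzle in the answer above (how can a FORWARD DROP on ra1/rai1 still leave Internet access working?) comes down to which chain a frame traverses. On a Linux bridge, ebtables FORWARD only sees frames bridged from one member port to another; a frame addressed to the bridge's own MAC (the router's br0 address, which is what a guest client uses as its default gateway) is delivered to the router's IP stack through the INPUT chain and is then routed, e.g. out the WAN. The following is an added example, not code from the answer or from the ASUS firmware: it parses the ebtables FORWARD listing quoted above and models that bridge behaviour. The bridge MAC, the LAN host MAC and the port list eth1/ra0/ra1/rai1 are constructed assumptions; the ra1 and rai1 names are the ones from the post. It does not model the ebtables nat/broute tables or the firmware's own bridge-mode behaviour, so it complements, rather than replaces, a real test from a guest client.

```python
import re
from dataclasses import dataclass

# Constructed input: the `ebtables -L FORWARD` listing quoted in the answer.
EBTABLES_FORWARD = """\
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-i ra1 -j DROP
-o ra1 -j DROP
-i rai1 -j DROP
-o rai1 -j DROP
"""

RULE_RE = re.compile(r"^-(i|o)\s+(\S+)\s+-j\s+(ACCEPT|DROP)$")
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Rule:
    direction: str  # "i" = ingress bridge port, "o" = egress bridge port
    iface: str
    target: str


def parse_forward_chain(listing):
    """Parse `ebtables -L FORWARD` text into (policy, [Rule, ...])."""
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Bridge chain:"):
            m = re.search(r"policy:\s+(\w+)", line)
            if m:
                policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(*m.groups()))
    return policy, rules


def forward_verdict(policy, rules, in_port, out_port):
    """FORWARD verdict for a frame bridged in_port -> out_port.
    Rules are evaluated in order and the first match wins, as in ebtables."""
    for r in rules:
        if (r.direction == "i" and r.iface == in_port) or \
           (r.direction == "o" and r.iface == out_port):
            return r.target
    return policy


def deliver(in_port, dst_mac, bridge, policy, rules):
    """Where does a frame entering the bridge on in_port end up?

    bridge = {"mac": br0's own MAC, "ports": [...], "fdb": {mac: port}}
    Returns {"local": bool, "bridged": {out_port: verdict}}.
    A frame for the bridge's own MAC goes to the router's IP stack (INPUT
    chain; then routed, e.g. out the WAN) and never hits FORWARD.
    Broadcast/multicast is delivered locally AND flooded to the other ports.
    Unknown unicast is flooded; known unicast goes to its FDB port only."""
    dst = dst_mac.lower()
    own = bridge["mac"].lower()
    is_group = bool(int(dst[:2], 16) & 1)      # I/G bit: broadcast/multicast
    local = dst == own or is_group
    if dst == own:
        targets = []
    elif dst in bridge["fdb"] and not is_group:
        targets = [bridge["fdb"][dst]]
    else:
        targets = [p for p in bridge["ports"] if p != in_port]
    bridged = {p: forward_verdict(policy, rules, in_port, p)
               for p in targets if p != in_port}
    return {"local": local, "bridged": bridged}


def missing_isolation(rules, guest_ports):
    """Guest ports whose first matching FORWARD rule, in either direction,
    is not an unconditional DROP (i.e. the isolation the answer relies on)."""
    missing = []
    for port in guest_ports:
        for d in ("i", "o"):
            first = next((r.target for r in rules
                          if r.direction == d and r.iface == port), None)
            if first != "DROP":
                missing.append(f"-{d} {port}")
    return missing


if __name__ == "__main__":
    policy, rules = parse_forward_chain(EBTABLES_FORWARD)
    # Constructed topology: guest client on ra1, LAN host on eth1.
    bridge = {"mac": "00:11:22:33:44:55",             # assumed br0 MAC
              "ports": ["eth1", "ra0", "ra1", "rai1"],
              "fdb": {"aa:bb:cc:dd:ee:01": "eth1"}}   # assumed LAN host
    print("guest -> LAN host:", deliver("ra1", "aa:bb:cc:dd:ee:01", bridge, policy, rules))
    print("guest -> router  :", deliver("ra1", bridge["mac"], bridge, policy, rules))
    print("guest ARP request:", deliver("ra1", BROADCAST, bridge, policy, rules))
    print("missing isolation:", missing_isolation(rules, ["ra1", "rai1", "ra2"]))
```

Run it and the three cases line up with what the answer observed: a guest frame for the LAN host's MAC is bridged and dropped, a frame for the router's own MAC is delivered locally (and so can be NATed out the WAN), and a guest ARP broadcast reaches the router but is dropped towards every other port. `missing_isolation` is the check to run against a live `ebtables -L FORWARD` after a firmware update or when a new guest SSID is added: a guest interface that is not named in both an `-i` and an `-o` DROP rule is bridged to the LAN.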

Be careful. My Asus is running in bridge mode.

When I connect via a SSID configured as guest network, I can still reach my internal network.

So first test this properly.

It would be better if, since the router is not filtering in bridge mode, it did not offer the option of configuring guest networks at all, and only offered it when configured as a router.

Answered by TonAdam on December 24, 2020

As far as I'm concerned, a "Guest" network is just a common feature among many routers or ISRs that creates another subnet and, additionally, a separate WLAN with its corresponding ESSID, restricting the broadcast domain, and it won't route any traffic from it to the main network; this means you couldn't ssh to 192.168.1.1, for example, from any host at, say, 192.168.0.0 (the "Guest" network). But it's worth noting that, given the right conditions, it won't prevent computers in the "Guest" network from accessing the main network or a DMZ through the WAN (i.e. using the NAT public address), or even from the internet if the firewall is open, among other things.

In simple words, it just isolates the main network from the guest network on the LAN port, so you could say it's safe and serves its purpose as it should.

Source: The Cisco NetAcad Training Pages

Answered by arielnmz on December 24, 2020

Ron was correct that this is an opinion-based question depending on how risk-averse you are, but here are some factors to consider:

  1. How often do you manually check that your router firmware is up to date, and patch it if it isn't? And auto-updaters aren't reliable in my experience, FWIW. That's probably your biggest risk if you enable a guest network: vulnerabilities are discovered and patched, which alerts malicious actors to the vulnerability, so they incorporate it into their toolkit, but you haven't updated your firmware, so you're still vulnerable, and your neighborhood script kiddie gets onto your network.
  2. Do you have a good password for each of your router's admin accounts? Ideally one that was randomly generated by password management software, but at least one that doesn't return any hits when you do a Google search for it? Someone on your guest network may be able to attempt to log into your router's control panel, and a good password is the difference between them guessing right in a day and guessing right after 1000 years.
  3. How valuable is your home network? Does your always-on desktop have a hundred bitcoins on it? Do you regularly ignore whether the page you're on is http when it should be https? Are your medical and financial documents shared across your network? You need to honestly assess how bad it would be if they escaped the guest network, made it onto your regular one, and were able to see your files and watch/modify your unencrypted traffic.
  4. What benefits are you getting from enabling the guest network? Do you want plausible deniability for when you get caught pirating movies and music? Are you uncomfortable sharing your WiFi password with guests? Or are your guests lazy and they hate using secure WiFi of any sort? Are you hoping to perform a "good deed" by giving free WiFi to neighbors and passers-by? Weigh those benefits against the risks.

If ASUS implemented it flawlessly then it's safe to do, but nothing in computer security is actually flawless.

Answered by Aron Foster on December 24, 2020
