Super User Asked by Josh M. on December 24, 2020
My ASUS RT-AC68U router has an option to enable a “guest network”. I’m curious how “safe” this is. The config page claims that it only allows traffic through to the internet, so I assume it physically blocks traffic from the Guest network to any LAN port and only allows it to flow through the WAN port?
Note that what I mean is an OPEN guest network, no authentication.
Does anyone have any information on this and how safe/unsafe it is?
The question is actually quite good. I came here to see HOW this feature works, what we find under the hood, because it DOES work perfectly as of now (2019/Apr/12) with the Asus firmware version 1.1.2.3_674.
There is no "leakage" between the Guest network and the regular Wi-Fi/LAN. I have tried pretty much everything, like manually changing the IP and scanning the whole subnet, and the separation is working, so I wanted to understand HOW.
It seems Asus might have made some kernel magic in the netfilter code, because this is what it does:
Your router has a dedicated interface for this:
    ra1 Link encap:Ethernet HWaddr <MAC>
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:15136 errors:0 dropped:0 overruns:0 frame:0
    TX packets:11245 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1960036 (1.8 MiB) TX bytes:7742992 (7.3 MiB)
rai1 is probably the 5.0 GHz Wi-Fi equivalent. Then in the ebtables bridge code I see:
    Bridge chain: FORWARD, entries: 4, policy: ACCEPT
    -i ra1 -j DROP
    -o ra1 -j DROP
    -i rai1 -j DROP
    -o rai1 -j DROP
But that just wouldn't make sense, would it?! With this you are clearly blocking all layer 2 traffic between your LAN and the guest network, but I would assume the Internet too, since it's a generic forward rule.
The only security issue I found with this "separation" is that if your client on the Guest network knows the IP of some other machine, it can fool the router into thinking it is that other machine by changing its address, but this will not affect the ARP table of any other machine on the network, only the router's.
They are all part of the main bridge interface br0. Maybe someone can enlighten us with the truth; until then, let's just say it works!
Answered by sunflower on December 24, 2020
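As an added illustration (not code from the answer above or from Asus), here is a small parser for the ebtables FORWARD listing quoted in that answer; it reports whether each guest interface is dropped in both bridge directions, and the comment explains why such rules do not cut Internet access. The interface names ra1/rai1 are taken from the listing; the sample listing is constructed from it.

```python
import re
from typing import Dict, Iterable, Set

# Constructed sample: the ebtables bridge FORWARD chain as quoted in the answer.
EBTABLES_FORWARD = """\
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-i ra1 -j DROP
-o ra1 -j DROP
-i rai1 -j DROP
-o rai1 -j DROP
"""

# Matches the "-i <iface> -j <target>" / "-o <iface> -j <target>" rule lines.
RULE_RE = re.compile(r"^-(?P<dir>[io])\s+(?P<iface>\S+)\s+-j\s+(?P<target>\S+)\s*$")


def parse_forward_chain(listing: str) -> Dict[str, Set[str]]:
    """Return {iface: {"in", "out"}} for interfaces whose bridged frames are DROPped."""
    dropped: Dict[str, Set[str]] = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("target") != "DROP":
            continue
        direction = "in" if m.group("dir") == "i" else "out"
        dropped.setdefault(m.group("iface"), set()).add(direction)
    return dropped


def is_layer2_isolated(listing: str, iface: str) -> bool:
    """True only if frames are dropped both entering from and leaving towards iface.

    The bridge FORWARD chain only sees frames bridged between br0 member ports
    (guest <-> LAN/other Wi-Fi). A guest client's Internet traffic is addressed
    at layer 2 to the router's own MAC (its default gateway), so it takes the
    bridge INPUT path and is then IP-routed out the WAN interface; these DROP
    rules therefore block LAN access without blocking the Internet.
    """
    return parse_forward_chain(listing).get(iface, set()) == {"in", "out"}


def isolation_report(listing: str, guest_ifaces: Iterable[str]) -> Dict[str, bool]:
    """Map each guest interface name to whether it is isolated at layer 2."""
    return {iface: is_layer2_isolated(listing, iface) for iface in guest_ifaces}
```

A one-directional rule (only `-i` or only `-o`) is reported as not isolated, which is the misconfiguration this check is meant to catch.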
Be careful. My Asus is running in bridge mode.
When I connect via an SSID configured as a guest network, I can still reach my internal network.
So first test this properly.
It would be better if, since the router is not filtering in bridge mode, it did not offer the option of configuring guest networks at all, and only offered it when configured as a router.
Answered by TonAdam on December 24, 2020
As far as it's concerned, a "Guest" network is just a common feature among many routers or ISRs that creates another subnet and additionally a separate WLAN with its corresponding ESSID, restricting the broadcast domain, and it won't route any traffic from it to the main network; this means you couldn't ssh to 192.168.1.1,
for example, from any host at, say, 192.168.0.0 (the "Guest" network). But it's worth noting that, given the right conditions, it won't prevent computers in the "Guest" network from accessing the main network or a DMZ through the WAN (i.e. using the NAT public address), or even from the internet if the firewall is open, among other things.
In simple words, it just isolates the main network from the guest network on the LAN port, so you could say it's safe and serves its purpose as it should.
Source: The Cisco NetAcad Training Pages
Answered by arielnmz on December 24, 2020
Ron was correct that this is an opinion-based question depending on how risk averse you are, but here are some factors to consider:
If ASUS implemented it flawlessly then it's safe to do, but nothing in computer security is actually flawless.
Answered by Aron Foster on December 24, 2020