Geekzone: technology news, blogs, forums
740 posts, Ultimate Geek, Trusted
#217839 14-Jul-2017 14:25

I have a reasonably simple network setup at home, mostly using UniFi gear.

Starts in the workshop, where the ETP is. DV130 in bridge mode to a USG. From there into a US8-150W switch that has a few things plugged into it (RPi, NAS, UniFi CK, cameras and AP). From there, Cat6 underground to the house to an unmanaged AT9000/24 switch, which has the rest of the house stuff on it, including another UniFi AP for wireless access.

USG runs the DHCP; there is one wired network and one wireless network configured. Everything can talk to everything without issue. I'm not using any VLAN tagging and there is only one subnet (192.168.1.x).

I want to implement a guest network. I followed the UniFi example I found on their website, which basically creates another SSID using the cloud key controller, and makes it go through a portal before allowing internet access. This is now working without issue - no password at the portal, no access to the network or indeed the internet. The issue I am having is that anything connected to the guest network also has unadulterated access to everything on the original SSID and network - i.e. a guest can access the RPi, NAS etc. I was under the impression from everything that I have read that this would not be the case - I mean, what's the point of the guest network if it provides the same access (but with less security) than the main SSID?

If anyone has done this themselves and has had a better result, or understands how this works better than I obviously do, I'd be very keen to hear about it.

Thanks.


23395 posts, Uber Geek, Trusted, Subscriber
#1822495 14-Jul-2017 14:31

You need to make a VLAN for it to separate it out. The point of the guest access is to limit time connected for people that you give vouchers to, or to limit time like at a restaurant.





Richard rich.ms

197 posts, Master Geek, Lifetime subscriber
#1822501 14-Jul-2017 14:36

From memory: using the cloud controller, go to Settings > Wireless Networks. Click on the edit icon for the guest SSID and enable "Apply guest policies (captive portal, guest authentication, access)".

Then go back to the guest control and change the CIDR under the post-authorisation restrictions if needed.

 

 

 

 


 
 
 
 


29039 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Lifetime subscriber
#1822505 14-Jul-2017 14:40

You need to configure a new VLAN on your router, isolate that from your existing network with firewall rules and then use that VLAN for your guest network.

 

 


470 posts, Ultimate Geek
#1822506 14-Jul-2017 14:43

The earlier post about making sure you have the guest options selected correctly is the answer.

 

You will find that guests can "discover" other network resources but will not be able to access them in any way.

 

Cheers

 

Matt


29039 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Lifetime subscriber
#1822538 14-Jul-2017 15:10

Mattmannz:

The earlier post about making sure you have the guest options selected correctly is the answer.

You will find that guests can "discover" other network resources but will not be able to access them in any way.

Cheers

Matt

 

 

Enabling the guest network settings will simply apply them - that will deploy L3 filtering in the radio.

None of that changes the fact that if you want to offer a guest network and protect your internal network, it should be on its own VLAN.

 

 




740 posts, Ultimate Geek, Trusted
#1822586 14-Jul-2017 16:37

OK, thanks for the replies thus far. I decided to have a poke at making a second network with a different VLAN. I can now see the three SSIDs from any mobile device. However, while I can see the 'test' SSID, it isn't doling out any IPs and devices aren't able to connect to it, so things have come to a grinding halt there and have me a bit confused.

 

 

 

[Six screenshots of the controller configuration screens, not reproduced]

 

 

 

Above are screens from the different configuration screens within the controller - I must admit this is becoming way more of a chore than I expected it to be. @sbiddle, can you see what I am doing wrong, perchance?

 

 

 

Thanks again

 

 

 

 

 

 

 

 


23395 posts, Uber Geek, Trusted, Subscriber
#1822594 14-Jul-2017 17:02

Check that the VLAN config on your switch in the controller has "All" set up on it; otherwise it will only pass what is selected.





Richard rich.ms

 
 
 
 




740 posts, Ultimate Geek, Trusted
#1822607 14-Jul-2017 17:41

Ah crap. The workshop switch (UniFi) is set to pass all VLAN tagging; however the house switch (an unmanaged Allied Telesyn AT9000/24) is stripping it out, from what I can gather. On half a hunch, I got up out of the warm house and went out to the workshop with my phone, told it to connect to the 'test' network, and hey presto, IP given and access working. Can still access the USG/NAS etc. on the other network, but I haven't set any rules in the firewall blocking them yet, so that's understandable.

The AT9000/24 is supposed to be able to deal with VLANs etc., after having a look through the manual. It can be managed, but the first session needs to be a local connection, and do you think I can find a serial cable anywhere? Grrr. Might be one at work, but that isn't going to tell me anything until at least Monday night. There is a redundant Cat6 cable running from the workshop to the house; I could possibly move the house AP over to that and bypass the house switch for wireless devices, but that will still leave an issue for some of the IoT wired devices that I have in the house that I want off the main network. New switch time? Not sure how her indoors will respond to that suggestion...

Putting aside the separate VLAN issue and going back to my original question - @Resnick, you mentioned CIDR restrictions - is there a way to allow someone on the guest network (192.168.1.x) to be restricted to the gateway only? I.e. blocking everything on 192.168.1.x except 192.168.1.1? That would probably solve my immediate issue of giving guests internet but not access to all my stuff.


197 posts, Master Geek, Lifetime subscriber
#1822630 14-Jul-2017 18:25

That could be achieved with firewall rules as @sbiddle mentioned. Without having access to your network I couldn't specifically advise how to go about what you want to achieve as my setup was/is achieved with trial and error. More of the latter usually.

 

I simplified my setup a while ago so my kids could manage any problems if I was away for any reason. My UniFi AP has a separate guest SSID set up with guest policies applied as per my previous post. Left "as is", guests are unable to access other network devices. I don't have any UniFi switches as yet.


4544 posts, Uber Geek, Trusted
#1822636 14-Jul-2017 18:42

Just jump on the AT switch and set up the guest VLAN. I think the 9000 even has a pretty GUI. Otherwise the AT CLI is fairly easy to muddle your way around.
You simply need to set up a couple of trunk ports with your guest VLAN as a tagged VLAN and then leave your native VLAN untagged.

Edit: yes, it does have the nice GUI, which makes it really easy to set up your ports - albeit slightly slower than the CLI.
Just always remember to save the running config - it's like Cisco and you work on a live config until a reboot.
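The trunk-port rule in the post above (guest VLAN tagged, native VLAN untagged, anything else dropped) as an added worked example; this is not Allied Telesis or Ubiquiti code and not from the thread. The VLAN ids 1 (native/home) and 20 (guest), the MAC addresses and the sample frames are assumed values constructed for the example; `build_frame`, `parse_frame` and `TrunkPort` are hypothetical helpers written for it.

```python
"""802.1Q trunk-port model for carrying a guest VLAN across a switch link.

Added example, not Allied Telesis or Ubiquiti code. It models the rule in
the post above: the guest VLAN crosses the trunk tagged, the native VLAN
crosses it untagged, and a tag for a VLAN not allowed on the trunk is
dropped. VLAN ids 1 (native/home) and 20 (guest) and the sample frames are
assumed values constructed for the example.
"""
import struct

TPID_8021Q = 0x8100       # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
NATIVE_VID = 1            # assumed: existing home network, untagged on the trunk
GUEST_VID = 20            # assumed: guest network, tagged on the trunk


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame; insert an 802.1Q tag (PCP=0, DEI=0) if vid is given."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    (tpid_or_type,) = struct.unpack_from("!H", frame, 12)
    if tpid_or_type == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, tpid_or_type, frame[14:]


def strip_tag(frame):
    """Remove the 4-byte 802.1Q tag if present."""
    vid, _, _ = parse_frame(frame)
    return frame if vid is None else frame[:12] + frame[16:]


def add_tag(frame, vid):
    """Replace any existing tag with a tag for vid."""
    untagged = strip_tag(frame)
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + untagged[12:]


class TrunkPort:
    """One trunk port: a native (untagged) VLAN plus a set of allowed tagged VLANs."""

    def __init__(self, native_vid, tagged_vids):
        self.native_vid = native_vid
        self.tagged_vids = set(tagged_vids)

    def ingress(self, frame):
        """Classify an arriving frame into a VLAN; None means the switch drops it."""
        vid, _, _ = parse_frame(frame)
        if vid is None or vid == 0:          # untagged or priority-tagged -> native VLAN
            return self.native_vid
        if vid in self.tagged_vids:          # tagged with an allowed VLAN
            return vid
        return None                          # tag for a VLAN not on this trunk: dropped

    def egress(self, vlan_id, frame):
        """Emit a frame belonging to vlan_id; None means it is not sent on this port."""
        if vlan_id == self.native_vid:
            return strip_tag(frame)          # native VLAN leaves untagged
        if vlan_id in self.tagged_vids:
            return add_tag(frame, vlan_id)   # other allowed VLANs leave tagged
        return None


def demo():
    """Run constructed frames through a trunk carrying VLAN 1 native and VLAN 20 tagged."""
    trunk = TrunkPort(NATIVE_VID, [GUEST_VID])
    dst = bytes.fromhex("ffffffffffff")       # constructed broadcast destination
    src = bytes.fromhex("020000000001")       # constructed locally administered MAC
    payload = bytes(46)                       # minimum-length dummy payload
    home = build_frame(dst, src, ETHERTYPE_IPV4, payload)
    guest = build_frame(dst, src, ETHERTYPE_IPV4, payload, vid=GUEST_VID)
    stray = build_frame(dst, src, ETHERTYPE_IPV4, payload, vid=30)
    return {
        "home_ingress": trunk.ingress(home),      # 1: untagged lands in the native VLAN
        "guest_ingress": trunk.ingress(guest),    # 20: allowed tag is honoured
        "stray_ingress": trunk.ingress(stray),    # None: VLAN 30 is not on the trunk
        "home_egress_vid": parse_frame(trunk.egress(NATIVE_VID, home))[0],   # None: untagged
        "guest_egress_vid": parse_frame(trunk.egress(GUEST_VID, home))[0],   # 20: tagged
        "unknown_egress": trunk.egress(30, home),                            # None: not sent
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `stray` case is the one to watch when debugging a setup like the one in this thread: a tag the receiving port is not configured to carry is simply dropped, which looks to the client exactly like the "SSID visible but no IP" symptom described earlier.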



740 posts, Ultimate Geek, Trusted
#1822637 14-Jul-2017 18:47

Thanks to you both for that - I'll have to find a serial cable to enable access to the AT - it just sits there fat, dumb and happy unless you connect locally and enable access initially.




740 posts, Ultimate Geek, Trusted
#1822692 14-Jul-2017 21:31

Quick follow up - I have managed to make it work on one network, without any VLAN business.

In the Guest Policies tab, under "Post-Authorisation Restrictions", I needed to add 192.168.1.0/24 - without anything in there, wireless clients will get access to all networks.

I'll still look to get the VLAN business sorted, but in the mean time, I have got a working guest network.

197 posts, Master Geek, Lifetime subscriber
#1822735 15-Jul-2017 09:08

Ge0rge: Quick follow up - I have managed to make it work on one network, without any VLAN business.

In the Guest Policies tab, under "Post-Authorisation Restrictions", I needed to add 192.168.1.0/24 - without anything in there, wireless clients will get access to all networks.

I'll still look to get the VLAN business sorted, but in the mean time, I have got a working guest network.

Good work. Have a look at this UniFi thread. It gives you an idea of what is achievable through the UAP controller GUI and is handy if you want to give guests access to a single network location (e.g. printer). Without setting up VLANs you won't have enterprise-grade guest network security, as others here have said.

This is a cut and paste from the UniFi wireless forum of guest WLAN rules (allowed subnets = pre-authorisation access):

According to EBTABLES rules on AP for GUEST WLANs:
1) DHCP requests will be permitted
2) DNS requests to ANY IP (i.e. ALL UDP traffic to port 53) will be permitted
3) mDNS traffic will be denied (all UDP traffic to port 5353)
4) All MULTICAST traffic will be denied
5) Only after that, all traffic to restricted subnets will be denied
6) Everything else will be permitted.
All this means that if your internet gateway's IP is inside one of the "restricted subnets" then you need to add its IP to the list of "allowed subnets" (with /32 mask).
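The six-step filter order quoted above, and the post-authorisation restriction of 192.168.1.0/24 from the earlier follow-up, as an added worked example. This is not Ubiquiti's ebtables rule set and not from the thread; it is a Python model that applies the steps in the listed order to constructed sample packets and shows the caveat in the last sentence: with 192.168.1.0/24 restricted, traffic to the gateway 192.168.1.1 is only let through once 192.168.1.1/32 is in the allowed list. Placing the allowed-list check immediately before the restricted-subnet check is an assumption drawn from that sentence; the NAS address 192.168.1.50 and the other sample destinations are constructed.

```python
"""Model of the guest-WLAN filter order quoted in the post above.

Added example, not Ubiquiti's ebtables rules. It applies the six steps in
the order the post lists them, with the thread's own values: 192.168.1.0/24
as the post-authorisation restricted subnet and the gateway 192.168.1.1/32
in the allowed list, as the post's last sentence recommends. The allowed-list
check sitting just before the restricted-subnet check is an assumption drawn
from that sentence. The sample packets are constructed.
"""
import ipaddress

RESTRICTED = [ipaddress.ip_network("192.168.1.0/24")]   # from the thread
ALLOWED = [ipaddress.ip_network("192.168.1.1/32")]       # gateway with /32 mask, per the post


def decide(pkt, allowed=ALLOWED, restricted=RESTRICTED):
    """Return ('permit' | 'deny', rule) for pkt = {'proto', 'dst', 'dport'}."""
    dst = ipaddress.ip_address(pkt["dst"])
    proto = pkt["proto"]
    dport = pkt.get("dport")
    if proto == "udp" and dport == 67:                 # 1) DHCP requests
        return "permit", "dhcp"
    if proto == "udp" and dport == 53:                 # 2) DNS to any IP
        return "permit", "dns"
    if proto == "udp" and dport == 5353:               # 3) mDNS
        return "deny", "mdns"
    if dst.is_multicast:                               # 4) all multicast
        return "deny", "multicast"
    if any(dst in net for net in allowed):             # allowed subnets (assumed position)
        return "permit", "allowed-subnet"
    if any(dst in net for net in restricted):          # 5) restricted subnets
        return "deny", "restricted-subnet"
    return "permit", "default"                         # 6) everything else


# Constructed sample traffic from a guest client (addresses are made up for the example).
SAMPLES = {
    "dhcp_discover": {"proto": "udp", "dst": "255.255.255.255", "dport": 67},
    "dns_to_gateway": {"proto": "udp", "dst": "192.168.1.1", "dport": 53},
    "mdns": {"proto": "udp", "dst": "224.0.0.251", "dport": 5353},
    "ssdp": {"proto": "udp", "dst": "239.255.255.250", "dport": 1900},
    "smb_to_nas": {"proto": "tcp", "dst": "192.168.1.50", "dport": 445},
    "http_to_gateway": {"proto": "tcp", "dst": "192.168.1.1", "dport": 80},
    "https_internet": {"proto": "tcp", "dst": "203.0.113.10", "dport": 443},
}


def evaluate(allowed=ALLOWED):
    """Decide every sample; pass allowed=[] to see the effect of omitting the gateway /32."""
    return {name: decide(pkt, allowed=allowed) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, allowed in (("with gateway /32 allowed", ALLOWED), ("without", [])):
        print(label)
        for name, verdict in evaluate(allowed).items():
            print(f"  {name:16} {verdict[0]:6} ({verdict[1]})")
```

Running it with and without the `/32` entry makes the ordering visible: DHCP and DNS are permitted either way because they match before the subnet checks, while HTTP to the gateway flips from deny to permit only when the gateway address is on the allowed list. SMB to the NAS stays denied in both runs, which is the isolation the original question was after.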


436 posts, Ultimate Geek, Inactive user
#1824037 17-Jul-2017 20:13

Make sure you are aware of your responsibility in running a guest network (for your own protection).

Things like, but not limited to:

 - cannot be used for DoS or DDoS attacks (both bandwidth and connection limits)
 - cannot be used by the kids next door to hit porn sites
 - cannot be used for piracy
 - cannot be used by the local pedo to hit kiddie porn
 - cannot be used by your friendly neighbourhood spammer




740 posts, Ultimate Geek, Trusted
#1824050 17-Jul-2017 20:42

Thanks for the concern - ended up running two guest networks: one that needs a WPA key to access (guests we know and like but don't want their devices to interact with our home network; it also has the IoT stuff on it) and a second one for the kids that utilises the hotspot function and one-time use passes (do your chores, get a pass for 30 mins access). We're also rural, on a narrow road with no reason to stop in front of our place, and over 150m to the neighbours, so I'm pretty sure we're good.

You raise valid points for someone running an open guest network in an urban setting though.
