Geekzone: technology news, blogs, forums




517 posts

Ultimate Geek

Trusted

# 217839 14-Jul-2017 14:25

I have a reasonably simple network setup at home, mostly using UniFi gear.

Starts in the workshop, where the ETP is. DV130 in bridge mode to a USG. From there into a US8-150W switch that has a few things plugged into it (RPi, NAS, UniFi CK, cameras and AP). From there, Cat6 underground to the house to an unmanaged AT9000/24 switch, which has the rest of the house stuff on it, including another UniFi AP for wireless access.

USG runs the DHCP; there is one wired network and one wireless network configured. Everything can talk to everything without issue. I'm not using any VLAN tagging and there is only one subnet (192.168.1.x).

I want to implement a guest network. I followed the UniFi example I found on their website, which basically creates another SSID using the Cloud Key controller, and makes it go through a portal before allowing internet access. This is now working without issue: no password at the portal, no access to the network or indeed the internet. The issue I am having is that anything connected to the guest network also has unadulterated access to everything on the original SSID and network, i.e. a guest can access the RPi, NAS etc. I was under the impression from everything that I have read that this would not be the case. I mean, what's the point of the guest network if it provides the same access (but with less security) as the main SSID?

If anyone has done this themselves and has had a better result, or understands how this works better than I obviously do, I'd be very keen to hear about it.

Thanks.


22635 posts

Uber Geek

Trusted
Subscriber

  # 1822495 14-Jul-2017 14:31

You need to make a VLAN for it to separate it out. The point of the guest access is to limit time connected for people that you give vouchers to, or to limit time like at a restaurant.





Richard rich.ms

189 posts

Master Geek

Lifetime subscriber

  # 1822501 14-Jul-2017 14:36

From memory: using the cloud controller, go to Settings > Wireless Networks. Click on the edit icon for the guest SSID and enable "Apply guest policies (captive portal, guest authentication, access)".

Then go back to Guest Control and change the CIDR under the post-authorisation restrictions if needed.


28365 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1822505 14-Jul-2017 14:40

You need to configure a new VLAN on your router, isolate that from your existing network with firewall rules and then use that VLAN for your guest network.

 

 


467 posts

Ultimate Geek


  # 1822506 14-Jul-2017 14:43

The earlier post about making sure you have the guest options selected correctly is the answer.

 

You will find that guests can "discover" other network resources but will not be able to access them in any way.

 

Cheers

 

Matt


28365 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1822538 14-Jul-2017 15:10

Mattmannz:

The earlier post about making sure you have the guest options selected correctly is the answer.

You will find that guests can "discover" other network resources but will not be able to access them in any way.

Cheers

Matt

Enabling the guest network settings will simply apply them; that will deploy L3 filtering in the radio.

None of that changes the fact that if you want to offer a guest network and protect your internal network, it should be on its own VLAN.




517 posts

Ultimate Geek

Trusted

  # 1822586 14-Jul-2017 16:37

OK, thanks for the replies thus far. I decided to have a poke at making a second network with a different VLAN. I can now see the three SSIDs from any mobile device. However, while I can see the 'test' SSID, it isn't doling out any IPs and devices aren't able to connect to it, so things have come to a grinding halt there and have me a bit confused.

[Six screenshots of the controller configuration screens]

Above are screens from the different configuration screens within the controller. I must admit this is becoming way more of a chore than I expected it to be. @sbiddle, can you see what I am doing wrong perchance?

Thanks again

22635 posts

Uber Geek

Trusted
Subscriber

  # 1822594 14-Jul-2017 17:02

Check that the VLAN config on your switch in the controller has all set up on it; otherwise it will only pass what is selected.

Richard rich.ms




517 posts

Ultimate Geek

Trusted

  # 1822607 14-Jul-2017 17:41

Ah crap. The workshop switch (UniFi) is set to pass all VLAN tagging; however, the house switch (an unmanaged Allied Telesyn AT9000/24) is stripping it out, from what I can gather. On half a hunch, I got up out of the warm house and went out to the workshop with my phone, told it to connect to the 'test' network, and hey presto, IP given and access working. Can still access the USG/NAS etc. on the other network, but I haven't set any rules in the firewall blocking them yet, so that's understandable.

The AT9000/24 is supposed to be able to deal with VLANs etc., after having a look through the manual. It can be managed, but the first session needs to be a local connection, and do you think I can find a serial cable anywhere? Grrr. Might be one at work, but that isn't going to tell me anything until at least Monday night. There is a redundant Cat6 cable running from the workshop to the house; I could possibly move the house AP over to that and bypass the house switch for wireless devices, but that will still leave an issue for some of the IoT wired devices that I have in the house that I want off the main network. New switch time? Not sure how her indoors will respond to that suggestion...

Putting aside the separate VLAN issue and going back to my original question: @Resnick, you mentioned CIDR restrictions. Is there a way to allow someone on the guest network (192.168.1.x) to be restricted to the gateway only, i.e. blocking everything on 192.168.1.x except 192.168.1.1? That would probably solve my immediate issue of giving guests internet but not access to all my stuff.


189 posts

Master Geek

Lifetime subscriber

  # 1822630 14-Jul-2017 18:25

That could be achieved with firewall rules, as @sbiddle mentioned. Without having access to your network I couldn't specifically advise how to go about what you want to achieve, as my setup was/is achieved with trial and error. More of the latter usually.

I simplified my setup a while ago so my kids could manage any problems if I was away for any reason. My UniFi AP has a separate guest SSID set up with guest policies applied as per the previous post. Left "as is", guests are unable to access other network devices. I don't have any UniFi switches as yet.


4243 posts

Uber Geek


  # 1822636 14-Jul-2017 18:42

Just jump on the AT switch and set up the guest VLAN. I think the 9000 even has a pretty GUI. Otherwise the AT CLI is fairly easy to muddle your way around.
You simply need to set up a couple of trunk ports with your guest VLAN as a tagged VLAN and then leave your native VLAN untagged.

Edit: yes, it does have the nice GUI, which makes it really easy to set up your ports, albeit slightly slower than the CLI.
Just always remember to save the running config; it's like Cisco and you work on a live config until a reboot.
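A small model of the tagged/native trunk-port behaviour described in the post above, added here as an example; it is not Allied Telesis or Ubiquiti code. It builds raw Ethernet frames with and without an 802.1Q tag, parses the tag back out, and applies the trunk rule the post gives (guest VLAN tagged, native VLAN untagged). The VLAN ids (20 for guests, 1 as native), the MAC addresses and the stub payload are constructed for the demo.

```python
"""802.1Q trunk-port model (added example; not Allied Telesis or Ubiquiti code)."""
import struct

ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETH_P_IP = 0x0800      # EtherType of the IPv4 payload used in the demo


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETH_P_IP):
    """Assemble an Ethernet frame; insert a 4-byte 802.1Q tag when vlan_id is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    hdr = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN id must be in 1..4094")
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI left at 0
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Split a frame into its fields; 'vlan' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
                "ethertype": etype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None,
            "ethertype": etype, "payload": frame[14:]}


def trunk_ingress(frame, native_vlan, tagged_vlans):
    """VLAN a frame arriving on a trunk port is placed in, or None if dropped.

    Untagged frames belong to the native VLAN; tagged frames are accepted only
    for VLANs the trunk carries. A tag for any other VLAN is dropped, which is
    why every switch between the AP and the router must carry the guest VLAN.
    """
    vid = parse_frame(frame)["vlan"]
    if vid is None:
        return native_vlan
    return vid if vid in tagged_vlans else None


def trunk_egress(untagged_frame, vlan, native_vlan):
    """Frame as sent out of a trunk port: tagged unless it is in the native VLAN."""
    f = parse_frame(untagged_frame)
    if f["vlan"] is not None:
        raise ValueError("expected an untagged frame from the switch fabric")
    if vlan == native_vlan:
        return untagged_frame
    return build_frame(f["dst"], f["src"], f["payload"],
                       vlan_id=vlan, ethertype=f["ethertype"])


def demo():
    """Constructed scenario: native VLAN 1 for the main LAN, VLAN 20 tagged for guests."""
    ap = bytes.fromhex("0218c0ffee01")     # constructed AP MAC
    sw = bytes.fromhex("0218c0ffee02")     # constructed switch MAC
    payload = bytes([0x45]) + bytes(19)    # constructed stub IPv4 header
    native, tagged = 1, {20}
    main_lan = build_frame(sw, ap, payload)                 # untagged
    guest = build_frame(sw, ap, payload, vlan_id=20)        # tagged 20
    other = build_frame(sw, ap, payload, vlan_id=30)        # VLAN not on the trunk
    return {
        "main_lan": trunk_ingress(main_lan, native, tagged),
        "guest": trunk_ingress(guest, native, tagged),
        "other": trunk_ingress(other, native, tagged),
        "tag_overhead": len(guest) - len(main_lan),
        "guest_retagged": trunk_egress(main_lan, 20, native) == guest,
        "native_untouched": trunk_egress(main_lan, 1, native) == main_lan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

The `other` case is the failure mode the thread ran into: a frame tagged for a VLAN the port does not carry is simply dropped, so the client never sees a DHCP reply. The 4-byte difference between the two frames is the tag itself, which is what a switch that is not VLAN-aware either strips or forwards unchanged.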



517 posts

Ultimate Geek

Trusted

  # 1822637 14-Jul-2017 18:47

Thanks to you both for that. I'll have to find a serial cable to enable access to the AT; it just sits there fat, dumb and happy unless you log into it locally and enable access initially.




517 posts

Ultimate Geek

Trusted

  # 1822692 14-Jul-2017 21:31

Quick follow up: I have managed to make it work on one network, without any VLAN business.

In the Guest Policies tab, under 'Post-Authorisation Restrictions', I needed to add 192.168.1.0/24. Without anything in there, wireless clients will get access to all networks.

I'll still look to get the VLAN business sorted, but in the meantime I have got a working guest network.

189 posts

Master Geek

Lifetime subscriber

  # 1822735 15-Jul-2017 09:08

Ge0rge: Quick follow up: I have managed to make it work on one network, without any VLAN business.

In the Guest Policies tab, under 'Post-Authorisation Restrictions', I needed to add 192.168.1.0/24. Without anything in there, wireless clients will get access to all networks.

I'll still look to get the VLAN business sorted, but in the meantime I have got a working guest network.

Good work. Have a look at this UniFi thread. It gives you an idea of what is achievable through the UAP controller GUI and is handy if you want to give guests access to a single network location (e.g. printer). Without setting up VLANs you won't have enterprise-grade guest network security, as others here have said.

This is a cut and paste from the UniFi wireless forum of guest WLAN rules (allowed subnets = pre-authorisation access):

According to EBTABLES rules on AP for GUEST WLANs:
1) DHCP requests will be permitted
2) DNS requests to ANY IP (i.e. ALL UDP traffic to port 53) will be permitted
3) mDNS traffic will be denied (all UDP traffic to port 5353)
4) All MULTICAST traffic will be denied
5) Only after that all traffic to restricted subnets will be denied
6) Everything else will be permitted.
All this means that if your internet gateway's IP is inside one of the "restricted subnets" then you need to add its IP to a list of "allowed subnets" (with /32 mask).
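The six-rule order quoted above, written out as an added example so the interaction between "restricted" and "allowed" subnets can be checked; this is not Ubiquiti's ebtables rule set, only a model of the order the post describes. Where the allowed-subnet check sits is my assumption: it is placed just before the restricted-subnet check, which is the only placement consistent with the note that a gateway inside a restricted subnet needs a /32 allow entry. The packets, the NAS address and the internet address are constructed sample values; 192.168.1.0/24 and 192.168.1.1 are the thread's own.

```python
"""Ordered guest-WLAN filter model (added example, not Ubiquiti's ebtables code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed sample packet: destination IP, L4 protocol and destination port."""
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


class GuestPolicy:
    """Apply the six quoted rules, in order, to a packet from a guest client."""

    def __init__(self, restricted_subnets, allowed_subnets=()):
        self.restricted = [ipaddress.ip_network(n) for n in restricted_subnets]
        self.allowed = [ipaddress.ip_network(n) for n in allowed_subnets]

    def decide(self, pkt):
        """Return (verdict, rule) where verdict is 'permit' or 'deny'."""
        dst = ipaddress.ip_address(pkt.dst)
        # 1) DHCP: client discover/request goes to UDP port 67, permitted
        if pkt.proto == "udp" and pkt.dport == 67:
            return "permit", "1-dhcp"
        # 2) DNS to any IP: all UDP/53 permitted, even inside a restricted subnet
        if pkt.proto == "udp" and pkt.dport == 53:
            return "permit", "2-dns"
        # 3) mDNS denied (UDP/5353), checked before the general multicast rule
        if pkt.proto == "udp" and pkt.dport == 5353:
            return "deny", "3-mdns"
        # 4) all remaining multicast denied
        if dst.is_multicast:
            return "deny", "4-multicast"
        # Assumption: "allowed subnets" are exceptions evaluated before the
        # restricted list; this is what makes a /32 entry for the gateway work.
        if any(dst in net for net in self.allowed):
            return "permit", "allowed-subnet"
        # 5) traffic to restricted subnets denied
        if any(dst in net for net in self.restricted):
            return "deny", "5-restricted"
        # 6) everything else (e.g. the internet) permitted
        return "permit", "6-default"


def demo():
    """Constructed scenario from the thread: LAN 192.168.1.0/24, gateway 192.168.1.1."""
    lan, gateway = "192.168.1.0/24", "192.168.1.1"
    nas_smb = Packet("192.168.1.20", "tcp", 445)        # constructed NAS address
    gw_web = Packet(gateway, "tcp", 80)                 # gateway's own web UI
    gw_dns = Packet(gateway, "udp", 53)
    dhcp = Packet("255.255.255.255", "udp", 67)
    mdns = Packet("224.0.0.251", "udp", 5353)
    internet = Packet("203.0.113.10", "tcp", 443)       # documentation range

    restricted_only = GuestPolicy([lan])
    with_gw_allowed = GuestPolicy([lan], allowed_subnets=[gateway + "/32"])
    return {
        "nas_without_allow": restricted_only.decide(nas_smb),
        "gw_without_allow": restricted_only.decide(gw_web),
        "gw_with_allow": with_gw_allowed.decide(gw_web),
        "nas_with_allow": with_gw_allowed.decide(nas_smb),
        "gw_dns": restricted_only.decide(gw_dns),
        "dhcp": restricted_only.decide(dhcp),
        "mdns": restricted_only.decide(mdns),
        "internet": restricted_only.decide(internet),
    }


if __name__ == "__main__":
    for name, (verdict, rule) in demo().items():
        print(f"{name:20s} {verdict:6s} ({rule})")
```

Two things the model makes visible that the rule list alone does not: DNS to the gateway is permitted by rule 2 before the restricted-subnet check is ever reached, so guests resolve names fine even when 192.168.1.0/24 is restricted, and adding 192.168.1.1/32 to the allowed list re-opens only the gateway while the NAS on the same subnet stays blocked.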


436 posts

Ultimate Geek
Inactive user


  # 1824037 17-Jul-2017 20:13

Make sure you are aware of your responsibility in running a guest network (for your own protection).

Things like, but not limited to:

 - cannot be used for DoS or DDoS attacks (both bandwidth and connection limits)
 - cannot be used by the kids next door to hit porn sites
 - cannot be used for piracy
 - cannot be used by the local pedo to hit kiddie porn
 - cannot be used by your friendly neighbourhood spammer




517 posts

Ultimate Geek

Trusted

  # 1824050 17-Jul-2017 20:42

Thanks for the concern. I ended up running two guest networks: one that needs a WPA password to access (guests we know and like but whose devices we don't want interacting with our home network; it also has the IoT stuff on it) and a second one for kids that utilises the hotspot function and one-time use passes (do your chores, get a pass for 30 mins access). We're also rural, on a narrow road with no reason to stop in front of our place, and over 150m to the neighbours, so I'm pretty sure we're good.

You raise valid points for someone running an open guest network in an urban setting though.
