5

I'm trying to create an open, public WiFi network in my house for guests to use, as I am hosting a (somewhat) large party later tonight. However, none of my routers have any built-in guest networking features, and they do not support alternative firmware like DD-WRT.

Traditionally, what I've done is simply create a double NAT by connecting the WAN port of a second wireless router to a LAN port of my main router. The main router is secured with WPA2, while the second router (for the guest network) is left unsecured. See the diagram below:

[network diagram image]

My question though: is this setup actually secure? As in, is there any way for a guest device to access my computer, at 192.168.1.3, or monitor traffic on the main network? I tried pinging while connected to the guest network and it seems like the packets are not reaching computers on the main network, but is there a way to get around this? I read a few articles online about using Double-NAT as a way to create a guest wifi network, but none of them really go into detail about security.

Thanks in advance!

EDIT: I drew the diagram in Cisco Packet Tracer because I don't have another program for drawing these diagrams, but I'm not actually using Cisco hardware. The main router is a Verizon Actiontec; the guest network is a cheap Tenda.

tlng05
  • You have a Cisco switch there that supports VLANs. Just set a VLAN for guest network/ports and they are then isolated from the rest of the switched network. – Jari Huttunen Dec 20 '14 at 19:32
  • 3
    Holiday parties, eggnog, mistletoe, hacking your host's computers. I love this time of year! If you're really concerned about your guests (and I guess it's too late to uninvite them), maybe you could turn off your sensitive computers for a few hours. It would be simpler than redesigning your network and give you more time to make that party dip everyone raves about. Also make sure everyone's drink glass stays full and no one will be in any condition to hack anything. Happy Holidays! – Ron Trunk Dec 20 '14 at 19:43
  • @YaRi I drew the diagram in Cisco Packet Tracer because I don't have any other network-diagramming software, but I'm not actually using Cisco/Linksys hardware lol – tlng05 Dec 20 '14 at 19:56
  • @Ron I'm not super concerned about the guests tonight as they are generally people I trust, but I'm asking mostly for future reference. Happy holidays to you too! – tlng05 Dec 20 '14 at 19:59
  • 1
    The simple way to secure your network - turn off your computer and enjoy the party. Turn off the router too and your guests will have to talk to each other instead of updating their status. Life used to be simpler when you just had to count the silverware at the end of the evening. – Floris Dec 20 '14 at 22:56

2 Answers

8

You've got it hooked up backwards if you want to secure your network against guests. Computers on the 192.168.0.0/24 network can freely access computers on the 192.168.1.0/24 network.

If you want to use double-NAT to create a guest network, you need to place the guest network closer to the Internet connection than the network you want to protect from them. Against casual attackers, NAT acts as a firewall with a "default deny" policy for inbound connections and "default permit" for outbound connections, so you need to put the computers you want to protect on the "inside" of the second NAT.

Against serious attackers, you want your public and private networks to meet only at your Internet connection, where you set up a proper firewall that blocks any communication between the two.

Mark
6

This is not secure, as you have not isolated the guest network. They are still able to reach your 192.168.1.3 client.

I guess the reason why it does not respond to ping is because it is configured not to respond to ping. The host firewall on this computer probably blocks most of the traffic anyway.

If you want to isolate the wifi clients in a proper way (with the equipment you have), you connect the guest wifi router to the internet WAN port. And to a LAN port on the guest router, you connect your Main Router.

This way, your clients may only reach the Main Router external IP address.

But this solution has its own problems. If your malicious guests (who, by the sound of it, like to play capture the flag on your network) are able to take over the router, they would also be able to intercept the traffic from your internal network. Other MitM tricks apply here as well, as they are located in an upstream network.

The proper solution to this problem is to get a VLAN-capable switch to segment your internal and guest networks, and you need a firewall/router to block traffic passing between these two segments.

Dog eat cat world
  • 1
    Maybe I'm not understanding you correctly, but if the main router is a client of the guest network, wouldn't that make the main router's Internet traffic vulnerable to ARP spoofing attacks? It would definitely make hosts on the private network unreachable though. – tlng05 Dec 20 '14 at 20:34
  • 1
    You are right, the drawback here is exactly that anyone can impersonate your main router. With your current equipment, you will have to choose between vulnerabilities. To mitigate these, you will need either a firewall with at least three interfaces, or a switch with VLAN support + a firewall. – Dog eat cat world Dec 20 '14 at 20:45
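Both answers make the same point about direction: a consumer NAT router lets unsolicited traffic cross from its LAN side to its WAN side but not the other way, so which network sits "behind" which router decides who can reach whom. The small model below, an added example that is not code from the question or from either answer, checks the three layouts discussed on this page (the asker's, the reversed one both answers recommend, and the segmented firewall both give as the proper fix) against that rule. Its simplifying assumptions: no port forwards are configured, the segmented firewall does not forward between its own LAN segments, and 203.0.113.10 is a constructed Internet host; the 192.168.0.0/24, 192.168.1.0/24 and 192.168.1.3 addresses come from the question.

```python
"""Reachability model for the double-NAT layouts discussed above.

Assumption (added example): a NAT router forwards unsolicited packets only
from one of its LAN-side networks toward its WAN side. Packets arriving on
the WAN side for a LAN-side host are dropped (no port forwards), and a
multi-segment firewall does not forward between its own LAN segments.
"""
from ipaddress import ip_address, ip_network

INTERNET = ip_network("0.0.0.0/0")


class NatRouter:
    """A router with one or more LAN-side networks and one WAN-side network."""

    def __init__(self, name, lans, wan):
        self.name = name
        self.lans = [ip_network(n) for n in lans]
        self.wan = ip_network(wan)


def outbound_chain(routers, src_net, limit=8):
    """Networks a host on src_net can reach by crossing NATs outbound only."""
    chain = [ip_network(src_net)]
    while len(chain) < limit:
        router = next((r for r in routers if chain[-1] in r.lans), None)
        if router is None:  # reached the Internet (or a dead end)
            break
        chain.append(router.wan)
    return chain


def home_network(routers, ip):
    """Most specific network in the topology that contains ip."""
    nets = {n for r in routers for n in r.lans} | {r.wan for r in routers}
    return max((n for n in nets if ip in n), key=lambda n: n.prefixlen)


def reachable(routers, src_net, dst_ip):
    """True if an unsolicited packet from a host on src_net can arrive at
    dst_ip, i.e. dst_ip's home network lies on src_net's outbound chain."""
    return home_network(routers, ip_address(dst_ip)) in outbound_chain(routers, src_net)


# Layout from the question: guest router's WAN port on a LAN port of the main router.
QUESTION_LAYOUT = [
    NatRouter("main", ["192.168.1.0/24"], INTERNET),
    NatRouter("guest", ["192.168.0.0/24"], "192.168.1.0/24"),
]

# Layout both answers recommend: main router's WAN port on a LAN port of the guest router.
REVERSED_LAYOUT = [
    NatRouter("guest", ["192.168.0.0/24"], INTERNET),
    NatRouter("main", ["192.168.1.0/24"], "192.168.0.0/24"),
]

# "Proper solution": one firewall/router with a separate interface (or VLAN)
# per segment and no forwarding between the two segments.
SEGMENTED_LAYOUT = [
    NatRouter("firewall", ["192.168.1.0/24", "192.168.0.0/24"], INTERNET),
]


def report(routers):
    """Who can initiate traffic to whom in a given layout."""
    return {
        "guest -> 192.168.1.3": reachable(routers, "192.168.0.0/24", "192.168.1.3"),
        "main -> 192.168.0.5": reachable(routers, "192.168.1.0/24", "192.168.0.5"),
        "guest -> Internet": reachable(routers, "192.168.0.0/24", "203.0.113.10"),
        "main -> Internet": reachable(routers, "192.168.1.0/24", "203.0.113.10"),
    }


if __name__ == "__main__":
    for title, layout in [("question", QUESTION_LAYOUT),
                          ("reversed", REVERSED_LAYOUT),
                          ("segmented", SEGMENTED_LAYOUT)]:
        print(f"== {title} layout ==")
        for flow, ok in report(layout).items():
            print(f"  {flow:22s} {'reachable' if ok else 'blocked'}")
```

In the question's layout the guest segment can initiate to 192.168.1.3 (the ping result is explained by the host's own firewall, as the second answer says, not by the topology); reversing the routers blocks that but lets the main network reach guest hosts and puts the main router's uplink on the guest segment, which is the trade-off the comments discuss; only the segmented layout blocks both directions while keeping Internet access for each segment.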