How do I set up a guest WLAN?

I want to set up a guest wifi network that is separate from the network my family uses, so that guests can access the Internet but not my home network.

Note that the DSL router from the ISP is really stupid and doesn't give me any configuration options. It's got a hardcoded SSID and WPA passkey. This router contains the (unknown) DSL credentials so it must sit between the wall socket and the switch; I can't replace it but I could connect an additional router if I want.

I have a spare Linksys WRT54G router that I can set up, but it's not a model that supports custom firmware like Tomato so I have to make do with regular configuration options. I could connect this Linksys either to the ISP router directly, or to the switch, but I think that wouldn't make any difference.

How can I configure the network so that this Linksys only gets Internet access but doesn't see the home network (neither LAN nor WLAN)?

I could either hand out the ISP wifi credentials and use the Linksys to set up a family network.
Or I could use the ISP wifi for myself and set up the Linksys as a guest network.
Not sure which way is better.

(Diagram: Linksys currently not connected)

Would it make sense to set it up like above, so that the Linksys acts as a sort of "one-way filter" that prevents the ISP router from seeing the rest of the network, but the network has Internet access? To achieve this, would it be correct to put a network cable from the ISP router's LAN port to the Linksys' WAN port?

Torben Gundtofte-Bruun

Posted 2013-09-17T06:59:18.567

Reputation: 16 308

Use the Linksys as your protected WLAN, as the only foreseeable way of making the Linksys handle the guest WLAN would be to use a VPN or set up a RADIUS server for your home computers – 50-3 – 2013-09-17T07:07:20.820

If set up as NAT, your Linksys should prevent computers in the guest WLAN from accessing the home LAN, because you can't route private-range IP networks. If it doesn't, there may be a way to enforce access restrictions in its interface. – mveroone – 2013-09-17T07:28:13.430

Answers


Hook up the Linksys router's WAN port to a LAN port on the ISP-supplied router. Use the Linksys router's provided WLAN for your own use and give guests the credentials for the ISP-supplied router's WLAN.

This puts your own systems behind an additional level of NAT compared to the guest network, which means that your own hosts become to the guests what a normal home network is to the Internet. It also takes advantage of the fact that virtually any such router will consider the WAN side "untrusted". Guests may be able to access the Linksys router (they will certainly likely be able to know that it's there) but not anything behind it, assuming they don't manage to sneak through by directly modifying their local routing tables. (I doubt it'd help them, since they should hit the Linksys's firewall if they try, but it's hard to be 100% certain.)

The major downside to this approach would be that you are giving out the credentials you cannot yourself change. Another potential downside is precisely that it puts yourself behind two layers of NAT, which can conceivably cause problems with any services that rely on the ability to connect back to the originating host (peer-to-peer file sharing springs to mind as one possibility).

You'd end up with something similar to this:

                             +------------+
                             |  Internet  |
                             +------------+
                                    ^
                                    |
        +---------+          +------+-----+
        | Linksys +--------->| ISP router |
        +---------+          +------------+
              ^                     ^
              |                     |
        +-----+---------+    +------+--------+
        | Your network  |    | Guest network |
        |---------------|    |---------------|
        | Your host 1   |    | Guest host 1  |
        | Your host 2   |    | Guest host 2  |
        +---------------+    +---------------+

The better option would probably be to replace the Linksys with something that supports multiple independent local WLANs, hook that to the ISP-supplied router (configuring the ISP-supplied router for bridge mode if possible), and use only that for local access (your own and guests'), assigning one of its networks for your own use and another for guest use. This is probably a pretty common feature in small-business-range and up hardware, but not so common in consumer hardware. For example, the Cisco RV220W allows you to configure up to four independent wireless networks, each with its own SSID, security settings including encryption and key settings, and network segment isolation settings. That is, you can set things up such that when on one WLAN you can access everything, but if you connect to another, you can only pass through to the WAN, and in particular the guest WLAN cannot access the residence WLAN because the router or access point blocks such communication. I doubt it's bulletproof, but unless your threat model includes targeted attacks from government agencies, I think it would be pretty safe with such a setup (and if that's your threat model, you probably shouldn't have asked here in the first place...).

You'd end up with something like this:

                             +------------+
                             |  Internet  |
                             +------------+
                                    ^
                                    |
                             +------+-----+
                             | ISP router |
                             +------------+
                                    ^
                                    |
                             +------+-----+
                  +--------->| Your router|<----------+
                  |          +------------+           |
                  |                                   |
          +-------+-------+                   +-------+-------+
          | Your network  |                   | Guest network |
          |---------------|                   |---------------|
          | Your host 1   |                   | Guest host 1  |
          | Your host 2   |                   | Guest host 2  |
          +---------------+                   +---------------+

In each diagram, an arrow pointing toward another box means "uses the services of" the pointed-to box. (So e.g. "ISP router" uses the services of "Internet".)

I've done something very similar to the latter case myself with two WLANs on separate VLANs. I don't recall how the router handles the wired network connections, but I'm fairly sure those can also be assigned to chosen VLANs (and such a feature certainly seems reasonable to expect of such a product), which means that you can combine certain wired ports with a given wireless network for your residential network and run a guest network on a VLAN separate from that which you use. If you choose to go this route and the ability to combine and separate traffic on both wired and wireless networks is an important consideration for you, you should probably contact the manufacturers of some products you are considering and ask specifically about that capability.

a CVn

Posted 2013-09-17T06:59:18.567

Reputation: 26 553

Thank you! Your first illustration looks like my draft, and I understand that. (I hadn't thought of the concern about giving out hardcoded credentials.) For your second illustration, you only mention WLAN -- would guests on the guest WLAN be able to access the home LAN? – Torben Gundtofte-Bruun – 2013-09-17T08:11:40.023

To clarify, I'm not worried about government snoops. I merely want to offer an open guest network while preventing access to the home network. – Torben Gundtofte-Bruun – 2013-09-17T08:12:10.540

"would guests on the guest WLAN be able to access the home LAN?" That would depend on the router. With the RV220W, I'm pretty sure you can set it up so that the wired ports and one WLAN are on one VLAN and another WLAN is on another VLAN, ensuring separation. If this is an important consideration for you I'd suggest looking up a few small business range wireless routers in an acceptable price range, then contact the manufacturers and ask about multiple network segment and network segment isolation support. They should be able to answer that easily; it certainly isn't an unreasonable request. – a CVn – 2013-09-17T08:22:34.777

You could of course also build something like this yourself -- the RV220W runs its own software on top of some variant of Linux, so there's really no magic involved and assuming Cisco isn't violating the GPL in distributing its firmware everything should be available for you to make something similar yourself minus their administration interface and possibly some other peripheral things -- but buying a ready-made solution is often more practical. – a CVn – 2013-09-17T08:22:56.373

For other readers: The mentioned RV220W costs about €190 in Austria. I'd expected business equipment to be a lot more expensive. – Torben Gundtofte-Bruun – 2013-09-17T08:41:02.453

I think I'll go with your first alternative, as we seem to have the same idea about it. I'd need to see if I can change the ISP credentials though. – Torben Gundtofte-Bruun – 2013-09-17T08:42:21.303