At office Wifi access
-
@Dashrender said:
In theory.
One could say the same thing about the routing or VLANs, though. They isolate the traffic "in theory." But in reality, the theory holds. I don't see any reason to be concerned here. It looks like a well thought out security mechanism. I would test it and not use it for military secrets or anything. But for a normal business on a scale where this would work, it seems like a simple, logical approach.
What about it causes concern?
-
@scottalanmiller said:
@Dashrender said:
Agreed - looks like UNBT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall one for each IP range, unless the router/firewall supports multiple IPs non VLAN'ed on a single interface.
Often they do.
My routing on a stick comment was based on this, not the UNBT stuff. I took your meaning to be that many routers support single interface routing.
Although I see why you say it's not really routing on a stick because the traffic from network A (A and B being inside your network) and the internet, but not from A to B
-
@Dashrender said:
Although I see why you say it's not really routing on a stick because the traffic from network A (A and B being inside your network) and the internet, but not from A to B
Exactly. The one side of the router would be multi-homes but not routing between subnets on that side (if it did that, just skip the routing altogether) and instead only from multiple "inside" routes to a single external route.
-
@scottalanmiller said:
@Dashrender said:
In theory.
One could say the same thing about the routing or VLANs, though. They isolate the traffic "in theory." But in reality, the theory holds. I don't see any reason to be concerned here. It looks like a well thought out security mechanism. I would test it and not use it for military secrets or anything. But for a normal business on a scale where this would work, it seems like a simple, logical approach.
What about it causes concern?
Actually, now that I've looked at the configuration of the guest network, that network can be limited to only the specified IP range, so yeah, it's less of an issue. If that limitation wasn't there, a person could make an association, then after the association was live, manually change their IP to one on the production network and Bob's your uncle.
-
@Dashrender said:
Actually, now that I've looked at the configuration of the guest network, that network can be limited to only the specified IP range, so yeah, it's less of an issue. If that limitation wasn't there, a person could make an association, then after the association was live, manually change their IP to one on the production network and Bob's your uncle.
Right. I would agree that they could if the restrictions were not in place.
-
I have a UBNT Router and AP (UniFI). I have two SSIDs - one for the 'business' side of my home network, and another for the Kids. I have the Kids side limited to 1MBs to not saturate the main network. Work before Mindcraft.
-
OK I'm blind, I can't find the bandwidth limiting section in the controller software. And my screen does not look like those above. I'm on version 4.6.6
-
One other option that's worked for me previously is to get a cheap consumer connection and have guest / employees use that for their phones and want not. Bonus: you get an additional connection to use for testing / failover / whatever else you might need.
-
@Dashrender Should be under Settings > User Groups. Then under Wireless Networks pick the user group for the guest network.
-
@johnhooks said:
@Dashrender Should be under Settings > User Groups. Then under Wireless Networks pick the user group for the guest network.
Thanks, that seems convoluted, but gives me what I want.
-
@Dashrender No problem. Ya it would be nice if you could just set it on the guest network.
-
This post from a few years ago seems to indicate that the Guest WiFi network still gets an IP from your normal DHCP server. Now you're really trusting the AP to make sure that traffic on that SSID is only forwarded to the Default Gateway, and not allowed on the local network.
-
@Dashrender said:
This post from a few years ago seems to indicate that the Guest WiFi network still gets an IP from your normal DHCP server. Now you're really trusting the AP to make sure that traffic on that SSID is only forwarded to the Default Gateway, and not allowed on the local network.
No, not really. DHCP itself cannot be any form of security. That would be security through obscurity. You were never depending on that at all. You have a security mechanism that you need to trust the same as a router or a VLAN. I don't see any new concern here, just better design.
-
Did I misread your earlier post that the Guest Network worked on it's own IP Range, most likely outside your own network's IP Range?
How can that be if the Guest Network is getting it's IP from your DHCP server?
Also, This seems to make setting what IP ranges are allowed on the Guest Network pointless. Wouldn't you have to add your local network to that valid range?
-
@Dashrender said:
Did I misread your earlier post that the Guest Network worked on it's own IP Range, most likely outside your own network's IP Range?
It's not a guest network in this case. But a locked down guest access system. No need for guests to have their own network, just to keep them from accessing yours.
-
@Dashrender said:
Also, This seems to make setting what IP ranges are allowed on the Guest Network pointless. Wouldn't you have to add your local network to that valid range?
Where does it have you doing that?
-
Here is the default setup under Settings > Guest Control
I'm assuming these three subnets are listed by default because they are the most typical networks that one might have that are local. These lines I'm guessing are preventing guest users from being able to go to these IP addresses.
OK I can see how that is suppose to protect you, but there's a problem - you must be allowed to get to the DNS servers. Most companies use an internal DNS server, so your machines will probably be allowed to send DNS queries to those servers, unless the AP is doing DNS Proxy.
-
Couple things about the DNS...
- You would prefer if they went to Google or OpenDNS, not to internal. No need to hit an internal one.
- Hitting your DNS is a pretty trivial thing and in the docs it said that this is something that is allowed by the AP.
So I don't see this as an issue if it works as desired and/or as described.
-
No chances of any kind of DNS attack on your network? Or so minor you don't care?
Personally - yeah they should be able to be sent to something like google dns or opendns.
but I can see that that might not be desirable either if you want to allow some local access, for example to your mail server while on the guest network. -
@Dashrender said:
No chances of any kind of DNS attack on your network? Or so minor you don't care?
DNS attack meaning what? That someone that you let into your building is sitting in the lobby launching a DDoS on your DNS? If so, worst case, power off the AP for a minute.
Once someone is willing to do this, I think you have bigger concerns.
