
    At office Wifi access

      Dashrender

      Did I misread your earlier post that the Guest Network worked on its own IP Range, most likely outside your own network's IP Range?

      How can that be if the Guest Network is getting its IP from your DHCP server?

      Also, this seems to make setting what IP ranges are allowed on the Guest Network pointless. Wouldn't you have to add your local network to that valid range?

        scottalanmiller @Dashrender

        @Dashrender said:

        Did I misread your earlier post that the Guest Network worked on its own IP Range, most likely outside your own network's IP Range?

        It's not a guest network in this case. But a locked down guest access system. No need for guests to have their own network, just to keep them from accessing yours.

          scottalanmiller @Dashrender

          @Dashrender said:

          Also, this seems to make setting what IP ranges are allowed on the Guest Network pointless. Wouldn't you have to add your local network to that valid range?

          Where does it have you doing that?

            Dashrender

            [Image: setting-network.JPG]

            Here is the default setup under Settings > Guest Control

            I'm assuming these three subnets are listed by default because they are the most typical networks that one might have that are local. These lines I'm guessing are preventing guest users from being able to go to these IP addresses.

            OK, I can see how that is supposed to protect you, but there's a problem - you must be allowed to get to the DNS servers. Most companies use an internal DNS server, so your machines will probably be allowed to send DNS queries to those servers, unless the AP is doing DNS Proxy.

              scottalanmiller

              Couple things about the DNS...

              1. You would prefer if they went to Google or OpenDNS, not to internal. No need to hit an internal one.
              2. Hitting your DNS is a pretty trivial thing and in the docs it said that this is something that is allowed by the AP.

              So I don't see this as an issue if it works as desired and/or as described.

                Dashrender

                No chances of any kind of DNS attack on your network? Or so minor you don't care?

                Personally - yeah, they should be able to be sent to something like Google DNS or OpenDNS.
                But I can see that that might not be desirable either if you want to allow some local access, for example to your mail server while on the guest network.

                  scottalanmiller @Dashrender

                  @Dashrender said:

                  No chances of any kind of DNS attack on your network? Or so minor you don't care?

                  DNS attack meaning what? That someone that you let into your building is sitting in the lobby launching a DDoS on your DNS? If so, worst case, power off the AP for a minute.

                  Once someone is willing to do this, I think you have bigger concerns.

                    scottalanmiller @Dashrender

                    @Dashrender said:

                    Personally - yeah, they should be able to be sent to something like Google DNS or OpenDNS.
                    But I can see that that might not be desirable either if you want to allow some local access, for example to your mail server while on the guest network.

                    If you are allowing SOME local access I think that "guest" is not what you want to be enabling. This is for guest access to the Internet, not for a partial LAN scenario.

                      Alex Sage

                      @scottalanmiller is correct here. You can set up a guest network, that is completely separate, without having to deal with VLAN.

                      I did this myself on my Ubiquiti AP. It takes just seconds to set up (at least during the first setup), and I confirmed that guests have no access to my internal network.

                        Alex Sage

                        https://www.reddit.com/r/Ubiquiti/comments/32ovll/how_do_i_configure_a_guest_network_on_unifi_ap/
