Ubiquiti AP Guest mode
-
OK someone here mentioned that UAPs have a guest mode.
I enabled it yesterday. It's not what I would call super straight forward on the setup - create a group and configure settings on that group to limit bandwidth throughput, then create a SSID and apply the newly created group to that SSID. Also while creating the SSID, check the box for Guest Access.
Again, not hard, just not super straight forward regarding the creation of a group for the purpose of limiting throughput.
Some information for those that didn't follow the previous thread. The Guest network works by using the same DHCP/DNS as your main wireless network (so make sure your DHCP address has enough free addresses for this) and then is suppose to limit traffic on the Guest network to the default gateway, and now allow those on the Guest network access to any IPs on your network.
To test the basic security I started off trying to ping IPs of devices on my local and VPN based networks. These did not respond. Next I installed Advanced IP Scanner (on a side note I used to use Angry IP Scanner but that thing still uses and requires local Java so it's now dead to me). I was/am given pause because Angry IP Scanner was able to gather IPs and MAC addresses from my wired and corporate wireless. I mean it found everything, my VOIP phones, computers and printers, etc.
I tried pinging many of those addresses (different ones from what I pinged before) and I still didn't get a response.
Any thoughts and or opinions on this and how it's related to security?
On surface this makes me not want to trust it and instead force myself to use a VLAN to get full separation - but maybe I'm jumping the gun - and so I'm asking you.
-
I am using a vLAN arrangement here. Mainly I think due to restrictions. My kids will have people over and I do not want them in my network. I also don't want their games sucking up all the bandwidth, so it is limited on speed.
Other notes and comments: paging @JaredBusch
-
@g-jacobse what mechanism are you using to limit their speed?
What is providing DHCP/DNS for their network, for your network?
-
I did set a limit of 5 Mb on the Guest network and tested that by downloading the Windows 10 ISO, and other than a few blips, the download hit 5 Mb and stayed there for 20+ mins. My connection is 50 Mb. I was pretty impressed by how simple setting up this limiting was (overall).
-
In this case, I created separate User Groups:
-
That was the same thing I did.
WOW, you're limiting them to less than 1 Mb download, that's pretty low. What is your connection?
-
My TWC connection is not the lowest plan they have,.. but I'm running a 6/1MB line. Thus far, even with working from home now it has been decent.
They mainly play Minecraft and such on their iPads and some Youtube videos.
Thus far, other than recent signal issues, it's worked nicely.
-
huh - a 6/1 connection, I haven't seen anything that small in years. That said though, I am looking for a second ISP connection for redundancy and the best I've found so far (on the cheap that is) is a 12/2 DSL.
Our normal lowest level cable modem around here is 20/2.
-
@Dashrender said:
huh - a 6/1 connection, I haven't seen anything that small in years. That said though, I am looking for a second ISP connection for redundancy and the best I've found so far (on the cheap that is) is a 12/2 DSL.
Our normal lowest level cable modem around here is 20/2.
Wow, my parents are still on 5/.5 ADSL the only thing that is offered where they are.
-
@coliver said:
@Dashrender said:
huh - a 6/1 connection, I haven't seen anything that small in years. That said though, I am looking for a second ISP connection for redundancy and the best I've found so far (on the cheap that is) is a 12/2 DSL.
Our normal lowest level cable modem around here is 20/2.
Wow, my parents are still on 5/.5 ADSL the only thing that is offered where they are.
OUCH! no wireless options eh? or just to expensive?
-
@Dashrender said:
huh - a 6/1 connection, I haven't seen anything that small in years. That said though, I am looking for a second ISP connection for redundancy and the best I've found so far (on the cheap that is) is a 12/2 DSL.
Our normal lowest level cable modem around here is 20/2.
While not trying to stray to far, the 6/1 seems to run us okay. We watch Netflix and I can still work, AND being on a VoIP call without to much lag or drop outs.
I have kinda looked at stepping up,.. but with the kids in school now,... not much of an issue.
@coliver said:
Wow, my parents are still on 5/.5 ADSL the only thing that is offered where they are.
Friend of mine across the creek in the next county has no options right now other than Satellite, and he also works from home. He kills his monthly plan every month and has overages. Cable and DSL are not possible (to rural), and Wireless isn't the best due to the amount of cliffs and trees.
-
@Dashrender said:
@coliver said:
@Dashrender said:
huh - a 6/1 connection, I haven't seen anything that small in years. That said though, I am looking for a second ISP connection for redundancy and the best I've found so far (on the cheap that is) is a 12/2 DSL.
Our normal lowest level cable modem around here is 20/2.
Wow, my parents are still on 5/.5 ADSL the only thing that is offered where they are.
OUCH! no wireless options eh? or just to expensive?
They could do satellite (which would be very expensive) but wireless internet in our area is next to impossible. Too many mountains and valleys.
-
@Dashrender said:
I tried pinging many of those addresses (different ones from what I pinged before) and I still didn't get a response.
My guess is it is showing MAC tables and is blocked from IP access.
-
@g.jacobse said:
My TWC connection is not the lowest plan they have,.. but I'm running a 6/1MB line. Thus far, even with working from home now it has been decent.
I was working on a 2/2 not that long ago and it was enough to get by.
-
@coliver said:
They could do satellite (which would be very expensive) but wireless internet in our area is next to impossible. Too many mountains and valleys.
And introduces horrific latency.
-
@scottalanmiller said:
@Dashrender said:
I tried pinging many of those addresses (different ones from what I pinged before) and I still didn't get a response.
My guess is it is showing MAC tables and is blocked from IP access.
You think it's pulling a MAC table from the switch? Do you consider this an issue? and how do you manually query for the MAC table?
-
@Dashrender said:
You think it's pulling a MAC table from the switch? Do you consider this an issue? and how do you manually query for the MAC table?
I'm not an expert on ARP but doesn't an ARP Probe return all ARP addresses in use?
-
Guest Access does not block you from seeing those devices, it just stops you communicating.
The only benefit for Guest Access to us, is that it stops other "guest" clients disturbing each other, the VLAN is the main way that we stop people interfering with the work network.
-
@Breffni-Potter said:
Guest Access does not block you from seeing those devices, it just stops you communicating.
The only benefit for Guest Access to us, is that it stops other "guest" clients disturbing each other, the VLAN is the main way that we stop people interfering with the work network.
Guest Access on the Ubiquiti AP should stop them from messing with anything on the network, no VLAN needed.
-
@scottalanmiller said:
Guest Access on the Ubiquiti AP should stop them from messing with anything on the network, no VLAN needed.
"Should" but doesn't, I can still see other devices on the network when it's enabled.
