380.70 RT-N66U, Guest network allowing full access to home network?

[n2ubp]

I thought a guest network connection was internet only?
Enabling network discovery on a Windows 8 laptop connected as a guest (should be internet only) is showing all devices on my home network?
Steve
N2UBP

 

[Diamond67]

Ap Mode? Intranet setting, disabled or not?

 

[n2ubp]

Ap Mode? Intranet setting, disabled or not?

AP mode attached to AC-68R thru a switch. Internet not disabled for this Guest instance.

 

[Diamond67]

AP mode attached to AC-68R thru a switch. Internet not disabled for this Guest instance.

With Wireless Router Mode there is this Intranet access setting (which you can switch on or off).

But, with AP Mode your clients will have full access to network.

edit: Google "ebtables guest isolation ap mode" or something like that.

 

[n2ubp]

So the note at the top of the Guest screen doesn't reflect reality when in AP mode.. okay.. new to me. thanks.

 

[Diamond67]

So the note at the top of the Guest screen doesn't reflect reality when in AP mode.. okay..

AFAIK, with AP Mode that's the case.

With Wireless Router Mode you can restrict the access by setting Intranet access to Off.

 

[RMerlin]

AP mode cannot restrict access, because an AP is nothing but a "bridge" into your network. Any access restriction has to be implemented by the main router itself.

 

[TikiG]

Is this the case with the regular AsusWRT as well.??? This does not seem to be well documented. Shouldn't the guest mode be totally disabled in AP mode to remove this confusion?

 

[Ryansr]

Thanks for this. Also was wondering about this. Glad that I'm always running in Wireless Router Mode instead of AP mode which I've tried a while back but didn't like the limited amount of controls it gave me.

 

[Ronald Schwerer]

Is this the case with the regular AsusWRT as well.??? This does not seem to be well documented. Shouldn't the guest mode be totally disabled in AP mode to remove this confusion?

Just a data point. For AiMesh, nodes do not propagate Guest SSIDs for exactly this reason. Since AiMesh is only configurable from the main router, this "feature" is also not obvious to users. But it protects against an unintentional security lapse.

 

[RMerlin]

Is this the case with the regular AsusWRT as well.??? This does not seem to be well documented. Shouldn't the guest mode be totally disabled in AP mode to remove this confusion?

Same case with stock firmware.

Guest networks are still useful even without the ability to prevent clients from accessing the LAN (note that Asus actually hides that specific setting while in AP mode). Guest networks still allow you to provide a different WPA2 key than the main one, they still have configurable time limits, etc... They're not as useful as in router mode but they still have their usefulness.

 

[TikiG]

Same case with stock firmware.

Guest networks are still useful even without the ability to prevent clients from accessing the LAN (note that Asus actually hides that specific setting while in AP mode). Guest networks still allow you to provide a different WPA2 key than the main one, they still have configurable time limits, etc... They're not as useful as in router mode but they still have their usefulness.

Okay that is reasonable, but shouldn't the notification in the box be amended when in AP mode. It should specify that "while in AP Mode the Guest Network does Allow local network access to all guests.".

Seems to be a security risk given the misinformation. I don't even know if it's fair to call it a guest network at that point. Just my take on the words meaning however...

Edited: added "local network access" for clarification