Linksys Guest Network

[jebise]

So I'm just configuring my Ea2700 and find the guest network troubling. I see it's an open network that anyone can connect to. This doesn't seem like it's secure enough, even though it asks to login before it will grant Internet access. Anyone can connect to the network and run a packet sniffer to figure out the password?

Am I just paranoid?

 

[L&LD]

How can they connect to the network if they need a password?

And if they don't need a password, how can they connect to 'sniff the password'?

If you're running WPA2 AES with a long/strong password - I would think you're okay.

 

[jebise]

Thats the thing, the guest network is open (no password what so ever). Anyone can connect to it and get an IP Address, it's just they won't be able to browse the internet unless they type in the correct password in a web portal. Similar to coffee shops where the network is open but then redirects you to a web portal where you have to "sign in".

 

[remixedcat]

Can you set the guest network to instead have a key? or both?

I have both a key and a captive portal on my guest network. I have a Cisco Meraki MR12 AP.

 

[L&LD]

If you can't set a WPA2 AES password manually; this is where I would be returning the EA2700.

 

[jlake]

Thats the thing, the guest network is open (no password what so ever). Anyone can connect to it and get an IP Address, it's just they won't be able to browse the internet unless they type in the correct password in a web portal. Similar to coffee shops where the network is open but then redirects you to a web portal where you have to "sign in".

Guest network is isolated on a vlan on 192.168.3.1. It's not on your main network of 192.168.1.1. Just has access to port 80 from what I remember (assuming you know the guest network password).

 

[L&LD]

Not sure about the security of the vlan settings (specifically), but from 192.168.3.1 you can get to any device on the 192.168.1.1 network.

Doesn't seem so secure to me at this point (but the vlan and/or firewall settings may have taken care of this obvious security 'hole').

 

[jlake]

Not sure about the security of the vlan settings (specifically), but from 192.168.3.1 you can get to any device on the 192.168.1.1 network.

Doesn't seem so secure to me at this point (but the vlan and/or firewall settings may have taken care of this obvious security 'hole').

You can't get from guest network 192.168.3.x to 192.168.1.x on linksys routers. Won't happen. Guest network can only use the internet (assuming you know guest network password).

Router has a separate guest network dhcp table/ device list that shows anyone on guest network. So if your neighbor's name is frank, and you see "frank's ipad" on your guest network , it's probably time to make your guest network password a little harder to guess.

Guest network on linksys is simply so you can give your guests internet and so you don't have to give your guests your main network password so they don't have access to your file sharing stuff etc... I wouldn't try to over think it. If you don't have any guests, then turn it off.

If you need a better solution for guest network ,then you can buy a dirt cheap router and cascade it LAN to WAN on a different subnet with ap isolation enabled.

Linksys newer routers won't allow you to access their GUI if you're on a different LAN segment.

 

[L&LD]

jlake, curious how Linksys prevents going from 192.168.3.1 to 192.168.1.1 is this something you have tested and verified?

On any SOHO router I've used (various, including a Linksys but without Guest ssid) I can type in a device's IP address from the higher numbered network and access the lower numbered one.

So, is this something in the vlan setup or a special rule in the Firewall?

 

[jebise]

I just connected my Nexus 7 to the guest SSID which again is open. I can see my tablet has an IP address but it doesn't show in the router logs. As soon as I typed in the password in the web portal it showed up in the logs. No option to secure the guest network SSID which I find really limiting.

Oddly enough my guest network is on 172.25.xxx.xxx, not sure why maybe coz i'm in bridged mode and guest network settings are not visible.

I tried to access the EA2700 webpage but got a server error page saying connection refused so it seems to be "secure" in that sense. I still don't like the idea of an open network even if its a guest network because its still handing out IP Address.

 

[sinshiva]

so, linksys firmware doesn't let you set a password for the guest ap? how about on later models? sounds like they took the term 'guest' a little too literally

 

[L&LD]

If your main equipment is on the 192.168.x.x (or the 10.x.x.x) subnet and your guest network is on the 172.25.x.x subnet they should be safe from each other.

Still, I agree with you that with an open network, anyone can connect and figure out the password eventually. Worse, all your guests are completely open to interception if/when they check their email, log on to forums, do any banking, etc..


Even if the main network is a different subnet, I would still be returning this router for this reason alone.

 

[jlake]

jlake, curious how Linksys prevents going from 192.168.3.1 to 192.168.1.1 is this something you have tested and verified?

On any SOHO router I've used (various, including a Linksys but without Guest ssid) I can type in a device's IP address from the higher numbered network and access the lower numbered one.

So, is this something in the vlan setup or a special rule in the Firewall?

Yes, I've tested and verified with guest network.

But even if you're not on a guest network and you're on a cascaded router on something like 192.168.5.1, you can't get to main router GUI on 192.168.1.1. Which is actually smart. At some point, around 2011, Linksys considered it to be a "bug" and they changed their firmware(s). Or maybe they considered it to be an undesirable feature to be able to come from e.g. 192.168.5.x to access main router GUI at 192.168.1.1.

I'm not network savvy enough to know what the "official correct behavior" should be. But if I cascade a router LAN to WAN and put it on 192.168.5.1, I definitely don't want it to have access to router GUI on 192.168.1.1.

I'm pretty sure Asus routers allow you to come from 192.168.5.x to router GUI on 192.168.1.1. So in that sense, I consider linksys routers to be more secure.
I've tested a handful of newer linksys routers, and can confirm you will be blocked, but older linksys routers will definitely allow you to come from 192.168.5.x and gain access to the linksys router GUI at 192.168.1.1 (just like the Asus).

 

[jlake]

so, linksys firmware doesn't let you set a password for the guest ap? how about on later models? sounds like they took the term 'guest' a little too literally

It's the complete opposite. Linksys routers guest network require you to have a password. You cannot run a guest network on linksys without a password.

 

[L&LD]

It's the complete opposite. Linksys routers guest network require you to have a password. You cannot run a guest network on linksys without a password.

But a guest password (Linksys style) is different than a WPA2 AES password we set ourselves. The difference is that the connection is encrypted with WPA2.

Anything passing through the air between client and the Guest Linksys network will be free for all to see.

 

[jlake]

If your main equipment is on the 192.168.x.x (or the 10.x.x.x) subnet and your guest network is on the 172.25.x.x subnet they should be safe from each other.

Still, I agree with you that with an open network, anyone can connect and figure out the password eventually. Worse, all your guests are completely open to interception if/when they check their email, log on to forums, do any banking, etc..


Even if the main network is a different subnet, I would still be returning this router for this reason alone.

Yeah the default is 192.168.3.1 for guest network. But I can tell the OP double natted his linksys because the linksys detected the double NAT (with a daemon) and automatically moved his guest network to 172.x.x.x. as a precaution to avoid IP address conflicts.

Keep in mind, linksys routers a designed for mainstream consumers. They aren't designed for router geeks. They're basically idiot proof.

 

[sinshiva]

i think it's cool that linksys has bridging setup right for the guest ap, actually, but i'd also be concerned for the security of my guests, too

 

[L&LD]

jlake, Until they build a better idiot.

 

[jlake]

But a guest password (Linksys style) is different than a WPA2 AES password we set ourselves. The difference is that the connection is encrypted with WPA2.

Anything passing through the air between client and the Guest Linksys network will be free for all to see.

All that does is get you to the login screen like you're at the super 8 motel. I would imagine that from that point on it is encrypted with same wireless security that you set up for your main wireless. I don't think it's unencrypted when you're entering your password.

Keep in mind that Cisco designed the guest network. Cisco owned linksys when the guest network came out (for whatever that's worth).

 

[L&LD]

jlake, that makes sense. Though it still leaves me uneasy.

If I had a Linksys right now I would be trying to crack the guest network.