Linksys Guest Network

[jebise]

Keep in mind that Cisco designed the guest network. Cisco owned linksys when the guest network came out (for whatever that's worth).

Not worth a lot IMO, with the entire CCC ordeal, I have lost faith and there QA process is not very good either. I probably did double NAT the thing as you have to switch between Bridged and DHCP to set some of the guest features and QoS.

I already ordered the TP Link WDR3600 which is the only other router I could find under $60 that supported DDWRT and offered concurrent dual band.

My main router is running DDWRT and I like the control even if its harder to setup, on DDWRT the guest zone can access the router page, but thats not a big deal for me as my guest are the norm non techy but at least the guest AP is secured by WPA2 and a password unlike the linksys and if I really wanted to disable that I'm sure there is a way to do it. The EA2700 I find is too limited as explained above and in my previous posts.

 

[jlake]

Not worth a lot IMO, with the entire CCC ordeal, I have lost faith and there QA process is not very good either. I probably did double NAT the thing as you have to switch between Bridged and DHCP to set some of the guest features and QoS.

I already ordered the TP Link WDR3600 which is the only other router I could find under $60 that supported DDWRT and offered concurrent dual band.

My main router is running DDWRT and I like the control even if its harder to setup. The EA2700 I find is too limited as explained above and in my previous posts.

Oh I've double natted it all the time. It's a nice feature, but if you're not paying attention, it'll start moving you to different scopes. Happens to me all the time.

To be honest, there's no evidence whatsoever that CCC is insecure. It's no more insecure than online banking IMHO. There's actually evidence that it's more secure than traditional router GUI access.

If you want to talk about security flubs, take a look at the current mess with Asus and port 445. Or past asus flubs with asus AiCloud.

The funny thing is my ISP doesn't block port 445, but instead provides me with a router that blocks outbound 445 etc by default with a nice firewall for my security. Since I don't use the ISP router, I would never have known about the 445 mess because I'm too trusting and never do a port scan. Fortunately, I don't own one of the asus routers affected by the 445 openness.

 

[sinshiva]

All that does is get you to the login screen like you're at the super 8 motel. I would imagine that from that point on it is encrypted with same wireless security that you set up for your main wireless. I don't think it's unencrypted when you're entering your password.

Keep in mind that Cisco designed the guest network. Cisco owned linksys when the guest network came out (for whatever that's worth).

no, i don't think cisco had anything to do with it. the guest portal is pretty useless, it sounds like, if an attacker has very little roadblocks in the way of encryption at the interface

 

[jlake]

no, i don't think cisco had anything to do with it. the guest portal is pretty useless, it sounds like, if an attacker has very little roadblocks in the way of encryption at the interface

Well, you'd have to provide some evidence. If an attacker (your next door neighbor), gains access to the guest network, they would only be able to access the internet and not the LAN. I've got two neighbors in my neighborhood still using WEP. These routers are designed for home users. What you're describing even if true wouldn't result in a security breach to the home owners LAN.

Take a look at Asus port 445 or previous AiCloud if you want to talk about "real" security problems. Access to 445 could/would be catastrophic for many unsuspecting people. Much more severe than your neighbor stealing some internet speed from the guest network.

 

[sinshiva]

let me put it this way, even if the login session is over https, you're relying on a lot more to go right than setting keys on the interfaces

 

[jlake]

let me put it this way, even if the login session is over https, you're relying on a lot more to go right than setting keys on the interfaces

Again, you've got no evidence how it actually works. You're speculating.

The Asus 445 problem "should be" the number 1 topic in the forum. It's mind blowing that it's not. It's the elephant in the room. Nobody wants to talk about it. When is the last time you've seen a linksys with an open port exposing people's port 445 on LAN to billions of people across the planet?

 

[sinshiva]

that can be closed if samba is disabled iirc, but that i'm sure will be fixed. does linksys have perhaps an option to disable the guest page, but enable aes (only.) on newer models?

 

[L&LD]

jlake, are you also not speculating that the 'password', once entered gives us a WPA2 AES connection? And as correctly questioned by sinshiva, it seems like while entering that password, we're not encrypted.

Not ganging up on you. Just asking the pertinent questions.


Also, the Asus 445 problem is not an issue as RMerlin has explained - anyone enabling the feature that exposed the port would also put a password on it. The people who wouldn't would also be exposing their movie collection to the world, no biggie.

I agree it's a dumb problem on Asus' part - but it's not an elephant for me as I don't have anything facing the web except my browser.

 

[jlake]

Yes you can disable guest network on linksys. Even if your neighbor were to gain access to the guest network, it is isolated on a vlan. There is no access to the primary LAN.

I read both your responses on port 445, and to be honest, I find them disturbing. So we'll just have to agree to disagree.

 

[sinshiva]

sorry, i think you misunderstood me; i meant, for the guest wlan interface, can you disable the guest page, but enable manually configured keys for wpa2-aes. not disable the guest vlan 'switched virtual interface'.

 

[jebise]

sorry, i think you misunderstood me; i meant, for the guest wlan interface, can you disable the guest page, but enable manually configured keys for wpa2-aes. not disable the guest vlan 'switched virtual interface'.

On the EA2700 this is not possible which is why I created this thread.

 

[sinshiva]

just read the beginning of the thread, sorry; i'd say L&LD pretty much nailed it from the beginning.

 

[jlake]

just read the beginning of the thread, sorry; i'd say L&LD pretty much nailed it from the beginning.

Exactly. It's secure. Just as secure as Starbucks probably. And way more secure than Target.

Now please start a new thread about asus and port 445. All those poor unsuspecting main stream consumers that bought one of the asus routers off of Amazon with samba server that opens 445 for all the world to access their USB drive. They probably asked their neighbor geek, if samba was safe, and he replied "of course, samba is just local file sharing.....your NAT blocks port 445, so you have nothing to worry about."

 

[remixedcat]

So... wait!


You can't just use a guest WPA2 key instead of the splash screen? That's pretty bad

 

[L&LD]

Just as secure as Starbucks (probably). Lol... not saying much.

Don't drink their coffee and I don't use any 'open' WiFi connection.

Just bad/lazy network design (or maybe they don't care about their customer's security <= yes, that's it)?

 

[jlake]

Just as secure as Starbucks (probably). Lol... not saying much.

Don't drink their coffee and I don't use any 'open' WiFi connection.

Just bad/lazy network design (or maybe they don't care about their customer's security <= yes, that's it)?

I'm not sure if linksys considers "guests" customers. I kind of doubt it. I think their concern is for the homeowners (their customers) who bought the router on the main network. And in that sense, the isolated vlan works perfect and does its job. I suppose guests are not forced to use guest network anywhere....a home with linksys guest network , Starbucks, holiday inn. It's always optional.

I don't use captive portal either. But millions of people do everyday. DD-WRT supported captive portal for years. With the number of 4G LTE phones, tablets, USB modems, mifi, etc....that people have today, guest network is not even relevant for many people. I have 4G LTE verizon ipad so guest networks aren't even on my radar.

 

[L&LD]

Actually, I meant Starbucks don't care about their customers...

Just like Linksys, it seems, doesn't care about me, caring about the people I would want to connect to my systems as 'guests'.

 

[jlake]

Actually, I meant Starbucks don't care about their customers...

Just like Linksys, it seems, doesn't care about me, caring about the people I would want to connect to my systems as 'guests'.

They just figure if you don't trust the person to give your main network password, you don't care anyway.

My friends and family guests would be insulted if I asked them to use guest network. They always allow me access to their main network, so I do the same. The only person I would have use guest network is like a contractor or a politician. Or snowden. Lol

 

[jebise]

They just figure if you don't trust the person to give your main network password, you don't care anyway.

My friends and family guests would be insulted if I asked them to use guest network. They always allow me access to their main network, so I do the same. The only person I would have use guest network is like a contractor or a politician. Or snowden. Lol

It's not that I don't trust my family or friends, its just harder for them to connect to my main network because its a hidden SSID, really complex password etc. On the other hand the guest network is visible with a strong but not complex password that is easy to remember. It's more of a convenience for everyone. I trust my friends and family but can't say that about there wifi enabled devices, I have had a friend come over with an infected computer and there was no way i would let him connect to my main network. The guest network really comes in handy in these situations.

My friends and family wouldn't even know they are connecting to a guest network, well up until now with the way Linksys handles the guest network.

 

[jlake]

It's not that I don't trust my family or friends, its just harder for them to connect to my main network because its a hidden SSID, really complex password etc. On the other hand the guest network is visible with a strong but not complex password that is easy to remember. It's more of a convenience for everyone. I trust my friends and family but can't say that about there wifi enabled devices, I have had a friend come over with an infected computer and there was no way i would let him connect to my main network. The guest network really comes in handy in these situations.

My friends and family wouldn't even know they are connecting to a guest network, well up until now with the way Linksys handles the guest network.

I didn't realize that you were an SSID hider. Everything is crystal clear to me now. Your original post makes perfect sense to me now. Thanks.