(Not) sharing your home network with guests

Could I ask what your solution is to this concern illustrated by +Troy Hunt​​​​​​​​​​​?

So far I've been running some insecure protocols in my home network, typically NFS without authentication. I don't like this very much as a starting point, and as a result I've shared this network over Wi-Fi with almost no one.

For my next place, a larger apartment with very thick walls where I'll hopefully have more guests, I plan to use two Wi-Fi hot-spots with roaming to cover every room well.
For guest Wi-Fi, I'm thinking about a few approaches, like:

Option 1:
Using a (3rd) dedicated Wi-Fi router for guests: the good thing is that I can plug it directly into my ISP's Ethernet, which generously assigns another public IP address to every new MAC making a DHCP request.

Pros: complete isolation, ability to disable very easily.
Cons: no Wi-Fi roaming for guests, no access to Android TV Chromecast for casting.

Option 2:
Using a (3rd) dedicated Wi-Fi hot-spot, not acting as a router and connected via another Ethernet card to a Linux machine acting as NAT router for both the home and guest networks.
Via ebtables (the Linux Ethernet bridge management tool), allow each Android TV and Chromecast connected to the home network to appear on the guest network as well.

Pros: good isolation, ability to cast media from the guest network and connect to desired devices on the home network as well.
Cons: no Wi-Fi roaming for guests

Option 3:
Assigning an internal IP in 10.0.0.0/24 to any unknown MAC address (guests) and in 192.0.0.0/24 to known (home network) MAC addresses. Wi-Fi roams between the two access points, and the Wi-Fi password is shared with guests.
Using a Linux machine as router, allow 10.0.0.0/24 IPs to communicate with selected 192.0.0.0/24 devices (Android TV and Chromecast) and not others, using iptables filtering.

Pros: great Wi-Fi coverage via roaming, ability to cast media and connect devices between guests and home networks (needs verification if the cast protocol is happy with the routing situation)
Cons: no real network isolation, low security (can be overridden by setting the IP address manually), could break some broadcast/multicast discovery protocols and introduce weird behaviors, and the Wi-Fi password is still being stolen and shared by Windows 10 Wi-Fi Sense.

Option 4:
Same as the previous one, with Wi-Fi roaming over two access points, but sharing only a guest SSID ending in _optout for Wi-Fi Sense, and using a different password than the one I use myself.
Since even sniffed WPA2 Wi-Fi traffic can be decrypted, provided you already have the password, it's not a good idea to share it with anyone:
https://supportforums.cisco.com/document/100611/80211-sniffer-capture-analysis-wpawpa2-psk-or-eap

Pros: same, but solves the Windows 10 Wi-Fi Sense issue as well as the captured Wi-Fi decryption issue.
Cons: same, and still no real network isolation or security.
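As an added example (not part of the original post), here is what the Option 3 filtering could look like as a generated iptables rule set for the Linux router: guests in 10.0.0.0/24 may reach the Internet and the listed cast devices, and nothing else in 192.0.0.0/24. Interface names (eth0, br0) and the cast device addresses are assumptions; the rules match on source address only, so the "set the IP manually" weakness from the Cons list still applies, and multicast discovery across the two subnets is not handled here.

```shell
#!/bin/sh
# Constructed example: generate iptables FORWARD rules for the Option 3 layout.
# Assumed names: WAN interface eth0, LAN/Wi-Fi bridge br0, guest subnet
# 10.0.0.0/24 and home subnet 192.0.0.0/24 (as in the post), plus two
# hypothetical cast devices at 192.0.0.20 and 192.0.0.21.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"
GUEST_NET="10.0.0.0/24"
HOME_NET="192.0.0.0/24"
CAST_DEVICES="192.0.0.20 192.0.0.21"

# Print the rule set instead of applying it, so it can be reviewed first;
# pipe the output to sh as root on the router to apply it.
guest_fw_rules() {
    echo "iptables -N GUEST_FWD 2>/dev/null || iptables -F GUEST_FWD"
    # Everything forwarded from the guest range goes through GUEST_FWD.
    echo "iptables -I FORWARD 1 -i $LAN_IF -s $GUEST_NET -j GUEST_FWD"
    # Replies to connections that the home side opened towards guests are fine.
    echo "iptables -A GUEST_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Guests may reach the cast devices only.
    for dev in $CAST_DEVICES; do
        echo "iptables -A GUEST_FWD -d $dev -j ACCEPT"
    done
    # Anything else aimed at the home range is logged (for review) and dropped.
    echo "iptables -A GUEST_FWD -d $HOME_NET -j LOG --log-prefix 'guest->home: '"
    echo "iptables -A GUEST_FWD -d $HOME_NET -j DROP"
    # Remaining guest traffic is Internet-bound: let it out and NAT it.
    echo "iptables -A GUEST_FWD -o $WAN_IF -j ACCEPT"
    echo "iptables -A GUEST_FWD -j DROP"
    echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
}

# Sanity check: number of cast devices that received an explicit ACCEPT.
count_cast_accepts() {
    guest_fw_rules | grep -c -- "-d 192\.0\.0\.[0-9]* -j ACCEPT"
}
```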

What do you think?

#supercurioBlog #network #security #wifi



Troy Hunt: No, you can’t join my wifi network

Source post on Google+

Published by

François Simond

Mobile engineer & analyst specialized in display, camera color calibration, audio tuning

24 thoughts on “(Not) sharing your home network with guests”

  1. You could use 802.1x authentication for everyone. Provided you have access points that support roaming and putting users on separate VLANS, you can have users authenticate using 802.1x with a freeradius backend. You can have your own username and password that puts you on your own home VLAN and You can have a "guest" username and password that puts users on a VLAN that NATs out to the second public ip address you have. 802.1x users negotiate their own keys, so even users with the same username and password use different keys which would deal with the sniffing concern. Using 802.1x, a user has to authenticate BEFORE a VLAN is assigned, so freeradius can send an attribute back that decides the user's VLANs after a user is authenticated.

  2. +Colin Joseph The solution you describe seems pretty neat!
    I like very much the idea of authentication managed via a FreeRADIUS server instead of the various access points themselves, as described here http://freeradius.org/enterprise-wifi.html, instead of PSK.
    Unfortunately, one of the Wi-Fi APs I'll use is a Netgear R6300 that has no Enterprise Wi-Fi nor VLAN capability. Last time I tried, DD-WRT ran very poorly on it (very slow wireless speed).

    In case I decide to upgrade to more capable Wi-Fi and switch equipment I'll use the proper way as you mentioned 🙂
    In the meantime, I'll continue exploring other options compatible with consumer hardware.

  3. +Rennie Allen that is the first option I list in the OP, with its pros and cons.

    Note: my ISP doesn't provide a modem but actually something better: an Ethernet jack which assigns public IP addresses via DHCP.
    You can connect a switch to it and each real or virtual machine gets its own public IP, which makes option 1 even easier to implement.

  4. +François Simond​ just to be extra secure, you should make sure the switch you use has strict port isolation. I don't see why anything beyond this is needed (if you are welcoming blackhats into your home, you're giving them physical access and you're toast no matter what you do, so you have to trust your guests).

  5. +François Simond​​ how can you get a malware infestation on your network, from something a guest does on the guest network? I agree I don't trust an $80 router to do strict isolation. However, an industrial quality Cisco 1Gbps switch that I buy second hand off eBay and update the firmware from Cisco's site, I do trust.

  6. +Rennie Allen the usual guest network isolation capability prevents guest wireless devices from seeing each other, so media casting won't work.
    It also doesn't prevent wireless devices from talking to wired ones, so none of the features I'm seeking are provided.

    Well, of course, looking for solutions with simple and affordable equipment doesn't present the same challenge as if you buy industrial hardware offering enterprise features already.

  7. +François Simond​ no, that is not typical, that is actually extremely unusual. I have visited hundreds of companies and used their guest networks and they almost never allow adjacent devices to see each other, but even so, it still doesn't affect you as long as you don't connect to the guest network (why would you?)

  8. If you don't isolate the guests from each other, they can get infections from each other, but that still doesn't affect your network. An isolated network achieves your goal, end-point isolation protects your guests from each other (which is a good idea, but not strictly required to meet your stated goals).

  9. I wish chromecast had 802.1x support…

    Anyway chromecast guest mode doesn't require to be on the same network, it should work with isolated APs. Haven't tried though..

  10. Just tell everyone to bring their own 3/4G with their device. (sim)
    Works here, because most ISPs still have unlimited data available; prices vary from 15 euros a month up to 40-50 depending on bandwidth.

  11. +jani koskela oh funny, Telia is in Sweden as well but their mobile data contracts are segmented by monthly quotas instead of bandwidth as listed here:
    Finland:
    https://www.sonera.fi/kauppa/liittymat/nettiliittymat/liikkuva-netti
    Sweden:
    http://www.telia.se/privat/telefoni/abonnemang-kontantkort/produkt/mobilabonnemang#/specifikation

    I didn't expect that from the same operator in two countries next to each other!
    I'm moving to Sweden though and thinking about how to share a 500/100 broadband since the mobile contracts are not unlimited 😉

    Edit: and wow, despite the unlimited data the prices are pretty low.

  12. They actually have quotas in talk+data packages, listed here: https://www.sonera.fi/kauppa/puheliittymat/sopiva+minulle ranging from only 2 to 20 GB a month, but unlimited is still available with an extra fee.

    Sonera has been talking about abolishing unlimited/cheap data for years and they have been gradually raising prices and lowering data caps. Other operators gladly follow since they don't have to get the blame..

    Another thing which I require is getting a public non-NATed IP, available for free (via a separate APN) from Elisa/Saunalahti, for yet another extra fee from Sonera, and nowadays DNA filters almost all ports <1025.

  13. You make an excellent point actually. I would like to achieve the same. I run DD-WRT on my APs (both Linksys Broadcom devices). They should support VLAN tagging along with WiFi roaming. This would allow me to isolate the WiFi guests from my home network.
    I'm waiting for my new switch with VLAN support to arrive to test it though.
    A few links that made me believe this is indeed possible:
    http://phil.lavin.me.uk/2012/10/creating-a-guest-wifi-with-802-1q-vlan-tagging-in-pfsense-and-dd-wrt/
    http://www.dd-wrt.com/wiki/index.php/WDS_Linked_router_network
    http://www.dd-wrt.com/wiki/index.php/VLAN_Support

    Obviously I don't know what hardware you're using, and if it supports VLAN tagging, but some third party firmware might solve that 🙂
