(Not) sharing your home network with guests

Could I ask what your solution is to this concern illustrated by +Troy Hunt?

So far I've been running some insecure protocols on my home network, typically NFS without authentication. I don't like this very much as a starting point; as a result I've shared this network over Wi-Fi with almost no one.

For my next place, a larger apartment with very thick walls where I'll hopefully have more guests, I plan to use two Wi-Fi hot-spots with roaming to cover every room well.
For guest Wi-Fi, I'm thinking about a few approaches, like:

Option 1:
Using a (3rd) dedicated Wi-Fi router for guests: the good thing is that I can plug it directly into my ISP's Ethernet, which generously assigns another public IP address to every new MAC making a DHCP request.

Pros: complete isolation, ability to disable very easily.
Cons: no Wi-Fi roaming for guests, no access to Android TV Chromecast for casting.

Option 2:
Using a (3rd) dedicated Wi-Fi hot-spot, not acting as a router, connected via another Ethernet card to a Linux machine acting as NAT router for both the home and guest networks.
Via ebtables (Linux Ethernet bridge management tool), allow each Android TV and Chromecast connected to the home network to appear on the guest network as well.

Pros: good isolation, ability to cast media from the guest network and connect to desired devices on the home network as well.
Cons: no Wi-Fi roaming for guests.

Option 3:
Attributing an internal IP in 10.0.0.0/24 to any unknown MAC address (guests) and 192.0.0.0/24 to known (home network) MAC addresses. Wi-Fi roams between the two access points, sharing the Wi-Fi password with guests.
Using a Linux machine as router, allow 10.0.0.0/24 IPs to communicate with selected 192.0.0.0/24 devices (Android TV and Chromecast) and not others, using iptables filtering.

Pros: great Wi-Fi coverage via roaming, ability to cast media and connect devices between the guest and home networks (needs verification that the cast protocol is happy with the routing situation).
Cons: no real network isolation, low security (can be overridden by setting the IP address manually), could break some broadcast/multicast discovery protocols and introduce weird behaviors, and the Wi-Fi password is still being stolen and shared by Windows 10 Wi-Fi Sense.

Option 4:
Same as the previous option, with Wi-Fi roaming over two access points, but sharing only a guest SSID terminated with _optout for Wi-Fi Sense, and using a different password from the one I use myself.
Since even sniffed WPA2 Wi-Fi can be decrypted provided you already have the password, it's not a good idea to share it with anyone.
https://supportforums.cisco.com/document/100611/80211-sniffer-capture-analysis-wpawpa2-psk-or-eap

Pros: same, but solves Windows 10 Wi-Fi Sense as well as the captured Wi-Fi decryption issue.
Cons: same, and still no real network isolation or security.

What do you think?

#supercurioBlog #network #security #wifi
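
The iptables filtering step of Option 3, as an added example that is not part of the original post: a ruleset for the Linux router that lets the guest range reach the Internet and the listed cast devices only, and logs and drops everything else headed for the home range. The interface name, the cast device addresses and the dry-run default are assumptions; the 192.0.0.0/24 home range is taken from the post as written.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules for Option 3.
# One LAN segment carries both ranges: known MACs get 192.0.0.0/24 (as written
# in the post), unknown MACs get 10.0.0.0/24. The Linux box routes between them
# and NATs both to the ISP. Interface name and device addresses are assumptions.
WAN_IF="eth0"                          # assumed upstream (ISP) interface
GUEST_NET="10.0.0.0/24"                # range handed to unknown MACs
HOME_NET="192.0.0.0/24"                # range handed to known MACs
CAST_DEVICES="192.0.0.50 192.0.0.51"   # assumed Android TV and Chromecast

# Dry run by default: print the commands instead of applying them.
# Run with IPT=iptables (as root) to install the rules for real.
IPT="${IPT:-echo iptables}"

guest_rules() {
    # Both ranges reach the Internet through NAT on the upstream interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Replies to already-accepted flows (including casting sessions) pass.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$GUEST_NET" -o "$WAN_IF" -j ACCEPT
    # Only the listed cast devices are reachable from the guest range.
    # These ACCEPTs must precede the catch-all DROP below.
    for dev in $CAST_DEVICES; do
        $IPT -A FORWARD -s "$GUEST_NET" -d "$dev" -j ACCEPT
    done
    # Any other guest-to-home traffic is logged, then dropped. This is purely
    # address based: as the post's cons say, a guest who sets a 192.0.0.x
    # address by hand, or adds a local route and talks on the shared segment
    # directly, never passes through this chain at all.
    $IPT -A FORWARD -s "$GUEST_NET" -d "$HOME_NET" -j LOG --log-prefix "guest-to-home: "
    $IPT -A FORWARD -s "$GUEST_NET" -d "$HOME_NET" -j DROP
    # Home devices keep full access to the guest range and the Internet.
    $IPT -A FORWARD -s "$HOME_NET" -j ACCEPT
    # Anything not matched above is dropped.
    $IPT -P FORWARD DROP
}

guest_rules
```

The logged prefix gives a cheap way to see which guest devices try to reach the home range, which is the check worth watching before trusting this setup.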

Troy Hunt: No, you can’t join my wifi network

Source post on Google+