Solved

Setting up guest wireless on DLink is not giving security

Posted on 2014-09-17
20
48 Views
Last Modified: 2015-10-06
I have two D-Link AC1200 routers. One is the main, the second is in the boardroom with the LAN cable from the first, to the LAN port into the second. DHCP turned off on the second one.  This configures the boardroom DLink as a wireless access point.

When I enable the guest network on the boardroom router, you cannot reach the Internet.  Is this because it is designed to get an IP only from its own self? (I have DHCP turned off because it is just an access point).

When I plug the LAN cable into the boardroom DLINK's WAN port instead, turn on DHCP (different subnet), all functions work as normal.  However, when you connect to the guest wireless in the boardroom, you can't ping anything on that router, but you *can* ping any IP address on the other network.  Connected to guest, I can get onto a computer on the other subnet via the Windows run line: \\192.168.2.100, for example.

The tick boxes for "enable routing between zones" are cleared.

How do I prevent the guest network from seeing other subnets?  The main DLink router is a DIR-850L, and the secondary boardroom router is a DIR-820L.

Thanks.
Question by:DaveWWW
20 Comments
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40330045
From your description, I think your best answer is going to be to buy another router for guest access because that DLink is insisting on using the WAN port.

But otherwise, what is the subnet mask, and did you turn off the NAT firewall? (Either would explain the \\192.168.2.100 issue.)
 
LVL 16

Expert Comment

by:vivigatt
ID: 40330053
Guest wireless on an AP that does not route anything seems quite strange to me.
Can you elaborate on your config, especially IP, type of gateway etc., on the 2 D-Links?
 

Author Comment

by:DaveWWW
ID: 40330454
The current setup is now:
Main router 192.168.2.1.

LAN cable from the router's LAN port to the WAN port of the secondary router in the boardroom, whose IP address is 192.168.3.1, DHCP on, guest network on.

Anyone connecting to the guest network gets IP 192.168.3.x.

Any guest cannot get a ping return when pinging 192.168.3.x. But they do get full connectivity including browsing PCs on 192.168.2.x. This very much surprised me.

Ideally, what I'd like is a second router in the boardroom where company people get onto the standard wireless and thus the entire company LAN. Guests connecting to the guest network in the boardroom see only the Internet - everything else internally is blocked.
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40330530
What is your subnet mask and did you turn NAT back on?
If the subnet is 255.255.255.0, .2 should not be able to access .3
 
LVL 16

Expert Comment

by:vivigatt
ID: 40331412
Correct me if I am wrong.
What you want is:
- WLAN 1 (standard wireless 192.168.2.0/24) on your 2 WiFi routers
- Guest WLAN (192.168.3.0/24) on the second router

To have WLAN1 on both your routers, you need a special configuration. If there is a wire between both routers, it is not the same thing as if both routers must use a wireless link. In the latter case, you may have to use something like WDS, OLSR, B.A.T.M.A.N...

You could set your 2nd router as an access point only, but then I don't think that the guest network can work, since it requires routing capabilities, DHCP etc...
 

Author Comment

by:DaveWWW
ID: 40336453
vivigatt, I'm not on site with the client right now, but Router 1 is set up with IP address 192.168.2.1, with dual band wifi, standard config all round.

Router 2 is set up in the boardroom with IP address 192.168.3.1, with a LAN port cable from Router 1 plugged into Router 2's WAN port.  On Router 2, the guest network is turned on.

Guests (on router 2) cannot ping any 192.168.3.x address, but they *can* ping any 192.168.2.x address.
 
LVL 16

Accepted Solution

by:
vivigatt earned 500 total points
ID: 40336670
It seems to me that your "Guest network" is isolated from (not routed to) the 192.168.3.x network, which makes sense for a guest network. My experience with guest networks is that they are totally isolated from the "non-guest" LAN.
Now, 192.168.2.x being connected to the WAN port, it is considered to be "the Internet" for router 2, and thus the guest network and 192.168.3.x hosts can access it.
Actually, what you describe seems perfectly normal to me...
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40336820
If 192.168.2.1 is the router's ip, change the wan/internet port's subnet mask to 255.255.255.254 and that should fix it.  Every ip other than 192.168.3.1 will be on a foreign network.
 

Author Comment

by:DaveWWW
ID: 40337293
Change it on router 1 or router 2?
 
LVL 16

Expert Comment

by:vivigatt
ID: 40337543
Davis McCarn, I don't think it will work:
If you change it on router 2, on the WAN port, thinking that everything that is not 192.168.2.1 will be considered to be "the Internet", this will not be correct, since 192.168.2.1/24 (aka 192.168.2.0/255.255.255.0) is already "the Internet" for Router 2.
Furthermore, the nodes connected to the non-guest network on Router 2 may have issues connecting to hosts in 192.168.2.x (remember, router 2 is connected to router 1 on its WAN port).

However, I am not sure what the OP actually wants...
Normally a "guest network" should allow only Internet access and no connection to your LAN/WLAN. If this is what you want, you may need to implement VLANs, since I am not sure that you can have a Guest Network working this way if the router is not directly connected to the Internet on its WAN port.
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40337580
Router 2, and it will then be /31, vivigatt (only one IP not foreign).
 
LVL 16

Expert Comment

by:vivigatt
ID: 40337604
Yes, only one IP accessible to the WAN port, which would be a router IP. Routing should work; however, if what the OP wants is to isolate guests completely from his LAN/WLAN, it won't help, will it?
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40337673
Yes, because any attempt to access 192.168.3.2 through .255 will fail.
 
LVL 16

Expert Comment

by:vivigatt
ID: 40337728
I don't get you...
192.168.3.x is already unavailable to nodes of the guest network. Where would the improvement be?
Currently, according to the OP, guests can access anything but the 192.168.3.x network. My understanding is that he wants guests to access only the Internet and nothing in 192.168.2.x nor 192.168.3.x.
Actually, I can't see why setting the WAN link on router 2 to use a /31 netmask can change anything (except that it adds one hop when trying to reach a node in the 192.168.2.x network). Packets received by 192.168.2.1 will be routed by router 1, and they will be routed to 192.168.2.x as well. It is my understanding that they won't be routed to 192.168.3.x (and they already aren't) because router 2 is a NAT between 192.168.2.x and 192.168.3.x.
I think I missed something. I'll wait for the OP to clarify; I don't want to add confusion to this thread...
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40337806
1) We're getting pretty arcane here, because 99.99% of the users on the planet would never have a clue they could access 192.168.2.2!  The whole question is borderline paranoia (though I do sympathize).
2) If the router's WAN/Internet subnet mask is 255.255.255.254 AND the gateway is at 192.168.2.1, the only address deemed local will be 192.168.2.1 (period).  Even if 192.168.2.2 responds to a ping, it won't be available because it is outside the scope of the network.
3) To DaveWWW:  Pinging is a long way from R/W access.  Can you open the shares on the 192.168.2.xxx network?
 
LVL 16

Expert Comment

by:vivigatt
ID: 40337852
In your proposed setting, does the WAN interface of Router 2 have the address 192.168.2.1 or 192.168.2.2?
I guess it has 192.168.2.2, because its gateway (192.168.2.1 then) must be in the same subnet.
Then 192.168.2.2 would be the address assigned to the WAN port on the router, and it won't be in its own subnet!
Pretty weird!
dd-wrt firmware v24 sp2 does not allow me to set my WRT54G in such a way.
OTOH, using 255.255.255.252 as the subnet mask is legit. And then you have only 2 addresses in the subnet: 192.168.2.1 and 192.168.2.2. This might work better.
Yet, I still don't get what the improvements are compared to the current situation.
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40338073
You wouldn't be able to browse 192.168.2.3-255; geeze.
 
LVL 16

Expert Comment

by:vivigatt
ID: 40339654
DavisMcCarn, are you familiar with "guest networks" on small WiFi routers?
It seems to me that you aren't, and also that you do not understand what the OP wants.
Let me explain what I understood (and if I am wrong, well, I'll apologize):
Guest WiFi networks are secondary WiFi networks, on another subnet, that are isolated from your "private" LAN/WLAN, but that exist on the SAME router that manages your private (W)LAN.
In the OP's config, the private LAN/WLAN on router2 is 192.168.3.x, the guest network is something else (192.168.47.x for instance; he did not say and this is not important) and guest nodes cannot access anything on 192.168.3.x, yet they can access "the Internet", which is exactly what a guest network is made for. Since "the Internet" for router2 is actually "router1", I can't see how setting a subnet zero (/31 subnet mask) changes the routing scheme. 31-bit prefixes are used for point-to-point links only, but routing will still work on router1 (and that's what the OP wants for his 192.168.3.x network: hosts on 192.168.3.x must be able to "browse" 192.168.2.x nodes).
With your proposed config you should be able to "browse" 192.168.2.3-254 from guest and private WLANs: the packets will be sent from 192.168.3.x and 192.168.47.x, NAT'ed and received by router1 on 192.168.2.1. Router1 can actually route them correctly to 192.168.2.x and to whatever is behind its default gateway (to keep it simple).
And I don't think that you can easily set a 31-bit prefix on the link between router1 and router2 (in that way, not the other way, from router2 to router1).
Furthermore, I don't think that D-Link routers accept 31-bit prefixes on their WAN link, which would make this solution useless even if it worked.

Here is what Cisco writes about /31 masks:
Using 31-Bit Prefixes on IPv4 Point-to-Point Links

RFC 3021 describes using 31-bit prefixes for point-to-point links. This leaves 1 bit for the host-id portion of the IP address. Normally a host-id of all zeros is used to represent the network or subnet, and a host-id of all ones is used to represent a directed broadcast. Using 31-Bit prefixes, the host-id of 0 represents one host, and a host-id of 1 represents the other host of a point-to-point link.

Local link (limited) broadcasts (255.255.255.255) can still be used with 31-bit prefixes. But directed broadcasts are not possible to a 31-bit prefix. This is not really a problem because most routing protocols use multicast, limited broadcasts, or unicasts.

More about 31bits prefixes here: http://www.ietf.org/rfc/rfc3021.txt
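To make the /31 versus /30 argument in the comments above concrete, here is an added Python model of router 2's forwarding decision (example code, not from the thread, from D-Link or from dd-wrt). It assumes router 2's WAN address is 192.168.2.2 with a configurable prefix, its gateway is 192.168.2.1, guest isolation on router 2 blocks only 192.168.3.0/24, and the documentation-range address 203.0.113.9 stands in for an Internet host.

```python
# Added example: models the on-link / next-hop decision from the /31 debate.
# Assumed addresses (constructed from the thread): router 1 is 192.168.2.1/24,
# router 2's LAN is 192.168.3.0/24, router 2's WAN port is 192.168.2.2 with a
# configurable prefix length; 203.0.113.9 is a documentation-range stand-in
# for an Internet host.
from ipaddress import ip_address, ip_interface, ip_network

ROUTER1_LAN = ip_network("192.168.2.0/24")   # behind router 1 (192.168.2.1)
ROUTER2_LAN = ip_network("192.168.3.0/24")   # router 2's private LAN/WLAN
GATEWAY = "192.168.2.1"                      # router 2's default gateway

def gateway_on_link(wan_iface, gateway=GATEWAY):
    """True if the gateway lies inside the WAN interface's own subnet.
    192.168.2.2/31 covers only .2-.3, so .1 is off-link (vivigatt's point);
    192.168.2.2/30 covers .0-.3 and is a valid two-host link."""
    return ip_address(gateway) in ip_interface(wan_iface).network

def next_hop(wan_iface, dst, gateway=GATEWAY):
    """On-link destinations are sent directly; anything else goes to the gateway."""
    dst = ip_address(dst)
    return str(dst) if dst in ip_interface(wan_iface).network else gateway

def guest_path(dst, wan_iface="192.168.2.2/24"):
    """Trace a packet from a guest client on router 2 to dst.
    Returns (reachable, hops). Guest isolation on router 2 blocks only router
    2's own LAN; everything else is NATed out the WAN port, and router 1 then
    forwards it like any other packet arriving from its LAN side."""
    dst_ip = ip_address(dst)
    hops = ["guest-client", "router2"]
    if dst_ip in ROUTER2_LAN:
        return False, hops + ["dropped: guest isolation"]
    if not gateway_on_link(wan_iface):
        return False, hops + ["no route: gateway off-link"]
    nh = next_hop(wan_iface, dst)
    hops.append(nh)
    if nh == str(dst_ip):                 # on-link for router 2's WAN side
        return True, hops
    if dst_ip in ROUTER1_LAN:             # router 1 delivers to its LAN hosts
        return True, hops + [str(dst_ip)]
    return True, hops + ["upstream"]      # default route toward the Internet

if __name__ == "__main__":
    # A narrower WAN mask only adds a hop via 192.168.2.1; it blocks nothing.
    for prefix in ("24", "30", "31"):
        for dst in ("192.168.3.50", "192.168.2.100", "203.0.113.9"):
            print(f"/{prefix} -> {dst}: {guest_path(dst, '192.168.2.2/' + prefix)}")
```

The output shows that with a /30 the 192.168.2.x hosts are still reached through 192.168.2.1, and that a /31 with the gateway at .1 leaves router 2 with no on-link gateway at all, which is why only a firewall rule or VLAN on the upstream side, not a mask change, keeps guests away from 192.168.2.x.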
 

Author Comment

by:DaveWWW
ID: 40402728
Sorry, I've been away for some time and am just getting back to this.  A couple of points:

DavisMcCarn, re your previous comments, the idea of subnet isolation in a business is hardly 'borderline paranoia'.  It's simply prudent.  And yes, going to the run box and typing \\192.168.2.100 would bring up the first device with an assigned IP, along with its shares. Running a network scan on the other subnet would likely work too.  Guest networks exist for a reason.


Based on many of the comments, perhaps a workable approach is to turn off DHCP on the boardroom router, put everything on the same subnet, and turn on the guest network on the boardroom.  I say this because all computers would be on the same subnet, and because the guest network does not browse computers on the same subnet, problem solved, correct?
 

Author Closing Comment

by:DaveWWW
ID: 41027813
This was correct.  When using two routers, turning on the guest network on the inner router will allow it to access the router connected to the WAN.  I reconfigured the routers differently to avoid this.
