Tusitala asked:
How to Create Separate Guest WiFi VLAN on Netgear R8000

Hi Experts,

I am following up with a new question on how to create a Guest WiFi VLAN to separate LAN/WAN traffic inside our home network.

After extensive online researching, I cannot seem to find any suitable step-by-step guides on how to achieve this with my router (Netgear R8000) and am hopeful someone would be able to help me through here.

Could someone please help with configuration steps?

Tala
2017-01-26_10-32-13.png
masnrock

So in looking at the manual, while VLANs would be an appropriate approach, I'm not 100 percent sure how well it would work with your router. You can apply it to one of the wireless antennas, but I saw nothing in the manual that would imply it could work as being set up on the guest network only. But also, the second VLAN would not have its own set of private IP addresses unless you hooked up a second router, which would create a whole new set of issues for you (requiring a static IP from the ISP).

This isn't a strong point of home routers... VLANs that is. DD-WRT would probably help, assuming you wanted to reflash the firmware on the router with non-Netgear firmware.

Since I know the question this started from, let me ask this: The unauthorized devices that got onto the network: Were you able to ping them from authorized systems on the network? (Obviously no way to test the other way around)

This may also be a good challenge for Netgear support, depending on how old the router is, because since you had things set up correctly, there is no way that should have been possible IF the devices in question were connected to the guest network.
Tusitala (asker)

Hey thanks for the comment.

Ok so I was assuming from Joseph's previous comment that I could use VLAN as a work around, at least to separate our LAN traffic from wireless because that is how the person(s) made entry.  As their MAC or IP address did not display on my router when I checked the Access Table, I assumed that they made entry another way.  As I mentioned, we only found out by seeing their mobile device on our Windows network.  From there, I could obtain a MAC address and the device names, but that is all.  Again I assume that they used MAC spoofing to mimic one of our own MAC addresses when they did it.

Nonetheless, I guess from what you suggest, I need to flash our router with DD-WRT (any suggestions on which one to use would be great!) because we cannot live in peace knowing that somebody close by has hacked our infrastructure and appears to have done so for some time.

We do have a static IP address and some spare routers as well if there is another solution we could look into.

masnrock

Let's try an experiment first: Enable your wireless networks except for the guest networks. Let me know whether or not the devices in question show up then. If so, that explains your entire problem of why you see them on the local network.

Also, how many characters were in your WPA2-PSK passphrase? I know you said it had been generated. You ideally want it to be at least 15 characters long with letters, numbers, and special characters. The key is that you can remember it, so base it off some phrase you would remember.

Tusitala (asker)

Thanks,

So I have enabled both radios for our local network.  I have also changed the passphrase to 21 chars long with mixed symbols in it.  I guess it's a waiting game now, correct?  How can we tell if they are trying to brute force our network?

masnrock

Not sure if your unit will capture in the logs unsuccessful attempts to connect to the network (which you can see the last 256 entries or so under Advanced). However, it is a place that you can look at to see if unauthorized devices got onto the network (assuming that it was in the last 256 things to occur).

Also, if you notice no unauthorized devices, go ahead and turn on your guest network as well, and make sure that passphrase is secure.

Tusitala (asker)

Okay so here goes:

Another device has appeared on our network!  

What's interesting is that the access control table does not show the device anywhere, and the logs on our router do not show it connecting to the network either!  I took a screen grab of the log interface, the device on our network, and I also quickly grabbed its MAC address as well.  It appears as a Sony Xperia mobile device.  

Important to note however, at the time of capturing this information, we had our QNAP server, laptop, and desktop pc connected to the network via LAN cables only.  No wireless devices were connected at all.

Not sure about all this now I am getting rather worried!
p2.png
p1.png
p3.png

masnrock

Is anything connected to your QNAP? I think it has LAN ports on it.

Also check to see if an ad hoc network was created on the laptop.

Tusitala (asker)

Server has 4 LAN ports. It is connected to a Linksys unmanaged switch which in turn is connected to our router.

I checked the laptop and there are only two networks on it and both are LAN. Everything else is disabled.

I am going to shut down the server and monitor it with nothing connected to the router except one desktop machine. I shall revert back in 24 hours.

masnrock

The phone has to be connected to something. If it's able to show with wireless shut off entirely on the router, then it's connected to something on that network that IS authorized. It may help if you turn on additional logging (namely logging router operation and attempted access to allowed access). The latter will let you see where the phone is attempting to connect to, along with an IP.

Tusitala (asker)

Hi masnrock,

First off, sorry for the delay, I took 48 hours instead of 24, just to be thorough.

Around 48 hours ago, I started with doing as you suggested, shutting down server, unplugged everything except for our R8000 router and one desktop machine.  No telephone line here, just fiber cable to a router.

So, I powered up the router (with wireless disabled) and desktop with the internet connection totally unplugged.  I sat and watched the logs and kept refreshing my windows browser.  Nothing except the desktop machine appeared on our network.

I then went through the router with a fine comb and made sure everything was set as we discussed earlier.  I then kicked on the wireless, enabling two radios, the 2.4 GHz and the first 5 GHz.  After watching the logs on the router for around 30 minutes, Waaammm!  One of those mobile devices appeared on our network again.  I had already provided some screen grabs of it previously which showed its MAC address and model details.  I then ran just the 2.4 GHz for an hour or so and nothing appeared.  However, as a precaution, I disabled all WiFi because we feel that the individual(s) behind this are hacking our network with malicious intent.

Since then, we have been running everything on LAN and progressively turned on every LAN device.  Not once has any unauthorized device appeared on our network since disabling the WiFi.  

So with all that said and done, I therefore come to the conclusion that those responsible are highly skilled because they do it in a way that makes them appear as complete "ghosts" on our router.  You might say that no way this is possible but I am speaking with 100% confidence that there were no logs, no MAC or IP address details recorded in the router at all even after extending the logging events to include everything!  And to make matters worse, I had changed our password three times since we last spoke!  I assume from the above that the individual(s) needed the stronger 5 GHz radios to maintain a good connection, right?

So masnrock, where to from here?  I mentioned earlier that we do have spare equipment that we could daisy chain or possibly flashing DD-WRT firmware but you tell me, what do we need to do to get our problem fixed?  Also, we now have a very good idea who is behind this but without any proof we are screwed!  Is there any way we can catch the person?

masnrock

Alright, so it looks like the party involved is connecting to your main network, not your guest one. By the way, please tell me that you are not using the default password on your router and that remote administration is turned off on it.

One more request: Could you please disconnect your extenders? I forgot about those... and let me know if the unauthorized machines stay on.

I assume you have looked in the attached devices section and seen no signs of those devices, correct?

What are some of the spare routers you have? Just so that you can see how things work on one of those first. The DD-WRT firmware for your particular Netgear isn't a DD-WRT official one (just to forewarn you).

Tusitala (asker)

Hey thanks :-)

That is correct, router password is strong and remote admin on all our hardware has been off since day one.

Extenders.  They are all connected (1 base with 2 extenders / dual Ethernet ports) to our LAN by Ethernet only and have had the admin password secured and WiFi radios disabled since we bought them.   We did not want to use the WiFi functionality of them because of interference and security concerns.  Please note that these have been on for the last day, no issues at all.

Attached Devices and Access Control!  Nothing, zero, zilch!  We have cross-referenced and triple checked every device in our house with the access table as well.  

We have a spare Linksys 1900AC and a Netgear D6200.  I am familiar with the caveat regarding DD-WRT for the R8000.

masnrock

Here is a link to the page that contains a link to what is currently the latest DD-WRT for your Netgear. When you read the details, you will know why I provided this link:

https://www.myopenrouter.com/download/dd-wrt-kong-mod-netgear-r8000-2017-01-18

Firmware for the 1900AC is on the DD-WRT site, just search their database for the right one: http://www.dd-wrt.com

Tusitala (asker)

Hey thanks.

I take it from your reply that daisy chain is not an option?

I used Kong-Mod before and found its wireless speeds to be very poor despite optimizing the bands etc.  Tomato any good to you?  Also, how will flashing my router to DD-WRT fix this unauthorized access problem?  Are there things we can do to stop it?
ASKER CERTIFIED SOLUTION
masnrock

This solution is only available to members.

Tusitala (asker)

Thanks.

We already have a whitelist of friendly device MAC addresses loaded on our router under Access Control.  Block all new devices set to on by default!  In my earlier question, Joseph mentioned that the hacker is probably using MAC spoofing which is not too hard to do.  I have no clue how that works but would love to return the favor!

Looks like I shall go ahead and load up DD-WRT for now.  Might take me a bit of time though as it's been a while since I last flashed a router.

Just a side question, is it normal for an extender to obtain an address outside the bounds of our network definition?  For example, our local network address range in DHCP is 192.168.1.60 through 192.168.1.80.  One extender picks up an IP address of 192.168.1.187 and another one picks up 192.168.1.73.  Is this normal?   I noticed that you cannot assign an IP in the extender, only reserve the address in the router which is what we have done for our 4 LAN ports on our server.

I shall revert back later after I have flashed the router.

Thanks :-)

masnrock

If you are using MAC filtering and that is still occurring, then yes they are most likely spoofing.

Well, reservations are normally outside of the DHCP bounds, so in that regard you are good. Your actual network bounds are 192.168.1.1 to 192.168.1.254.

Also, have you tried using a program like Angry IP Scanner? You would be able to possibly find out which IP the person is using by process of elimination. Once you do that, you could do a tracert to those devices and see what is in between. There are only a few things I see possible.

Go ahead and get DD-WRT loaded and let's see if we can get more data.

Tusitala (asker)

Hey masnrock,

I will look into Angry IP scanner and see what it can do for us.  Regarding our network DHCP setting, we specifically made a network configuration with just 20 IP addresses to limit the number of devices that can connect.  

Unfortunately, due to time constraints, I have not yet had the time to flash my router but plan to do so this coming weekend.

Having said that, I am fully aware that DD-WRT will provide me with the capacity to create a VLAN on my R8000 router as asked in my initial question.  So rather than drag this question on any longer, I am going to close it and if I have any further questions, I will just open a new one and we can go from there.

Thanks so much for your help masnrock.  Appreciated.

masnrock

A DHCP scope of 20 addresses limits the number of devices that can connect via DHCP. However, units with static IP addresses could connect with an address in (and cause a potential conflict) or out of that range, as long as it is in the overall subnet (which is where I provided the large range of addresses). Hopefully this does start to get sorted out.... good luck and feel free to create more questions if need be.
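Two points in masnrock's replies (the "process of elimination" with an IP scanner, and the distinction between the DHCP pool and the whole /24 subnet) can be checked with a short script. The following is an added example, not code from the thread or from any router or scanner vendor. It uses the subnet and DHCP pool described in the thread (192.168.1.0/24, pool .60 through .80); the MAC whitelist and the "observed" host table are constructed placeholders standing in for the router's Attached Devices list or an IP-scanner export, and the hostnames and MACs are made up.

```python
# Added example (not from the thread): classify hosts seen on a home LAN
# against a whitelist of known MAC addresses and the router's DHCP scope.
# Subnet and DHCP pool follow the thread (192.168.1.0/24, pool .60-.80);
# the whitelist and the "observed" table are constructed placeholders.
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.60"),
             ipaddress.ip_address("192.168.1.80"))

# Constructed whitelist: placeholder MACs, not real devices.
KNOWN_MACS = {
    "aa:bb:cc:00:00:01": "desktop",
    "aa:bb:cc:00:00:02": "laptop",
    "aa:bb:cc:00:00:03": "qnap-server",
    "aa:bb:cc:00:00:04": "extender-1",
}

# Constructed scan result: (ip, mac, hostname as reported by the device).
OBSERVED = [
    ("192.168.1.61",  "aa:bb:cc:00:00:01", "DESKTOP"),
    ("192.168.1.62",  "aa:bb:cc:00:00:02", "LAPTOP"),
    ("192.168.1.10",  "AA-BB-CC-00-00-03", "QNAP"),        # reserved, outside pool
    ("192.168.1.187", "aa:bb:cc:00:00:04", "EXTENDER"),    # reserved, outside pool
    ("192.168.1.200", "de:ad:be:ef:00:01", "android-xyz"), # unknown MAC, static address
    ("192.168.1.63",  "aa:bb:cc:00:00:02", "android-abc"), # whitelisted MAC on a 2nd IP
]


def normalize_mac(mac):
    """Routers and scanners disagree on case and separators; compare one form."""
    return mac.strip().lower().replace("-", ":")


def address_class(ip_str, subnet=SUBNET, pool=DHCP_POOL):
    """Where an address sits. A small DHCP pool only limits DHCP clients;
    a statically configured host anywhere in the /24 still reaches everyone."""
    ip = ipaddress.ip_address(ip_str)
    if ip not in subnet:
        return "outside-subnet"
    if pool[0] <= ip <= pool[1]:
        return "dhcp-pool"
    return "static-or-reserved"


def classify(observed, known=KNOWN_MACS):
    """Annotate every observed host with its addressing class and findings."""
    ips_by_mac = defaultdict(set)
    for ip, mac, _ in observed:
        ips_by_mac[normalize_mac(mac)].add(ip)

    results = []
    for ip, mac, host in observed:
        mac = normalize_mac(mac)
        findings = []
        if mac not in known:
            findings.append("unknown-mac")          # not on the Access Control whitelist
        if len(ips_by_mac[mac]) > 1:
            findings.append("mac-on-multiple-ips")  # a cloned MAC shows up this way
        results.append({
            "ip": ip, "mac": mac, "host": host,
            "owner": known.get(mac),
            "addressing": address_class(ip),
            "findings": findings,
        })
    return results


def suspicious(results):
    """Hosts worth a closer look: the 'process of elimination' list."""
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    for r in classify(OBSERVED):
        flag = "!!" if r["findings"] else "  "
        print(f"{flag} {r['ip']:<15} {r['mac']}  {r['addressing']:<18} "
              f"{r['owner'] or '?':<12} {r['host']:<12} {','.join(r['findings'])}")
```

Run as-is it prints one line per host and marks the three that need attention: the unknown MAC on a static address, and the whitelisted laptop MAC appearing on two addresses at once. The two extender-style addresses (.10 and .187) are flagged only as "static-or-reserved", which is exactly the normal case masnrock describes. The caveat is that a cloned whitelisted MAC is only caught as a duplicate while the genuine device is online at the same time, and a router's own Attached Devices view may omit a host entirely, as happened in this thread; a scan run from a host on the LAN is the independent view.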