Guest Wi-Fi Network Explained: No, It’s Not Really for Your IoT Devices

Arlo Ultra
You won’t be able to set up your Arlo camera using an isolated Guest Wi-Fi network.

I’ve received a lot of questions relating to the Guest Wi-Fi network in the past couple of months, especially since the review of the Asus ZenWiFi AX, on which the feature hasn’t worked as intended.

Most of these questions, though, are not about how to set up a router’s Guest Wi-Fi networks, but about why specific IoT devices don’t work.

So, this post will explain Guest networking and how to use it properly. Hint: No, it’s not intended to be a security measure for IoT devices.

What is a Guest network

A Guest Wi-Fi network is a fancy name for a virtual SSID (network name) that’s, by default, isolated from the primary one you use for your home — your intranet. As a result, a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.

As the name suggests, this other network is for your guests to use. The purpose is to keep guest devices separated from your home devices for security and privacy purposes.

Here’s a crude analogy: If your intranet is your home, then the Guest network is that mother-in-law suite at the far-end of your back yard. You know your in-law is comfortable there each time they visit, yet you don’t have to tend to their every move. Everyone is happy.

When a Guest network is not a Guest network

Note that many routers have the option to allow the Guest network intranet access. With that turned on, the isolation is no longer in effect. The Guest network now works the same as the main network.

Why would anyone want to do that, you might ask? Other than they don’t know what they are doing, there are a couple of additional reasons.

First, not everyone needs a Guest network, and sometimes it’s useful to have multiple options so you can segment your devices. For example, you can have a group of clients connect to a particular SSID, and the rest to another.

Another reason is the owner of the Guest network might want to gain access to the guest’s device. The isolation, or the lack thereof, works both ways, and not every guest network is a friendly one. That’s the reason you want a VPN when using public Wi-Fi.

The point here is that, just because it’s called a Guest network, doesn’t mean it’s necessarily isolated. But in this post, for the sake of consistency, we assume that it always is.

How to set up a guest network

By definition, any Wi-Fi network that’s separated (isolated) from your main network is a guest network. And there are many ways to achieve this.

Turn it on

The easiest way is to get a router that has this feature — the majority of home routers have Guest networking these days. In this case, you just need to turn it on via the router’s web interface or mobile app. You’ll find it in a section called “Guest Network” or something to that effect.

A Guest Network setting page of an Asus router. Note how the Access Intranet setting is disabled.

Once turned on, by default, the Guest network is isolated, so make sure you don’t change this setting. Most routers’ Guest network feature comes with some other settings, including time access limit, bandwidth limit, and so on. You can configure those or leave them all alone, but it’s always a good idea to secure this network with a password.

Note that when you use a router’s built-in Guest networking feature, chances are all devices connected to the Guest SSID are isolated, meaning not only can’t they access your intranet, they also don’t see one another. In other words, if the guests want their devices to work with each other locally, that won’t happen.

That said, this type of Guest networking is suitable for temporary guests who just need the Internet and nothing else. It’s also the right choice for a public place, like a coffee shop.

But if you want to offer your guests more than just the Internet, this type of Guest networking won’t cut it. Instead, you need a separate Intranet.
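An added example, not from the original post: a check to run from a device joined to the Guest SSID, confirming that the isolation described above is actually in effect instead of trusting the setting's label. The addresses, ports (445 for file sharing, 9100 for raw printing) and zone names are assumptions; the bundled run uses a simulated probe so it works offline.

```python
import socket

# Expected reachability per zone when the client sits on an isolated Guest SSID.
EXPECTED = {"intranet": False, "guest-peer": False, "internet": True}

def tcp_probe(host, port, timeout=1.5):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(targets, probe=tcp_probe):
    """Probe each (label, zone, host, port) and compare with EXPECTED."""
    report = []
    for label, zone, host, port in targets:
        reachable = probe(host, port)
        if reachable == EXPECTED[zone]:
            verdict = "ok"
        elif reachable:
            verdict = "LEAK"         # local resource visible from the Guest SSID
        else:
            verdict = "NO-INTERNET"  # guest client cannot get out at all
        report.append((label, zone, verdict))
    return report

def leaks(report):
    """Labels of local resources the guest client could reach."""
    return [label for label, _, verdict in report if verdict == "LEAK"]

# Constructed sample targets; replace with hosts on your own network.
TARGETS = [
    ("shared folder (SMB)", "intranet", "192.168.1.10", 445),
    ("network printer", "intranet", "192.168.1.20", 9100),
    ("another guest device", "guest-peer", "192.168.101.23", 80),
    ("internet", "internet", "1.1.1.1", 443),
]

def simulated_probe(open_endpoints):
    """Build a probe that answers from a fixed set, for offline runs."""
    return lambda host, port: (host, port) in open_endpoints

if __name__ == "__main__":
    # Simulated router with "Access Intranet" enabled: every target answers.
    bridged = simulated_probe({(h, p) for _, _, h, p in TARGETS})
    for row in audit(TARGETS, bridged):
        print(row)
```

A refused connection also counts as unreachable, so first confirm from the main network that each service answers on the chosen port.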

Create a separate intranet

If you want your loved one living in the mother-in-law unit to feel even more welcome, you can equip the place with more gadgets, such as a network printer or Wi-Fi speakers. Now, to keep these devices available to your guests, yet separate from yours, you’ll need to build a different intranet for them.

There are many ways to do this, and the easiest is to use a separate router in a double-NAT setup. For more on this, check out this post about using multiple routers on top of each other.

READ NOW:  Double NAT or How to Best Use an Existing (ISP-Provided) Gateway

In this case, the guest intranet is separate from your primary network, but its devices are not isolated from one another. And that’s important because most local devices need to be in the same network to work as intended. That brings us to why Guest networking is not for IoT devices.

Why you shouldn’t use a Guest network for many IoT devices

While it seems sensible to tell folks to put IoT devices on a Guest Wi-Fi network as a security measure, in reality, this advice can be rather idiotic in many cases for a couple of reasons.

Being in the same network doesn’t guarantee access

First, it’s important to note that having devices in the same local network (intranet) doesn’t mean they can access one another willy-nilly.

The interaction between network devices varies depending on the applications. Still, all sensitive data access — such as if you want a machine A to access a shared folder on a device B — requires some configuration which determines who can access what and how.

If you don’t do anything, by default, the access is not available. In other words, it takes work to make a computer’s information exposed to others.

Most IoTs are low-value targets for hackers

IoT stands for Internet of Things and it generally means an Internet-connected thing that’s not a computer or a mobile device.

You’ll find IoT devices all around you. Examples are network printers, IP cameras, smart speakers / TVs / appliances, and so on. All have one thing in common: They generally have limited computing capability, compared to a real computer, that is.

As a result, they generally are low-value targets. Hackers won’t try too hard to hack these devices because even when they are successful, there’s not much they can do with them. On the other hand, hacking a computer warrants a much higher return on their investment.

How about the IoT botnet? Isn’t that real?

It was.

Yes, there have been instances where hundreds, if not thousands, of IoTs were “hacked” at the same time to create a botnet. In these cases, there was little hacking involved, but mostly the negligence of the owners.

In their early days, IoTs, including many Wi-Fi routers, all worked right out of the box with the default username and password. Consumers got them home, hooked them to the Internet, and used them without bothering to change their default settings. It’s like you get a new safe and use it with the default 1111 combo.

The bad guys took advantage of this and were able to gain control of these devices remotely with little effort. They then used them as bots to send a simple denial-of-service (DoS) command to attack a third party.

A couple of things to note here:

  • No harm was done to the owners of the IoT devices involved in these attacks.
  • Using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.

What’s most important is since then, IoTs have come a long way in terms of security. Most of them won’t connect to the Internet unless the user has created a (new) admin password.

(The only IoT device I’ve seen in a long time that works with its default security setting is the D-Link DIR-X1560, which turned out in my testing to be not a great router anyway.)

No, I don’t mean the chance of your IoTs being hacked is zero, but it sure is much lower than that of your computer or your phone. And using them with a Guest Wi-Fi network makes little difference, if at all, on the security front. In this case, though, one thing is more likely: They probably won’t work as intended.

Many IoTs need intranet access to work

That’s correct. Many IoT devices need to be part of your home network to work correctly.

Take a network printer, for example. Hooking it to a Guest network will keep it invisible to your other devices — they can’t print. In some cases, you still can print, but you have to do so via the Internet, and that means:

  • You must set up the printer with a vendor login account which can be a privacy concern.
  • You can’t print if the Internet is down.
  • It takes much longer to initiate a print job.

Similar things will happen with other devices. Putting them on the guest network means you disconnect them from your local network. Everything now has to go through the Internet.

Here are some more examples of what might not work if you connect your IoTs to an isolated Guest Wi-Fi network.

  • You can’t wirelessly cast a computer’s or mobile device’s screen on your smart TV.
  • Wi-Fi speakers won’t work.
  • Most IP cameras won’t work, at least during the setup process.
  • Local movie streaming (from your own server) won’t work.

The list goes on. So to answer many of your questions: Putting all your IoT devices on a Guest Wi-Fi network can create a lot of headaches. Stop making it a standard practice!

It’s a matter of degree

OK, just to be fair. First, there are Internet of Things devices — those that only need Internet and nothing else — that will work just fine when you put them on an isolated Guest network.

Also, if you get cheap ones from sketchy vendors with no or awful security, maybe it’s a good idea to isolate them — though it’s best not to use them at all.

There are possible ways to make almost all IoT devices work via a guest Wi-Fi network, including those that are part of your local resources. But in this case, why jump through hoops with your hands tied behind your back and risk falling on your face unnecessarily when you can stroll to the same place?

The takeaway

The point here is this: You need to understand your device and the Guest network and use them accordingly. The Guest network is not synonymous with better security. And vice versa, using an IoT device within your primary network doesn’t necessarily make your system more vulnerable.

The best way to make sure your IoT devices are safe from hacking is not to get cheap ones from unknown vendors. Then set a secure password for them and use them with their latest firmware. On top of that, keep your router’s firmware up-to-date, too. Finally, if the router has built-in online protection, use that.

And for those who are still adamant about always using IoT with a Guest Wi-Fi network, consider this: Your router, the one that hosts your Wi-Fi networks, including the Guest Wi-Fi, is itself an IoT device. It’s also one of the highest-value targets among IoTs. What are you going to do about this conundrum?

9 thoughts on “Guest Wi-Fi Network Explained: No, It’s Not Really for Your IoT Devices”

  1. IoT devices with zero days are known to give access to the local network.
    Or the other way around: a local privilege escalation grants access to all IoT devices to put them in a botnet.
    A lot of very cheap IoT devices do not have any serious or even funny way of security. So putting them in isolation is a good way to limit damage.
    A guest network is a simple way to segment your IoT devices. The ones that do not work on it will shift to the normal network or, better, their own SSID.
    The guest network is one of the simplest ways to achieve that security for the normal user. Yes, there are much better ways, but they are not accessible for normal users.
    So there is nothing idiotic in using the guest network for IoT. It is in fact a simple and often effective way of protecting your stuff.

      • Or, said differently, almost every IoT device in my home needs access.
        Router: Obviously.
        Switches & access points: Obviously.
        Speakers: Yep.
        Google Home/Nest displays: Yep.
        Roku: Maybe not, but I don’t use it now, so I should probably just unplug it.
        Chromecast, Android TV: Yep.
        Printers: Yep (don’t even get me started on what a PITA cloud printing is)
        Weather station console (reports data to Weather Underground): Probably not. Meh. I’ll take my chances that someone goes to all the trouble of hacking such a relatively uncommon device.
        Samsung “Smart” TV: Probably not, but it’s so useless (other than as a monitor) I haven’t even bothered to connect it to my new router.

        I’m sure I’ve forgotten some, but the best security solution for them is probably just to unplug them since I probably don’t use them anyway.

      • I think people are referring more to devices like Amazon Echo, Blink cams, Ring doorbell cams, robot vacuum cleaners, smart home plugs, smart lights, etc… All those things are accessed through the Internet, not a local LAN. Smartcast TVs and printers are the small minority with houses full of 30-50 IoT devices. The only time you might need local access is for initial setup. Sorry to say, but what’s idiotic is to say that hackers won’t target IoT devices. They don’t use them for their bandwidth. They use them to launch attacks on the rest of your network, like your phone and PC that you worry about.

          • I mean to say resources, not bandwidth. What you should realize is most people are not idiots. They already know their printers and TVs have to be on the same network if they want to access them. And it is not troublesome to reconnect them, unlike the 30 IoT devices they might have connected. Printers and TVs are not even considered “IoT” devices by most people. I think that is the confusion.

            But also you should realize there is much a hacker can do with an IoT device (smart home devices). Even something simple like a smart plug is very capable of being a vector to sniff or infect your PC and phone. It’s idiotic to suggest hackers would not bother when it’s the first thing a hacker might do.

            That being said, you are right in the sense they would probably go for the printer and TV first, since they are more capable and more likely to be on the same subnet. But probably not as easy to compromise as some cheap IoT device that has no security at all and doesn’t even get regular updates.

            This is all much more practical than MAC address spoofing when you don’t know the Wi-Fi password. The cheap IoT device is probably more likely to expose the password than the TV and printer.

  2. Haha…I’m one of those that uses Guest Network for IoT devices. So far 90% of them work, including IP cams, smart home devices, etc. Chromecast I put on the main network, as you would need to switch to the guest network to cast. The only ones that don’t like Guest Network are my Lifx bulbs. I can’t get them to connect to guest.

