I've received many questions relating to the Guest Wi-Fi network in the past couple of months, especially since the reviews of the Asus ZenWiFi AX, in which the feature didn't work as intended.
However, most of these questions are not about setting up a router's Guest Wi-Fi network but why specific IoT devices don't work.
So, this post will explain "Guest" networking and how to use it properly. But to cut to the chase: Guest networking is not intended to be a security measure for Internet of Things (IoT) devices.
What is a Guest network?
A Guest Wi-Fi network is a fancy name for a virtual SSID (network name) that's, by default, isolated from the primary one you use for your home -- your intranet. Device isolation is the keyword here.
There's no such thing as "Guest" in networking. The name is a marketing term for a built-in VLAN (virtual local area network).
If you can create a Wi-Fi SSID (network name) separate and isolated from the one you use, then it's effectively the guest Wi-Fi network, no matter what you call it.
Consequently, don't bother naming a separate Wi-Fi network with a "Guest" or "IoT" suffix. But if you do, remember that doing so alone does not automatically make that network isolated or more "secure."
The point is this: don't look for a router with the "best Guest networking feature." Instead, look for one that has VLAN capability for its Wi-Fi. Conversely, if a router has a comprehensive Guest networking feature, you can consider that as its VLAN capability.
Specifically, a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.
As the name suggests, this other network is for your guests to use. The purpose is to keep guest devices separated from your home devices for security and privacy purposes.
Here's a crude analogy: If your intranet is your home, then the Guest network is that mother-in-law suite at the far end of your backyard. You know your in-law is comfortable there each time they visit, yet you don't have to tend to their every move. Everyone is happy.
When a Guest network is not a Guest network
Note that many routers have the option to allow the Guest network intranet access. With that turned on, the isolation is no longer in effect. The Guest network now works the same as the primary network.
(This is like a mother-in-law suite in the backyard with no bathroom of its own. Guests who stay there will still need to enter your home anyway.)
Why would anyone want to do that, you might ask? Other than not knowing what they are doing, there are a couple of additional reasons.
First, not everyone needs a Guest network, and sometimes it's helpful to have multiple options so you can segment your devices. For example, you can have a group of clients connect to a particular SSID and the rest to another.
Another reason is the owner of the Guest network might want to gain access to the guest's device. The isolation, or the lack thereof, works both ways, and not every guest network is friendly. That's the reason you want a VPN when using public Wi-Fi.
The point here is that just because it's called a Guest network doesn't mean it's necessarily isolated. But in this post, for the sake of consistency, we assume that it always is.
How to set up a guest network
By definition, any Wi-Fi network separated (isolated) from your primary network is a guest network. And there are a few ways to achieve this.
Turn it on
The easiest way is to get a router that has this feature -- the majority of home routers have Guest networking these days. In this case, you only need to turn it on via the router's web interface or mobile app. You'll find it in a section called "Guest Network" or something to that effect.
Once turned on, by default, the Guest network is isolated, so make sure you don't change this setting.
Most routers' Guest network feature comes with other customization options, such as access time limits and bandwidth limits. You can configure those or leave them alone, but it's always a good idea to secure this network with a password.
Generally, the Guest network shares the same Wi-Fi standard, channel width, and security level -- WEP, WPA, WPA2, or WPA3 -- as the main network of the same band. If you choose to use the Guest network for legacy devices, change the setting of the main network accordingly.
When you use a router's built-in Guest networking feature, chances are all devices connected to the Guest SSID are isolated, meaning not only can't they access your intranet, but they also don't see one another.
In other words, if the guests want their devices to work with each other locally, that won't happen.
This type of Guest networking is suitable for temporary guests who need the Internet and nothing else. It's also the right choice for a public place, like a coffee shop.
But if you want to offer your guests more than just the Internet, this type of Guest networking won't cut it. Instead, you'll need a separate intranet.
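As an added illustration (not from the original post or any vendor's firmware), here is a small Python model of the isolation rules described above: the Guest VLAN that is isolated by default, the "allow intranet access" toggle that turns it back into a primary network, and the client isolation that keeps guest devices from seeing one another. The subnets, host addresses and the public address are constructed placeholders.

```python
"""Toy model of the Guest Wi-Fi isolation rules in this post (constructed
example for this page, not router firmware; subnets and hosts are made up).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAIN_LAN = ip_network("192.168.1.0/24")   # constructed: your primary intranet
GUEST_LAN = ip_network("192.168.2.0/24")  # constructed: the Guest "VLAN"

@dataclass(frozen=True)
class GuestPolicy:
    intranet_access: bool = False  # the "allow intranet access" toggle
    client_isolation: bool = True  # guest clients can't see one another

def segment(ip: str) -> str:
    """Classify an address as 'main', 'guest' or 'internet'."""
    addr = ip_address(ip)
    if addr in MAIN_LAN:
        return "main"
    if addr in GUEST_LAN:
        return "guest"
    return "internet"

def allowed(src: str, dst: str, policy: Optional[GuestPolicy] = None) -> bool:
    """Would the router forward traffic from src to dst under this policy?"""
    policy = policy or GuestPolicy()
    s, d = segment(src), segment(dst)
    if d == "internet":
        return True  # both networks get Internet access
    if s == "internet":
        return False  # unsolicited inbound traffic is dropped by NAT
    if s == d == "main":
        return True  # intranet devices see one another as usual
    if s == d == "guest":
        return not policy.client_isolation
    # One side main, the other guest: isolation works both ways unless
    # the intranet-access toggle is on, which makes it a primary network.
    return policy.intranet_access

def scenario_report(policy: Optional[GuestPolicy] = None) -> dict:
    """Evaluate the post's IoT examples under one policy (hosts constructed)."""
    laptop, nas = "192.168.1.20", "192.168.1.30"      # on the main LAN
    printer, phone = "192.168.2.10", "192.168.2.11"   # on the Guest SSID
    site = "203.0.113.5"                              # constructed public IP
    return {
        "guest printer reaches the Internet": allowed(printer, site, policy),
        "guest printer reaches the NAS share": allowed(printer, nas, policy),
        "laptop prints to the guest printer": allowed(laptop, printer, policy),
        "two guest devices see each other": allowed(printer, phone, policy),
    }
```

With the defaults, only the first entry of `scenario_report()` is true, which is exactly why a printer on the Guest SSID stops being reachable from your laptop.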
Create a separate intranet
If you want your loved one living in the mother-in-law unit to feel even more welcome, you can equip the place with more gadgets, such as a network printer or Wi-Fi speakers.
To keep these devices available to your guests yet separate from yours, you'll need to build a different intranet for them.
There are many ways to do this, and the easiest is to use a separate router (with a different Wi-Fi network) on top of your existing one in a double-NAT setup.
You then can use either Wi-Fi network for your guests. For more on this, check out this post on using multiple routers on top of each other.
In this case, the guest intranet is separate from your primary network, but its devices are not isolated from one another.
And that's important because most local devices need to be on the same network to work as intended. That brings us to why Guest networking is not for IoT devices.
Why you shouldn’t automatically use a Guest network for many IoT devices
While it seems sensible to tell folks to put IoT devices on a Guest Wi-Fi network as a security measure, this advice can be rather short-sighted in many cases.
Still, the nonsensical "security" notion is so popular that many vendors add "IoT" as a prefix, suffix, or setting label for their hardware's Guest network, such as in the case of the Netgear Orbi RBKE960. Like the "Guest" suffix mentioned above, putting "IoT" in the SSID or its label doesn't automatically add anything to the virtual wireless network. It's pure marketing nonsense.
There are a couple of things to keep in mind about a local network and IoT devices.
1. Being in the same network doesn’t guarantee access
First, it's important to note that having devices in the same local network (intranet) doesn't mean they can access one another willy-nilly.
The interaction between network devices varies depending on the applications. Still, all sensitive data access -- such as if you want machine A to access a shared folder on device B -- requires some configuration that determines who can access what and how.
If you don't do anything, access is not available by default. In other words, it takes deliberate work to expose a computer's information to others.
2. IoTs are generally low-value targets
IoT stands for Internet of Things, and it generally means an Internet-connected thing that's not a computer or a mobile device.
You'll find IoT devices all around you. Examples are network printers, IP cameras, smart speakers / TVs / appliances, etc. All have one thing in common: They generally have limited computing capability compared to a real computer.
As a result, they generally are low-value targets. Hackers won't try too hard to hack these devices because there's not much to do with them, even when they are successful. On the other hand, hacking a computer warrants a much higher return on their investment.
How about IoT botnets? Isn’t that real?
It can be.
Yes, there have been instances where hundreds, if not thousands, of IoTs were "hacked" at the same time to create a botnet. In these cases, little actual hacking was involved; the cause was mainly the owners' negligence. They are crimes of opportunity.
In their early days, IoTs, including many Wi-Fi routers, functioned fully with the default username and password. Consumers got them home, hooked them to the Internet, and used them without bothering to change their default settings. That's like when you get a new safe and use it with the default 1111 combo.
The bad guys took advantage of this and were able to gain control of these devices remotely with little effort. They then used them as bots to carry out denial-of-service (DoS) attacks against a third party.
A couple of things to note here:
- No harm was done to the owners of the IoT devices involved in these attacks.
- Using these IoTs with a Guest Wi-Fi network (which might have been the case with some of them) wouldn't have made any difference.
Most importantly, IoTs have since come a long way in terms of security. Most won't connect to the Internet unless the user has created a (new) admin password.
The only IoT device I've seen in a long time that works with its default security setting is the D-Link DIR-X1560, which turned out in my testing to be not a great router anyway.
No, I don't mean the chance of your IoTs being hacked is zero, nor do I mean to downplay the security issue in these devices. But you should be more concerned about your computer or your phone.
Most importantly, using IoTs with a Guest Wi-Fi network makes little difference, if any, on the security front. In this case, though, one thing is more likely: They probably won't work as intended.
3. Most importantly: Many IoT devices need intranet access to work
That's correct. Many IoT devices need to be part of your home network to work correctly.
Take a network printer, for example. Hooking it to a Guest network will keep it invisible from your other devices -- they can't print. In some cases, you still can print, but you have to do so via the Internet, and that means:
- You must set up the printer with a vendor login account, which can be a privacy concern.
- You can't print if the Internet is down.
- It takes much longer to initiate a print job.
Similar things will happen with other devices. Putting them on the guest network means disconnecting them from your local network. Everything now has to go through the Internet.
Here are some more examples of what might not work if you connect your IoTs to an isolated Guest Wi-Fi network.
- You can't wirelessly cast a computer's or mobile device's screen on your smart TV.
- Wi-Fi speakers won't work.
- Network printers won't work locally.
- Most IP cameras won't work, at least in the setup process.
- Local movie streaming (from your server) won't work.
The list goes on. So to answer many of your questions: Putting all your IoT devices on a Guest Wi-Fi network can create many headaches. Stop making it a standard practice!
Extra: It’s a matter of degree
OK, to be fair: there are Internet of Things devices -- those that need only the Internet and nothing else -- that will work just fine when you put them on an isolated Guest network.
Also, if you get cheap ones from sketchy or unknown vendors, especially those from China, with no or bad security, maybe it's a good idea to isolate them -- though it's best not to use them. The truth is that many of these devices come with intentional back-door access.
There are ways to make almost all IoT devices work via a guest Wi-Fi network, including those that need to be part of your local resources. But in this case, why make things more complicated than necessary?
The point here is this: You need to understand your device and the Guest network and use them accordingly. The Guest network is not synonymous with better security. And vice versa, using an IoT device within your primary network doesn't necessarily make your system more vulnerable.
The best way to make sure your IoT devices are safe from hacking is not to get cheap ones from unknown vendors. Then set a secure password for them and use them with their latest firmware. On top of that, keep your router's firmware up-to-date, too. Finally, if the router has built-in online protection, use that.
And for those who are still adamant about always using IoT with a Guest Wi-Fi network, consider this: Your router, the one that hosts your Wi-Fi networks, including the Guest Wi-Fi, is itself an IoT device. In fact, it's the highest-value target among all IoTs. What are you going to do about this?