I’ve received many questions relating to the Guest Wi-Fi network in the past couple of months, especially since the reviews of the Asus ZenWiFi AX, in which the feature didn’t work as intended.
However, most of these questions are not about setting up a router’s Guest Wi-Fi network but why specific IoT devices don’t work.
So, this post will explain “Guest” networking and how to use it properly. But to cut to the chase: Guest networking is not intended to be a security measure for Internet of Things (IoT) devices.
What is a Guest network?
A Guest Wi-Fi network is a fancy name for a virtual SSID (network name) that’s, by default, isolated from the primary one you use for your home — your intranet. Device isolation is the keyword here.
There’s no such thing as “Guest” in networking. The name is a marketing term for a built-in VLAN (virtual local area network).
If you can create a Wi-Fi SSID (network name) separate and isolated from the one you use, then it’s effectively the guest Wi-Fi network, no matter what you call it.
Consequently, don’t bother naming a separate Wi-Fi network with a “Guest” or “IoT” suffix. But if you do, remember that doing so alone does not automatically make that network isolated or more “secure.”
The point is this: don’t look for a router with the “best Guest networking feature.” Instead, look for one that has VLAN capability for its Wi-Fi. Conversely, if a router has a comprehensive Guest networking feature, you can consider that as its VLAN capability.
Specifically, a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.
As the name suggests, this other network is for your guests to use. The purpose is to keep guest devices separated from your home devices for security and privacy purposes.
Here’s a crude analogy: If your intranet is your home, then the Guest network is that mother-in-law suite at the far end of your backyard. You know your in-law is comfortable there each time they visit, yet you don’t have to tend to their every move. Everyone is happy.
When a Guest network is not a Guest network
Note that many routers have the option to allow the Guest network intranet access. With that turned on, the isolation is no longer in effect. The Guest network now works the same as the primary network.
(This is like a mother-in-law suite in the backyard with no bathroom of its own. Guests who stay there will still need to enter your home anyway.)
Why would anyone want to do that, you might ask? Other than not knowing what they are doing, there are a couple of additional reasons.
First, not everyone needs a Guest network, and sometimes it’s helpful to have multiple options so you can segment your devices. For example, you can have a group of clients connect to a particular SSID and the rest to another.
Another reason is the owner of the Guest network might want to gain access to the guest’s device. The isolation, or the lack thereof, works both ways, and not every guest network is friendly. That’s the reason you want a VPN when using public Wi-Fi.
The point here is that just because it’s called a Guest network doesn’t mean it’s necessarily isolated. But in this post, for the sake of consistency, we assume that it always is.
How to set up a guest network
By definition, any Wi-Fi network separated (isolated) from your primary network is a guest network. And there are a few ways to achieve this.
Turn it on
The easiest way is to get a router that has this feature — the majority of home routers have Guest networking these days. In this case, you only need to turn it on via the router’s web interface or mobile app. You’ll find it in a section called “Guest Network” or something to that effect.
Once turned on, by default, the Guest network is isolated, so make sure you don’t change this setting.
Most routers’ Guest network feature comes with some other customization options, such as an access time limit and a bandwidth limit. You can configure those or leave them alone, but it’s always a good idea to secure this network with a password.
Generally, the Guest network shares the same Wi-Fi standard, channel width, and security level — WEP, WPA, WPA2, or WPA3 — as the main network of the same band. If you choose to use the Guest network for legacy devices, change the setting of the main network accordingly.
When you use a router’s built-in Guest networking feature, chances are all devices connected to the Guest SSID are isolated, meaning not only can’t they access your intranet, but they also don’t see one another.
In other words, if the guests want their devices to work with each other locally, that won’t happen.
This type of Guest networking is suitable for temporary guests who need the Internet and nothing else. It’s also the right choice for a public place, like a coffee shop.
But if you want to offer your guests more than just the Internet, this type of Guest networking won’t cut it. Instead, you need a separate intranet.
Create a separate intranet
If you want your loved one living in the mother-in-law unit to feel even more welcome, you can equip the place with more gadgets, such as a network printer or Wi-Fi speakers.
To keep these devices available to your guests yet separate from yours, you’ll need to build a different intranet for them.
There are many ways to do this, and the easiest is to use a separate router (with a different Wi-Fi network) on top of your existing one in a double-NAT setup.
You then can use either’s Wi-Fi network for your guests. For more on this, check out this post on using multiple routers on top of each other.
In this case, the guest intranet is separate from your primary network, but its devices are not isolated from one another.
And that’s important because most local devices need to be on the same network to work as intended. That brings us to why Guest networking is not for IoT devices.
Why you shouldn’t automatically use a Guest network for many IoT devices
While it seems sensible to tell folks to put IoT devices on a Guest Wi-Fi network as a security measure, this advice can be rather near-sighted in many cases.
Still, the “security” notion is so popular that many vendors actually add “IoT” as a prefix, suffix, or setting label for their hardware’s Guest network, such as in the case of the Netgear Orbi RBKE960. Like the “Guest” suffix mentioned above, putting “IoT” in the SSID or its label doesn’t automatically add anything to the virtual wireless network. It’s pure marketing nonsense.
There are a couple of things to keep in mind about a local network and IoT devices.
1. Being in the same network doesn’t guarantee access
First, it’s important to note that having devices in the same local network (intranet) doesn’t mean they can access one another willy-nilly.
The interaction between network devices varies depending on the applications. Still, all sensitive data access — such as if you want machine A to access a shared folder on device B — requires some configuration that determines who can access what and how.
If you don’t do anything, access is not available by default. In other words, it takes work to expose a computer’s information to others.
2. IoTs are generally low-value targets
IoT stands for Internet of Things, and it generally means an Internet-connected thing that’s not a computer or a mobile device.
You’ll find IoT devices all around you. Examples are network printers, IP cameras, smart speakers / TVs / appliances, etc. All have one thing in common: They generally have limited computing capability compared to a real computer.
As a result, they generally are low-value targets. Hackers won’t try too hard to hack these devices because there’s not much to do with them, even when they are successful. On the other hand, hacking a computer warrants a much higher return on their investment.
How about IoT botnets? Isn’t that real?
It can be.
Yes, there have been instances where hundreds, if not thousands, of IoTs were “hacked” at the same time to create a botnet. In these cases, there was little hacking involved, but mainly the owners’ negligence. They are crimes of opportunity.
In their early days, IoTs, including many Wi-Fi routers, functioned fully with the default username and password. Consumers got them home, hooked them to the Internet, and used them without bothering to change their default settings. That’s like when you get a new safe and use it with the default 1111 combo.
The bad guys took advantage of this and were able to gain control of these devices remotely with little effort. They then used them as bots to flood a third party with traffic in a denial-of-service (DoS) attack.
A couple of things to note here:
- No harm was done to the owners of the IoT devices involved in these attacks.
- Using these IoTs with a Guest Wi-Fi network (which might have been the case with some of them) wouldn’t have made any difference.
Most importantly, IoTs have since come a long way in terms of security. Most won’t connect to the Internet unless the user has created a (new) admin password.
The only IoT device I’ve seen in a long time that works with its default security setting is the D-Link DIR-X1560, which turned out in my testing to be not a great router anyway.
No, I don’t mean the chance of your IoTs being hacked is zero, nor do I mean to downplay the security issue in these devices. But you should be more concerned about your computer or your phone.
Most importantly, using IoTs with a Guest Wi-Fi network makes little difference, if at all, on the security front. In this case, though, one thing is more likely: They probably won’t work as intended.
3. Most importantly: Many IoT devices need intranet access to work
That’s correct. Many IoT devices need to be part of your home network to work correctly.
Take a network printer, for example. Hooking it to a Guest network will keep it invisible from your other devices — they can’t print. In some cases, you still can print, but you have to do so via the Internet, and that means:
- You must set up the printer with a vendor login account, which can be a privacy concern.
- You can’t print if the Internet is down.
- It takes much longer to initiate a print job.
Similar things will happen with other devices. Putting them on the guest network means disconnecting them from your local network. Everything now has to go through the Internet.
Here are some more examples of what might not work if you connect your IoTs to an isolated Guest Wi-Fi network.
- You can’t wirelessly cast a computer’s or mobile device’s screen on your smart TV.
- Wi-Fi speakers won’t work.
- Network printers won’t work locally.
- Most IP cameras won’t work, at least in the setup process.
- Local movie streaming (from your server) won’t work.
The list goes on. So to answer many of your questions: Putting all your IoT devices on a Guest Wi-Fi network can create many headaches. Stop making it a standard practice!
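The isolation behaviour described in the “Turn it on” section and the list of IoT use cases that break on an isolated Guest network both follow from one forwarding policy on the router. The Python model below is an added illustration, not code from the original post or from any router vendor’s firmware. It assumes a simplified router with three zones (lan, guest, wan), the guest zone’s “intranet access” switch, client isolation inside the guest zone, and a per-device allow-list that models the point that being on the same network does not grant access by itself. The zone names, host names, service names and use cases are all constructed for the example, and the model evaluates them under both guest settings.

```python
"""Model of how a router's Guest SSID decides what can talk to what.

Added illustration for this post, not code from the original article or from
any router vendor's firmware. It assumes a simplified router with three zones
(lan, guest, wan) and the two switches the post describes: the guest zone's
"intranet access" option and client isolation inside a zone. It also models
the post's point that reaching a device on the network is not the same as
being allowed to use it: each device keeps its own allow-list. All hosts,
services and use cases below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    isolate_clients: bool = False   # clients in this zone can't see each other
    intranet_access: bool = False   # "guest" only: may it reach the lan zone?


@dataclass
class Host:
    name: str
    zone: str
    # service name -> set of host names the device itself permits ("*" = anyone)
    services: dict = field(default_factory=dict)


class Router:
    def __init__(self, zones):
        self.zones = {z.name: z for z in zones}

    def forwards(self, src: Host, dst: Host) -> bool:
        """Network-level reachability from src to dst as the firewall sees it."""
        s, d = self.zones[src.zone], self.zones[dst.zone]
        if s is d:
            return not s.isolate_clients
        if d.name == "wan":
            return True                 # every local zone gets the Internet
        if s.name == "wan":
            return False                # no unsolicited inbound from the Internet
        # the only remaining case is lan <-> guest, allowed in both directions
        # exactly when the guest zone has intranet access turned on
        return self.zones["guest"].intranet_access

    def verdict(self, src: Host, dst: Host, service: str) -> str:
        """Why a use case works or fails, checked in the order packets meet them."""
        if not self.forwards(src, dst):
            return "blocked by router"
        allowed = dst.services.get(service, set())
        if src.name not in allowed and "*" not in allowed:
            return "denied by device"
        return "ok"


def build_home(guest_intranet_access: bool) -> tuple:
    """Constructed sample home: a few devices on lan, IoT and visitors on guest."""
    router = Router([
        Zone("lan"),
        Zone("guest", isolate_clients=True, intranet_access=guest_intranet_access),
        Zone("wan"),
    ])
    hosts = {h.name: h for h in [
        Host("laptop", "lan"),
        Host("phone", "lan"),
        Host("nas", "lan", {"smb-share": {"laptop"}}),            # only the laptop
        Host("printer", "guest", {"ipp-print": {"laptop", "phone"}}),
        Host("tv", "guest", {"cast": {"*"}}),
        Host("visitor-a", "guest"),
        Host("visitor-b", "guest", {"file-share": {"*"}}),
        Host("vendor-cloud", "wan", {"cloud-print": {"*"}}),
    ]}
    return router, hosts


USE_CASES = [
    ("laptop", "printer", "ipp-print"),          # print locally
    ("phone", "tv", "cast"),                     # cast a phone screen to the TV
    ("laptop", "nas", "smb-share"),              # owner's own share
    ("phone", "nas", "smb-share"),               # same lan, but not on the allow-list
    ("visitor-a", "nas", "smb-share"),           # guest trying the owner's share
    ("visitor-a", "visitor-b", "file-share"),    # two guests talking to each other
    ("printer", "vendor-cloud", "cloud-print"),  # IoT reaching its cloud service
]


def evaluate(guest_intranet_access: bool) -> dict:
    """Map each use case to its verdict under the chosen guest setting."""
    router, hosts = build_home(guest_intranet_access)
    return {f"{s}->{d}:{svc}": router.verdict(hosts[s], hosts[d], svc)
            for s, d, svc in USE_CASES}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"\nguest intranet access = {setting}")
        for case, result in evaluate(setting).items():
            print(f"  {case:40} {result}")
```

Running it shows the two halves of the argument side by side: with intranet access off, local printing and casting are “blocked by router” while the printer still reaches its cloud service; with it on, those use cases work, yet a visitor is still “denied by device” at the NAS because the device’s own allow-list, not the network, decides who may use the share, and two visitors still cannot reach each other because client isolation is a separate setting.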
Extra: It’s a matter of degree
OK, to be fair: first, there are Internet of Things devices — those that only need the Internet and nothing else — that will work just fine when you put them on an isolated Guest network.
Also, if you get cheap ones from sketchy or unknown vendors, especially those from China, with no or bad security, maybe it’s a good idea to isolate them — though it’s best not to use them. The truth is that many of these devices come with intentional back-door access.
There are possible ways to make almost all IoT devices work via a guest Wi-Fi network, including those that need to be part of your local resources. But in this case, why make things more complicated than necessary?
The point here is this: You need to understand your device and the Guest network and use them accordingly. The Guest network is not synonymous with better security. And vice versa, using an IoT device within your primary network doesn’t necessarily make your system more vulnerable.
The best way to make sure your IoT devices are safe from hacking is not to get cheap ones from unknown vendors. Then set a secure password for them and use them with their latest firmware. On top of that, keep your router’s firmware up-to-date, too. Finally, if the router has built-in online protection, use that.
And for those who are still adamant about always using IoT with a Guest Wi-Fi network, consider this: Your router, the one that hosts your Wi-Fi networks, including the Guest Wi-Fi, is itself an IoT device. In fact, it’s the highest-value target among all IoTs. What are you going to do about this?
37 thoughts on “Guest Wi-Fi Network Explained: Best Practices (with Your IoT Devices)”
Dong, I’ve been combing your resources – SUPER appreciate your thoroughness and clarity!
Question about the guest network bandwidth limiter option.
My main router is an ASUS AX5700, and I’m using ZenWiFi XD6’s with AiMesh as nodes (wired backhaul). I’ve got bandwidth limited for guests at 10Mbps, but it only works when connected to the main router. Once a device connects to a node, the bandwidth is no longer limited on the guest network. Any thoughts on how to fix this?
That’s generally the case with AiMesh, Travis. Guest networking used to be available only at the router until AiMesh 2.0. I don’t think what you need will happen anytime soon since it’s very complicated.
Oh, that’s disappointing. I guess I could set up a second network with my old Deco X20’s for guests, but I was hoping to avoid having to have the extra hardware.
1. What, if any, settings can be changed on an Asus router so that someone cannot connect a 2nd router to the Guest Network and thereby get to the main network? If so, do you have an article to read on how to do that or a search term to use?
2. The only IoT devices I found that need to be on my main network are the TV (to cast from the laptop) and the printer (to print), but they don’t need internet access – only intranet. So I used the Asus Router AiProtection/Parental Controls/Time Scheduling feature, put those devices on the list, and set the time to “Block.” Is that doing what I think it is, which is blocking those devices from accessing the internet and thereby adding a layer of protection?
3. My Asus router has 3 guest networks. Do you have an article on strategies for using these? I deduce that Asus Ai-Mesh only includes the first one. On mine the third is labeled “Default setting by Alexa”; googling indicates that just means it is the one Alexa changes if you connect your router to Alexa and give voice commands. My preliminary thought on the three guest networks is to use one for adult guest, a second for grandchildren that I can set to shut off at 10pm, and a third for IoT devices, but would love some guidance…
1. You do that by securing the SSID the usual way. As mentioned, isolation is the mechanism that keeps devices connected to a Guest network from accessing your local resources. But the Internet still has to go through the primary router.
2. Both the TV and the Printer need access to the Internet for firmware updates and streaming in the former’s case. But sure, you can do that to keep specific devices from the Internet.
3. Your assessment is correct. As mentioned in this post, you can name/customize them however you’d like.
The Verizon router #CR1000A appears to have two separate connections to handle guests and IoT devices. Thoughts?
• Guest Wi-Fi (2.4 GHz)
• IoT Wi-Fi (2.4 GHz)
The IoT notion doesn’t mean anything — it’s misleading and arbitrary, aimed to fool folks who don’t know into thinking the hardware is “better” or “more valuable” than it is, Oliver. Netgear does the same with the Orbi RBKE960. Many routers have multiple “Guest” networks, and you can name or use them however you want. Asus and Synology, for example, offer three or more per band. By the way, make sure you read this post carefully — you wouldn’t have asked the question if you did.
I think best practice is to connect any IoT devices to your guest networks and don’t allow guests to reach each other internally. Doing so, any access should go through the Internet; that’s a downside.
But most routers only allow one Guest SSID? I want my guests to access guest Wi-Fi with less bandwidth and my own IoT devices on another guest network with more premium connections. How does Dong achieve this, or am I thinking too complicated?
Most routers with Guest networking allow you to adjust the total bandwidth for guests, Dzung.
No problem, I am actually trying to understand here.
If you don’t consider your guests a security risk, then why use the guest network at all? Alternatively, why not just give guests access to your primary network?
In the case of Asus Guest networks there is no difference anyway.
Best practice for Asus Guest networks would surely then be to disable the guest network and only allow trusted clients access to your primary network?
For best practice, if you can’t securely allow guests access to the internet without exposing your internal devices, what is the point of the guest network access?
It’s a matter of degrees, Luke. If you go around taking things as black and white, this Guest Network thingy is the least of your problems. Not that what you said about it is correct. 🙂
Great article! Helped solve many issues I was having with my IoT devices.
Awesome! Glad it worked out, Jim.
I am one of those that put most of the IoT devices (~50) onto a guest network. I have two issues and am wondering if you have any insight into them. Does the guest (virtual) network have the same range? I have a couple of Kasa devices that are located at the perimeter of the house that do not always connect. Wondering if I switch them over to the main network they would stay connected.
Is the connection on the virtual network as stable? Device dependent?
Some of my Kasa, Lifx, and a few devices inside the house randomly disconnect and do not reconnect on their own. Wondering if I switch them over to the main network they would stay connected.
I have an Asus 89x router. Wondering if that is a problem.
This depends on the hardware, Chinh. But yes, the main Wi-Fi network is almost always better than the virtual one. They should have the same range, though. As for why things get disconnected, you might want to check out this post, especially when you use a Wi-Fi 6 router, which the RT-AX89X is.
Ok. Don’t keel over from the length. 🙁
First and foremost: I am NOT trying to argue or be combative with you. I’m new to all this and am GENUINELY trying to understand and learn.
At the start of your article you mention that – in terms of the widespread hack of IOT devices back in the day – “using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.”
1) Do you mean it wouldn’t have made any difference because you’re presuming people plugged and played their router out of the box (i.e. didn’t change any default username/passwords on it?)
2) So, my MAIN home network is my “intranet”? Is that correct?
*** You go on to say “And enabling a Guest Wi-Fi network… by default, [is] isolated from the primary one (the “intranet” one?). As such “a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.”
Ok, so this sounds like good security to me so far! IoTs and guest devices on the Guest Network can’t “infect” my main network, yes?
“First, it’s important to note that having devices in the same local network (intranet) doesn’t mean they can access one another willy-nilly.
The interaction between network devices varies depending on the applications. Still, all sensitive data access — such as if you want a machine A to access a shared folder on a device B — requires some configuration which determines who can access what and how.
If you don’t do anything, by default, the access is not available. In other words, it takes work to make a computer’s information exposed to others.”
Ok….. I didn’t know that.
3) I’m not necessarily worried that a guest is going to try and log in to my bank account. Still…wouldn’t them being on a Guest Network protect my MAIN network just in case any of their devices have malware or other bad stuff on them?
This next thing you wrote….. gah. I…I AM SO TOTALLY LOST.:
“No, I don’t mean the chance of your IoTs being hacked is zero, but it sure is much lower than that of your computer or your phone. And USING THEM WITH A GUEST WI-FI NETWORK MAKES LITTLE DIFFERENCE, IF AT ALL, ON THE SECURITY FRONT.”
4) What the what? You said that a Guest Network is isolated from the “intranet” (i.e. the MAIN network). Wouldn’t it follow then that IoT devices being on the Guest Network WOULD lessen the chances of a MAIN network getting hacked should the less-secure IoT devices on the GUEST Network get hacked since a Guest Network is isolated from the MAIN network?
And this is why – if what I wrote in the previous paragraph is true – I’m again TOTALLY CONFUSED by you writing: “The Guest Network is not synonymous with better security.”
As far as things “likely not to work as intended”:
1. I don’t own a wireless printer. My printer is connected to my laptop. If anybody needed to print anything they could email it to me and I’d print it for them. Sorted. 😊
2. My home is far from the Jetsons. I have 2 Smart TVs, some smart plugs, a few smart bulbs, an Amazon Echo and a Dot. That’s about as “high-tech” as things are ever going to get around here!
3. If I want (I never do) to stream something from my computer to my TV, I have an HDMI cable tucked behind the TV that I plug the laptop in to and voila.
5) I have Bluetooth earbuds and headphones that I’ve connected to the Echo and the DOT. If I put the ECHO, DOT, etc. on the guest network, will the bluetooth earbuds still connect to those devices? (I warned you I was in over my head.)
You make a good point about the router itself being an IoT device and what to do about that conundrum!! Creating a complex password and prayer? I don’t know. At a certain point don’t you have to let go and let God? LOL. This stuff can drive you nuts if you let it.
Erikje commented: “A lot of very cheap iot devices do not have any serious or even funny way of security. So putting them in isolation is a good way to limit damage. A guest network is a simple way to segment your iot devices…. The guest network is one of the simplest way to achieve that security for the normal user. Yes there are much better ways, but they are not accessible for normal users.”
Cooloutac may not have been the height of gentility when writing:
“I think people are referring more to devices like amazon echo, blink cams, ring doorbell cams, robot vacuum cleaners, smart home plugs, smart lights, etc… all those things are accessed through the internet not a local lan. Smartcast tv’s and printers are the small minority with houses full of 30-50 iot devices. the only time you might need local access is for initial setup. Sorry to say but what’s idiotic is to say that hackers won’t target iot devices. they don’t use them for their bandwidth. They use them to launch attacks on the rest of your network. Like your phone and computer that you worry about.”
6) Basically, then, isn’t what they both wrote sound?
I’m seriously about ready to just throw all of this crap out. Candles and abacuses are looking better and better.
If you reply I will be completely astounded and deeply, deeply grateful. 🙂
I’m totally with you in one regard: I am also too old for some sh*t.
Your annoyance is unfounded in terms of my taking anything as “absolute”, “black or white”. The fact that I was posing questions backs up that I wasn’t doing either of those things. I was trying to learn.
“Make” you answer?
“With something you don’t know, don’t make assumptions.” Again: I ASKED QUESTIONS. That is the furthest thing from “making assumptions” as one can possibly get. It’s trying to LEARN.
Asking you to “take my problems as your own”? You’re giving yourself much more credit here than is warranted. I was asking questions in full understanding that you’re not an Oracle.
Ah! I DID make one assumption! I assumed that your having a comments section was so that people not as knowledgeable as you about these sorts of things could ask you questions and learn.
You likely won’t (VERY likely won’t); but if you re-read what you wrote back to me, you thinking to yourself “God, I came across like a callous, hostile, arrogant a-hole” would be singularly appropriate.
Hi Lori – I think I am somewhat in the same boat as you – i.e. being new to the concept of network segmentation for the sake of personal security (although I have been building/using computers for the majority of my life).
I also have to agree that some portions of this article are a bit confusing/contradictory. So let me try to answer ‘some’ of your questions (which would also help me gather my own thoughts):
1) “using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.”
My answer: Am assuming that Dong was referring to the fact that these users hadn’t bothered to change their default settings – which obviously means that they being on the Guest network (or any network for that matter) wouldn’t have protected them.
But what if they had actually configured their IoT devices correctly and then put them on the Guest network? Would they have been protected then? Maybe. It also depends on how the rest of their network was configured.
2) You go on to say “And enabling a Guest Wi-Fi network… by default, [is] isolated from the primary one (the “intranet” one?). As such “a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.”
Ok, so this sounds like good security to me so far! IoTs and guest devices on the Guest Network can’t “infect” my main network, yes?
My answer: Yes, but it depends on your router settings. When creating guest networks there should be settings like “enable intranet access” or “isolate from main network”, etc. Configuring this would either isolate the guest network from your main/personal/intranet network, or allow access.
Some routers also have an additional setting: AP (Access Point) isolation. Enabling this would mean that devices connected to that particular network would not be able to talk to each other (i.e. inter communication – which I think Dong’s article also touches upon).
3) I’m not necessarily worried that a guest is going to try and log in to my bank account. Still…wouldn’t them being on a Guest Network protect my MAIN network just in case any of their devices have malware or other bad stuff on them?
My answer: Yes, if your main goal here is to separate ‘your guests’ from your private network, then having a Guest network (which is isolated from accessing the intranet/main network) definitely helps (as compared to having just one big network).
Any level of network segmentation (done correctly) definitely helps towards achieving better security.
However, if your goal is to also protect your network from ‘uninvited guests’ (hackers) from the internet, then does the guest network isolation protect you? Only to a certain extent. It would ward off the curious neighbor / casual hacker, but it wouldn’t protect you against a professional dedicated hack. This is because, although the guest network can provide some isolation, it’s still isolation only at a ‘software’ level. And software can always be cracked with the right resources.
Additionally – the general design of home routers tend to be inclined more towards convenience than security. (When it comes to networking, there is unfortunately an eternal struggle between convenience and security)
So then what do you do? How do you proceed? Ask yourself these questions:
1. Do you simply want to ‘network-isolate’ people who visit your home, whom you may or may not know very well?
Then by all means go ahead with the guest network – with intranet isolation enabled and strong passwords.
2. Do you use semi-trusted IoT devices (Alexa, Smart TV from a known brand, Playstation, etc) and don’t think you’re at a major risk of a professional hacker coming after your finances, and want the simplest way to achieve a better level of security?
Look at configuring multiple Guest networks on your router (with strong passwords – different from each other, and your main network/internet), enabling intranet isolation, and enabling AP isolation (in cases where your IoT devices don’t need to communicate with other devices on that network).
If you’re looking for a new router I would suggest Asus – as it offers a good level of customization and receives frequent security updates.
Additionally – also look at updating the software/firmware on all your devices (and configuring strong passwords), and running scheduled antivirus/malware scans on computers and phones.
3. Do you use un-trusted IoT devices and consider yourself a potential target for a dedicated hack?
Then you might want to look at something more than the basic-isolation provided by Guest networks.
From what I have learnt so far, there are two main ways to attain ‘better’ network segmentation/isolation:
1) VLANs – Virtual LANs – These basically split up your network at a software level (similar to Guest networks), but provide more customization and are designed more with security in mind. However, they need specific hardware and software knowledge to set up and configure. You could read up more on these if you’re interested and a bit tech-savvy.
2) Multiple Routers – This is not only (relatively) simpler compared to setting up VLANs but is also ‘stronger’ in terms of security, because this approach provides ‘true’ isolation at a hardware level, which is very difficult (if not impossible) to get through. Each router will have its own firewall, physical and virtual addresses, etc.
But the downside is the additional cost and space for multiple routers (and cabling, etc).
No matter which route you take, I suggest you do some reading on it, because some things done incorrectly (due to lack of knowledge) could potentially make things worse!
Alright, this is pretty much all I have gathered so far. Hope I was able to add ‘some’ clarity, if not much. Good luck with your journey 🙂
Consumer grade, even some ProSumer grade all in one routers can’t securely handle this. A true gateway appliance is needed and it can and will through the use of vlans… It is a small learning curve but you can write rules for anything.
My “trusted” networks can talk with my IoT devices, but not vice versa.
Let’s say my neighbor and I are at the fence between our properties. I would have to initiate the conversation and we could talk for hours. Now, if we are standing there and I have not initiated a conversation, he cannot see me… He could keep calling out my name and I would never hear.
Anyone logging into my “guest network” cannot see each other, or anything else. So, someone comes over, needs to use the internet for something, well no problem. Give them the password, they log in, they are taken to a captive portal, agree to MY terms, and if it isn’t illegal, they have access for a set amount of time. It really isn’t that hard.
I.e.… Grandkids come over for a Sunday dinner… They talk, play games, whatever, even on the internet. But when it is close to dinner time, I can tell Alexa to “Stop happy time” (even though Alexa lives on the IoT VLAN), all access is killed, time for the family time. This type of control really isn’t that tough to learn/grasp.
Oh, the router you get from your ISP could be the worst thing in your LAN, and double NAT should be a last resort, especially when there are so many affordable solutions out there. And by that I mean a gateway that has NO wifi for around $100. The reason for no wifi is because YOU define what rules YOU want. The wifi will be controlled by the gateway.
My (admittedly limited) understanding of guest network isolation (at least in terms of a Netgear router) is that – contrary to Netgear documentation – when the guest network option is enabled on the router, it is NOT isolated. Though, as I said, evidently Netgear claims that it is.
This might differ from one model to another, Lori. But generally, by default, a Guest network is isolated from the main network. Note that the isolation is only limited to the local network and not via the Internet. For example, an iPhone connected to an isolated Guest network can still FaceTime to another connected to the main network, or any network for that matter.
Thanks for replying! Truthfully, I’m so in over-my-head here I should probably keep quiet.
I have questions but need a little time to organize them better. May I write and ask for your feedback again?
FYI, Asus Guest Networks as an example are not isolated properly from the main guest network.
While they may appear to most clients and users as isolated, this isolation can be easily bypassed by anyone.
All a user needs to do is connect a second Asus router in repeater mode to the Guest network, and they will have full access into the main network.
E.g., your primary RT-AX89U router running a guest network: using only the guest network credentials, an RT-AC68U can be connected as a repeater to the guest network, and any devices connecting to the repeater will have full access into the main network. Not isolated at all.
So I don’t trust Asus guest networks at all. I can’t speak for other manufacturers.
There’s no RT-AX89U router, Luke.
Sorry, mixed up RT-AX86U and RT-AX89X. Regardless, I believe the insecure Guest Networks are part of the AsusWRT code, not specific to individual models.
It’s not really a security matter, Luke. It’s like you should not consider your guests as a security risk, in which case you shouldn’t have them over as guests. Things are not black and white. The Guest network is a matter of convenience, not security.
IoT devices with zero-days are known to give access to the local network.
Or the other way around: a local privilege escalation grants access to all IoT devices to put them in a botnet.
A lot of very cheap IoT devices do not have any serious or even funny way of security. So putting them in isolation is a good way to limit damage.
A guest network is a simple way to segment your IoT devices. The ones that do not work on it will shift to the normal network or, better, their own SSID.
The guest network is one of the simplest ways to achieve that security for the normal user. Yes, there are much better ways, but they are not accessible for normal users.
So there is nothing idiotic in using the guest network for IoT. It is in fact a simple and often effective way of protecting your stuff.
It is when you apply that to those that need intranet access to work, Erik, like printers, Wi-Fi speakers, etc.
Or, said differently, almost every IoT device in my home needs access.
Switches & access points: Obviously.
Google Home/Nest displays: Yep.
Roku: Maybe not, but I don’t use it now, so I should probably just unplug it.
Chromecast, Android TV: Yep.
Printers: Yep (don’t even get me started on what a PITA cloud printing is).
Weather station console (reports data to Weather Underground): Probably not. Meh. I’ll take my chances that someone goes to all the trouble of hacking such a relatively uncommon device.
Samsung “Smart” TV: Probably not, but it’s so useless (other than as a monitor) I haven’t even bothered to connect it to my new router.
I’m sure I’ve forgotten some, but the best security solution for them is probably just to unplug them since I probably don’t use them anyway.
Nice list, 123. And PITA is absolutely accurate! 🙂
I think people are referring more to devices like Amazon Echo, Blink cams, Ring doorbell cams, robot vacuum cleaners, smart home plugs, smart lights, etc… All those things are accessed through the Internet, not a local LAN. SmartCast TVs and printers are the small minority in houses full of 30-50 IoT devices. The only time you might need local access is for initial setup. Sorry to say, but what’s idiotic is to say that hackers won’t target IoT devices. They don’t use them for their bandwidth. They use them to launch attacks on the rest of your network, like your phone and PC that you worry about.
Thanks for the input. It’s a matter of degree. Also, I don’t think you actually read my post in its entirety.
I mean to say resources, not bandwidth. What you should realize is most people are not idiots. They already know their printers and TVs have to be on the same network if they want to access them. And it is not troublesome to reconnect them, unlike the 30 IoT devices they might have connected. Printers and TVs are not even considered “IoT” devices by most people. I think that is the confusion.
But also you should realize there is much a hacker can do with an IoT device (smart home devices). Even something simple like a smart plug is very capable of being a vector to sniff or infect your PC and phone. It’s idiotic to suggest hackers would not bother when it’s the first thing a hacker might do.
That being said, you are right in the sense they would probably go for the printer and TV first, since they are more capable and more likely to be on the same subnet. But probably not as easy to compromise as some cheap IoT device that has no security at all and doesn’t even get regular updates.
This is all much more practical than MAC address spoofing when you don’t know the Wi-Fi password. The cheap IoT device is probably more likely to expose the password than the TV and printer.
Probably out of scope of what you’re saying, but I feel it’s very important to segment the IoT devices. I just don’t trust the makers of these devices to focus on security. At all. People want security, but they have lousy equipment. You can’t really have it both ways. Get a good router. A real router. For home, a good router is the Netgate SG-1100. Not too expensive at all. Tons of videos on how to set things up, and you’ll be a whole lot smarter on this stuff. Get a good wireless access point that supports VLANs. Ubiquiti makes really good ones. You don’t even need a managed switch. Again, videos on YouTube. IoTs are the low-hanging fruit. Their security is lacking, and they are an excellent attack vector to the private network.
I agree, Thomas, which is why you should get IoT devices from shady vendors.
Haha… I’m one of those that uses Guest Network for IoT devices. So far 90% of them work, including IP cams, smart home devices, etc. Chromecast I put on the main network, as you would need to switch to the guest network to cast. The only ones that don’t like Guest Network are my LIFX bulbs. I can’t get them to connect to guest.
Yeah, you can make it work but it could be a pain and, if so, you deserved it, Peter. 🙂