I’ve received a lot of questions relating to the Guest Wi-Fi network in the past couple of months, especially since the review of the Asus ZenWiFi AX, whose Guest network feature hasn’t worked as intended.
Most of these questions, though, are not about setting up a router’s Guest Wi-Fi network but about why specific IoT devices don’t work.
So, this post will explain Guest networking and how to use it properly. Hint: No, it’s not intended to be a security measure for Internet of Things (IoT) devices.
What is a Guest network
A Guest Wi-Fi network is a fancy name for a virtual SSID (network name) that’s, by default, isolated from the primary one you use for your home — your intranet. As a result, a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.
As the name suggests, this other network is for your guests to use. The purpose is to keep guest devices separated from your home devices for security and privacy purposes.
Here’s a crude analogy: If your intranet is your home, then the Guest network is that mother-in-law suite at the far-end of your back yard. You know your in-law is comfortable there each time they visit, yet you don’t have to tend to their every move. Everyone is happy.
When a Guest network is not a Guest network
Note that many routers have an option to give the Guest network access to the intranet. With that turned on, the isolation is no longer in effect. The Guest network now works the same as the main network.
Why would anyone want to do that, you might ask? Other than not knowing what they are doing, there are a couple of additional reasons.
First, not everyone needs a Guest network, and sometimes it’s useful to have multiple options so you can segment your devices. For example, you can have a group of clients connect to a particular SSID, and the rest to another.
Another reason is the owner of the Guest network might want to gain access to the guest’s device. The isolation, or the lack thereof, works both ways, and not every guest network is a friendly one. That’s the reason you want a VPN when using public Wi-Fi.
The point here is that, just because it’s called a Guest network, doesn’t mean it’s necessarily isolated. But in this post, for the sake of consistency, we assume that it always is.
How to set up a guest network
By definition, any Wi-Fi network that’s separated (isolated) from your main network is a guest network. And there are many ways to achieve this.
Turn it on
The easiest way is to get a router that has this feature — the majority of home routers have Guest networking these days. In this case, you just need to turn it on via the router’s web interface or mobile app. You’ll find it in a section called “Guest Network” or something to that effect.
Once turned on, by default, the Guest network is isolated, so make sure you don’t change this setting. Most routers’ Guest network feature comes with some other settings, including time access limit, bandwidth limit, and so on. You can configure those or leave them all alone, but it’s always a good idea to secure this network with a password.
Note that when you use a router’s built-in Guest networking feature, chances are all devices connected to the Guest SSID are isolated, meaning not only can’t they access your intranet, they also don’t see one another. In other words, if the guests want their devices to work with each other locally, that won’t happen.
That said, this type of Guest networking is suitable for temporary guests who just need the Internet and nothing else. It’s also the right choice for a public place, like a coffee shop.
But if you want to offer your guests more than just the Internet, this type of Guest networking won’t cut it. Instead, you need a separate Intranet.
Create a separate intranet
If you want your loved one living in the mother-in-law unit to feel even more welcome, you can equip the place with more gadgets, such as a network printer or Wi-Fi speakers. Now, to keep these devices available to your guests, yet separate from yours, you’ll need to build a different intranet for them.
There are many ways to do this, and the easiest is to use a separate router in a double-NAT setup. For more on this, check out this post about using multiple routers on top of each other.
In this case, the guest intranet is separate from your primary network, but its devices are not isolated from one another. And that’s important because most local devices need to be in the same network to work as intended. That brings us to why Guest networking is not for IoT devices.
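One way to verify which of the setups described above you actually have, run from a device joined to the Guest SSID or to the second router: intranet still reachable, Internet only, or a separate intranet where guests can see each other. This is an added example, not part of the original post; the addresses and ports are constructed placeholders for devices you own, and counting a refused connection as "reachable" is an assumption.

```python
import ipaddress
import socket

# Constructed sample values (assumptions): replace with devices you own.
INTRANET = [("192.168.1.10", 445), ("192.168.1.20", 631)]  # file share, printer
PEERS = [("192.168.50.23", 80)]  # another device joined to the same Guest SSID
INTERNET = ("1.1.1.1", 443)


def tcp_probe(host, port, timeout=2.0):
    """True if host:port answers at all; a refusal still means traffic got through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:  # timeout, no route, host unreachable
        return False


def check_guest_network(intranet, peers, internet, probe=tcp_probe):
    """Classify the network this machine is on by what it can reach."""
    for host, _ in list(intranet) + list(peers):
        if not ipaddress.ip_address(host).is_private:
            raise ValueError(f"{host} is not a private address; test only your own LAN")
    leaks = [t for t in intranet if probe(*t)]
    seen_peers = [t for t in peers if probe(*t)]
    online = probe(*internet)
    if leaks:
        verdict = "not isolated: intranet reachable"
    elif not online:
        verdict = "inconclusive: no Internet, probes may fail for other reasons"
    elif seen_peers:
        verdict = "separate intranet: isolated from primary, guests see each other"
    else:
        verdict = "isolated guest network: Internet only"
    return {"verdict": verdict, "leaks": leaks, "peers": seen_peers, "online": online}


if __name__ == "__main__":
    result = check_guest_network(INTRANET, PEERS, INTERNET)
    print(result["verdict"])
    for host, port in result["leaks"]:
        print(f"  reachable from the guest side: {host}:{port}")
```

Any entry listed under leaks means the router's intranet-access option is on, or the second router is not separating the two networks the way you expect.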
Why you shouldn’t use a Guest network for many IoT devices
While it seems sensible to tell folks to put IoT devices on a Guest Wi-Fi network as a security measure, in reality, this advice can be rather idiotic in many cases for a couple of reasons.
Being in the same network doesn’t guarantee access
First, it’s important to note that having devices in the same local network (intranet) doesn’t mean they can access one another willy-nilly.
The interaction between network devices varies depending on the applications. Still, all sensitive data access — such as if you want a machine A to access a shared folder on a device B — requires some configuration which determines who can access what and how.
If you don’t do anything, by default, the access is not available. In other words, it takes work to make a computer’s information exposed to others.
Most IoTs are low-value targets for hackers
IoT stands for Internet of Things and it generally means an Internet-connected thing that’s not a computer or a mobile device.
You’ll find IoT devices all around you. Examples are network printers, IP cameras, smart speakers / TVs / appliances, and so on. All have one thing in common: They generally have limited computing capability, compared to a real computer, that is.
As a result, they generally are low-value targets. Hackers won’t try too hard to hack these devices because even when they are successful, there’s not much they can do with them. On the other hand, hacking a computer warrants a much higher return on their investment.
How about IoT botnets? Aren’t those real?
Yes, there have been instances where hundreds, if not thousands, of IoTs were “hacked” at the same time to create a botnet. In these cases, there was little hacking involved; it was mostly the negligence of the owners.
In their early days, IoTs, including many Wi-Fi routers, all worked right out of the box with the default username and password. Consumers got them home, hooked them to the Internet, and used them without bothering to change their default settings. It’s like you get a new safe and use it with the default 1111 combo.
The bad guys took advantage of this and were able to gain control of these devices remotely with little effort. They then used them as bots to send a simple denial-of-service (DoS) command to attack a third party.
A couple of things to note here:
- No harm was done to the owners of the IoT devices involved in these attacks.
- Using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.
What’s most important is that, since then, IoTs have come a long way in terms of security. Most of them won’t connect to the Internet unless the user has created a (new) admin password.
(The only IoT device I’ve seen in a long time that works with its default security setting is the D-Link DIR-X1560, which turned out in my testing to be not a great router anyway.)
No, I don’t mean the chance of your IoTs being hacked is zero, but it sure is much lower than that of your computer or your phone. And using them with a Guest Wi-Fi network makes little difference, if at all, on the security front. In this case, though, one thing is more likely: They probably won’t work as intended.
Many IoTs need intranet access to work
That’s correct. Many IoT devices need to be part of your home network to work correctly.
Take a network printer, for example. Hooking it to a Guest network will keep it invisible to your other devices, so they can’t print. In some cases, you still can print, but you have to do so via the Internet, and that means:
- You must set up the printer with a vendor login account which can be a privacy concern.
- You can’t print if the Internet is down.
- It takes much longer to initiate a print job.
Similar things will happen with other devices. Putting them on the guest network means you disconnect them from your local network. Everything now has to go through the Internet.
Here are some more examples of what might not work if you connect your IoTs to an isolated Guest Wi-Fi network.
- You can’t wirelessly cast a computer’s or mobile device’s screen on your smart TV.
- Wi-Fi speakers won’t work.
- Most IP cameras won’t work, at least the setup process.
- Local movie streaming (from your own server) won’t work.
The list goes on. So to answer many of your questions: Putting all your IoT devices on a Guest Wi-Fi network can create a lot of headaches. Stop making it a standard practice!
It’s a matter of degree
OK, just to be fair. First, there are Internet of Things devices — those that only need Internet and nothing else — that will work just fine when you put them on an isolated Guest network.
Also, if you get cheap ones from sketchy or unknown vendors, especially those from China, with no or bad security, maybe it’s a good idea to isolate them — though it’s best not to use them at all. The truth is, many of these devices come with intentional back-door access.
There are possible ways to make almost all IoT devices work via a guest Wi-Fi network, including those that need to be part of your local resources. But in this case, why jump through hoops with your hands tied behind your back and risk falling on your face unnecessarily when you can stroll to the same place?
The point here is this: You need to understand your device and the Guest network and use them accordingly. The Guest network is not synonymous with better security. And vice versa, using an IoT device within your primary network doesn’t necessarily make your system more vulnerable.
The best way to make sure your IoT devices are safe from hacking is, again, not to get cheap ones from unknown vendors. Then set a secure password for them and use them with their latest firmware. On top of that, keep your router’s firmware up-to-date, too. Finally, if the router has built-in online protection, use that.
And for those who are still adamant about always using IoT with a Guest Wi-Fi network, consider this: Your router, the one that hosts your Wi-Fi networks, including the Guest Wi-Fi, is itself an IoT device. It’s also one of the highest-value targets among IoTs. What are you going to do about this conundrum?