Guest network not secure!

Guest network not secure!
Guest network not secure!
2019-08-14 15:25:03 - last edited 3 weeks ago
Model: EAP225-Outdoor
Hardware Version: V1
Firmware Version: 1.5.0 Build 20190404 Rel. 58086

UPDATED: 22/8 add DHCP warning.

 

Hi,

 

Great product, some points to make it a bit better.

 

Controller 3.2.1 I made a SSID with guest network enabled.

 

  • When I connect to the wifi and I login I can:

Using the Fing app on my smartphone it can discover many devices on my lan network.

Run a DHCP Server to trick other clients routing the traffic thru me. Or give them a hacker dns server..

IP and MAC address information is exposed of many devices. 

 

Using the Mikrotik App, i can connect to my router and login.... using mac adress.

Wireshark shows -> not only non ip traffic is allowed but also IP broadcast/multicast from all kinds devices in my network. 

 

  • When I connect but I do not login:

I can resolve DNS entries, so you can setup a DNS VPN or simple send a message like ping <specialcontent>.myremotelocation.com

I can see the mikrotik router, but login doesn't work.

Wireshark shows -> not only non ip traffic is allowed but also IP broadcast/multicast from all kinds devices in my network. 

 

Also the isolation between the devices using the guest ssid is also NOT working when they are on different bands (2.4/5) or on different AP's.
(arp-ping works)

 

I know that this is common for many hotspot sites. Just wanted to point it out to everybody. And maybe tplink will do something with it :-)

 

Some Tips for users:

Use a different vlan for your guests, will help a lot. But you need to setup the router/switch to make that work. 

Only offer a single band and run the SSID only on 1 AP, is a more secure if you need a strong seperation between guest users. 

 

My suggestions to TP-LINK:

Only allow traffic from the mac adress of the GATEWAY to go to the client. A possiblity would be that the operation puts in the mac adres of the gateway.

(NOTE the DHCP should come from the gateway also and DNS should not be in the local subnet.)

 

If that's not possible : 

I can not add an access rule that blocks multicast (224.0.0.0/4 or just to block 239.255.255.250/32 which is used by many devices)
That would block already many information leaking of camera's on the network.
Allow only IP/IP6/ARP block all kinds of unwanted things.

 

Don't get me wrong, great product. No complaining here.

 

Cheers,

Meetriks

3
3
#1
Options
15 Replies
Re:Guest isolation not secure!
2019-08-14 16:23:37 - last edited 2019-08-14 16:24:40

Meetriks wrote

Some Tips for users:

Use a different vlan for your guests, will help a lot. But you need to setup the router/switch to make that work. 

Only offer a single band and run the SSID only on 1 AP, is a more secure if you need a strong seperation between guest users. 

 

I agree. Business-class hotspots should implement guest network using a separate VLAN on the router. Client isolation should become a separate option (like it was before) and should include blocking traffic from 2.4 GHz band to 5 GHz band.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
0
#2
Options
Re:Guest isolation not secure!
2019-08-15 00:45:10 - last edited 2019-08-15 02:15:48

Meetriks wrote

Hi,

 

Great product, some points to make it a bit better.

 

Controller 3.2.1 I made a SSID with guest isolation enabled.

 

  • When I connect to the wifi and I login I can:

Using the Fing app on my smartphone it can discover many devices on my lan network.

IP and MAC address information is exposed of many devices. 

 

Using the Mikrotik App, i can connect to my router and login.... using mac adress.

Wireshark shows -> not only non ip traffic is allowed but also IP broadcast/multicast from all kinds devices in my network. 

 

  • When I connect but I do not login:

I can resolve DNS entries, so you can setup a DNS VPN or simple send a message like ping <specialcontent>.myremotelocation.com

I can see the mikrotik router, but login doesn't work.

Wireshark shows -> not only non ip traffic is allowed but also IP broadcast/multicast from all kinds devices in my network. 

 

Also the isolation between the devices using the guest ssid is also NOT working when they are on different bands (2.4/5) or on different AP's.
(arp-ping works)

 

I know that this is common for many hotspot sites. Just wanted to point it out to everybody. And maybe tplink will do something with it :-)

 

Some Tips for users:

Use a different vlan for your guests, will help a lot. But you need to setup the router/switch to make that work. 

Only offer a single band and run the SSID only on 1 AP, is a more secure if you need a strong seperation between guest users. 

 

My suggestions to TP-LINK:

Only allow traffic from the mac adress of the GATEWAY to go to the client. A possiblity would be that the operation puts in the mac adres of the gateway.

(NOTE the DHCP should come from the gateway also and DNS should not be in the local subnet.)

 

If that's not possible : 

I can not add an access rule that blocks multicast (224.0.0.0/4 or just to block 239.255.255.250/32 which is used by many devices)
That would block already many information leaking of camera's on the network.
Allow only IP/IP6/ARP block all kinds of unwanted things.

 

Don't get me wrong, great product. No complaining here.

 

Cheers,

Meetriks

 

Thank you for your suggestions. 

When we enable guest network, the clients connected to one SSID cannot communicate with each other and these clients cannot access the private network. 

But, even we enable guest network, it will not block some packets like ARP, DNS, DHCP, etc. If we block these packets, we will not get an IP address and access the internet normally. 

 

And you mention this feature will not work when the clietns are connected to different bands. For this we had a test, different clients cannot communicate with eath other when we enable guest network. 

 

 

 

0
0
#3
Options
Re:Guest isolation not secure!
2019-08-15 06:02:04

 Hi Forrest,

 

Thank for your input. I'm aware that there is no two IP communication between the lan or the clients connected.

I can not find in your response if you believe it's correct that people can see all devices on your lan network. 
For me this is not okay. With simple apps on there mobile people can see a lot of stuff of your internal network.
I think isolation needs to be true isolation. Other vendors have this done succesfully.  
 

Cheers,

Meetriks

 

 

When we enable guest network, the clients connected to one SSID cannot communicate with each other and these clients cannot access the private network. 

There is no IP connection but there is unlimeted two way communication with protocols like ARP with the device connecd to the wifi. 
In my case i also see AoE traffic. (ATA over Ethernet). I have not tested it but i'm pretty sure that IPX/SPX also works. We can all run old classic quake 3 arena ;-)

 

But, even we enable guest network, it will not block some packets like ARP, DNS, DHCP, etc. If we block these packets, we will not get an IP address and access the internet normally. 

You can not block them all but you should only allow the needed. Other product I use can do this... See my suggestion on how to do it. 
If you like I can share you vendor names.. Allowing those packets leaks informations, and i tested it's two way communnication with ARP.

 

 

And you mention this feature will not work when the clietns are connected to different bands. For this we had a test, different clients cannot communicate with eath other when we enable guest network. 

 

How did you test this? I used arp-ping on a laptop to arp-ping my mobile, both connected to the guest SSID.
The can connect to each other using protocol like ARP. On the same band and AP they can not, but they can on two different band.

 

0
0
#4
Options
Re:Re:Guest isolation not secure!
2019-08-16 04:55:13

Hello,

 

I am working with TP-Link on this very problem. SSID cancommunicate to items on LAN and same SSID. I have sent them OC200 configs and so far they have not been able to recreate the issue. We have moved several managed wireless systems in the past and TP Link was our move to since they have the OC200 controllers. On our first install of a OC200 and about 6 EAP245, we noticed that client isolation did not work as they should not be able to receive positive icmp echo request(ping) each other and obtain a way to tell what active devices are on the network and talking. There is a way to give the results you need to pass. On the OC200 you simply add a block access rule and add the subnet you are on. This will block everything so in order to grab an ip, access the internert you will need to add the router gateway and if you are using their cloud portal for guest to login, you will need to add the OC200 on the exception list as well. We have done this and it work fine blocking clients from talking to each other. I wonder if that is what the guest network check (what used to be called  SSID Isolation on previous firmwares) was actually supposed to do for a user that didnt know how to do the mentioned above. Perhaps a script or code behind that check mark to do just as i suggested above.

 

I agree that Vlan tagging with a good router is the best way in order to create a seperate subnet for the guest users however the ssid still needs the ability to block everything between clients on that subnet. Thats kind of the reponsibilty of the host of a network for guests... to ensure as much security as possible.I will post more as i work with TP Link, however following the instructions above i provided should give you isolation so their equipment is capable of doing it but seemingly not working on several OC200 and EAP models whether connecting direct to an AP or controling it with OC200. I only mention this just like Meetriks is to help improve as otherwise it is a solid product that offers flexibility, manageability and good wifi speeds for users.

0
0
#5
Options
Re:Guest isolation not secure!
2019-08-16 14:48:15 - last edited 2019-08-16 16:07:58

Some more details on how to make a simple effective solution:

 

Assume:  you router is the default gateway and the dhcp server ( very common) and the dns server (or the dns server is outside the subnet)

Assume: that the portal website is outside the subnet.

 

                                                      P1

ROUTER <-> SWITCH <-> AP   <-> GUEST

                                                     <-> Guest2

                              

At point P1 only traffic from the mac address of the gateway is allowed to go to mobile devices.  (traffic from left to right)

Frames with this source mac can be dns or dhcp or the entire internet traffic.

 

By only setting up that filter you will break communication with the local subnet on layer2.  Guest will not be able receive traffic from the LAN. No matter what protocol.

That is already a big step. I don’t believe more is needed for this price level product.

Layer 3 communication is not blocked between the wifi clients if the router “routes” it  (local proxy-arp).  You currently layer 3 filter will stop that traffic.

 

I use arp-ping to simply show there is communication . ICMP ping is blocked but arp-ping is not.  That just an example, more traffic can pass.

https://www.elifulkerson.com/projects/arp-ping.php

 

Also please use the mobile App Fing. It will show you how it can easily you can learn a lot about the internal network. Of course you need some test devices on your lan.

Camera / NAS / Server or something similar. Also run wireshark on a laptop and capture what you can see. Also during the moment a different device is doing the App Fing for example.

 

If the portal server is in that same subnet, it’s mac address should be allowed also.

 

If I can help to test something, let me know.

 

Cheers,

Meetriks

0
0
#6
Options
Re:Re:Re:Guest isolation not secure!
2019-08-18 09:22:20

WCC-Tech wrote

Hello,

 

I am working with TP-Link on this very problem. SSID cancommunicate to items on LAN and same SSID. I have sent them OC200 configs and so far they have not been able to recreate the issue. We have moved several managed wireless systems in the past and TP Link was our move to since they have the OC200 controllers. On our first install of a OC200 and about 6 EAP245, we noticed that client isolation did not work as they should not be able to receive positive icmp echo request(ping) each other and obtain a way to tell what active devices are on the network and talking. There is a way to give the results you need to pass. On the OC200 you simply add a block access rule and add the subnet you are on. This will block everything so in order to grab an ip, access the internert you will need to add the router gateway and if you are using their cloud portal for guest to login, you will need to add the OC200 on the exception list as well. We have done this and it work fine blocking clients from talking to each other. I wonder if that is what the guest network check (what used to be called  SSID Isolation on previous firmwares) was actually supposed to do for a user that didnt know how to do the mentioned above. Perhaps a script or code behind that check mark to do just as i suggested above.

 

I agree that Vlan tagging with a good router is the best way in order to create a seperate subnet for the guest users however the ssid still needs the ability to block everything between clients on that subnet. Thats kind of the reponsibilty of the host of a network for guests... to ensure as much security as possible.I will post more as i work with TP Link, however following the instructions above i provided should give you isolation so their equipment is capable of doing it but seemingly not working on several OC200 and EAP models whether connecting direct to an AP or controling it with OC200. I only mention this just like Meetriks is to help improve as otherwise it is a solid product that offers flexibility, manageability and good wifi speeds for users.

 

Hi WCC-Tech,

 

Can you give some example for the block access rules? I'm just a user and not that knowledgable with networking and it can help alot when there are examples that we can base from.

 

And Kudos to both of you and Meetriks!

0
0
#7
Options
Re:Re:Re:Re:Guest isolation not secure!
3 weeks ago

Hello JessieG,

 

Still working with TP-Link with this as they are really wanting to look at what we are seeing with ICMP Ping Requests and why Guest Network setting is not providing us the expected results. What we did in an install earlier this year is add what they call an Access Control Rule. We did this from the OC200 controller. Once you are logged into the controller and have your access points setup and visble on the control portal go to the bottom of the screen to wireless control. The first tab is where you want to be, there will be a table with the first column labled Access Control Rule and only one there labeled Default. On the action column click on the edit icon and this will be up the Default rule. If you want to create a true SSID Isolation when only you have one subnet (meaning you have no vlans and your using the same ip subnet or range as office or protected network) Do the following to the on screen popup that shows up after you click edit.

 

  1. You can leave the name Default
  2. Make sure Rule Mode = Block
  3. Subnet is your single ip range or subnet (for example if your router is 192.168.1.1 and all the clients are in that range) Make this 192.168.1.0/24
  4. Exclusion #1 Your Router so guests can get internet = 192.168.1.1/32 (that is your rotuer ip)
  5. Exclusion #2 This is only if you are using TP-Links portal for logging in to access internet or using their custom landing page. Clients need access to Controller = 192.168.1.***/32 (replace the *** with your controllers IP)
  6. Click Appy
  7. Go to Wireless settings and click the edit button for the SSID that is your Guest
  8. Go to the Advanced settings and then make the Access Control Rule = Default
  9. Click apply and your done.

 

You should be set, if you want to test this accurately have a client on the SSID of your guest doing a constant ping with the -t at the end. So open command prompt and ping a computer on another SSID or the same guest SSID. You will notice it ping responds. So find an active ip and "192.168.1.100 -t" with no quotes and this is an example IP as i have put here as well. As soon as you apply the settings above the requests will stop responding. This way you know that the devices are isolated. Again to get accurate test make sure that at least one or both ips are on the guest SSID you have selected the Default block rule to.

 

Again TP-Link is going to try to connect with me so they can remote connect to see what is going on as they can not replicate in the their lab. I just have to setup another out of box network they can safely remote in and do some tests. I am trying to get this setup this week for them.

 

Hope this helps!

 

 

 

2
2
#8
Options
Re:Guest isolation not secure!
3 weeks ago

Hi,

 

Some extra info of what I experience. Devices connected to SSID "Gratis"  should not be able to see each other. 

But they can, and I can not block it with a custom rule.

 

Maybe sombody notice the same thing?

For me this is not acceptable. Guest should not see each other. 

 

Cheers,

Harry

 

 

0
0
#9
Options
Re:Re:Guest isolation not secure!
3 weeks ago - last edited 3 weeks ago

Meetriks wrote

Hi,

 

Some extra info of what I experience. Devices connected to SSID "Gratis"  should not be able to see each other. 

But they can, and I can not block it with a custom rule.

 

Maybe sombody notice the same thing?

For me this is not acceptable. Guest should not see each other. 

 

Cheers,

Harry

 

 

But your screenshots show that you have not enabled access control rules as suggested and described by WCC-Tech. Please try that as well.

0
0
#10
Options
Re:Guest isolation not secure!
3 weeks ago

Powerauditor wrote

But your screenshots show that you have not enabled access control rules as suggested and described by WCC-Tech. Please try that as well.

 

Hi,

 

Thanks for your suggestion.  You can only add rules on IP basis and not on non ip, like arp. So I can't block ARP.

Also i can not create rules like 224.0.0.0/4 to block ipv4 multicast.

 

Cheers,

Meetriks

 

0
0
#11
Options
Related Articles