TD9980 - security hole - guest network and IPSec VPN
Posts: 20
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2013-09-09
2014-12-09 23:13:45
Region : UnitedKingdom
Model : TD-W8980
Hardware Version : V1
Firmware Version :
ISP :
NB - refers to TD9980 but not available in pick-list, so saved under 8980 (same hardware).
I want to report what I believe is a serious security flaw in the TD9980 guest network functionality. If the router has an IPSec tunnel configured to another site, a user on the guest network can access any device at the remote site!!!
e.g. I have a VPN tunnel connecting sites A and B, using a TD9980 at site A and a TD8960N at site B. If connected to the guest network at site A I cannot access local devices at site A (as expected), but I CAN access the router admin console and NAS file server at site B...!
The guest network must not allow access to network devices at the remote site!
I've sent an email to TPLink support, but I thought I'd also ask on here... is there any way to prevent it in the settings?
#1
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 02:27:27
What do you want the guest network to have access to, and what do you want to prevent the guest network from accessing?
#2
Posts: 20
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2013-09-09
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 04:07:55
I want devices on the guest network to have access to the internet, and nothing else.
I have set the guest network as follows:
Allow Guests to access my Local Network = DISABLED
Allow Guests to access my USB Storage Sharing = DISABLED
Guest Network Isolation = ENABLED
Guest Network Bandwidth Control = DISABLED
It successfully isolates devices on the guest network from devices on the local data network, but it does NOT isolate them from devices on a remote network connected via an IPSec tunnel (on a separate sub-net). It seems the developers did not test the guest network in this scenario.
#3
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 14:31:38
If your guest network IP addresses are handed out from the same DHCP IP address pool as your non-guest network, then you may want to use an access list to accomplish what you are asking in your post.
Otherwise you should place your guest network on a separate subnet and create a second dhcp ip address pool just for them.
#4
Posts: 20
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2013-09-09
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 17:33:17
An access list is no good because once they are on the guest network they can access other devices on the remote network, which is not correct. There are settings to isolate guests from the data network and they simply don't work if you have an IPSec tunnel connecting to another site.
How is it possible to set up a separate DHCP pool for the guest network on a TD9980? I can't see any settings for that. You might as well say I should use a different router.
#5
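The gap the thread describes (guest isolation that only blocks the local LAN, while the site-to-site IPSec subnet stays reachable) can be modelled as a small egress policy. The following is an added illustration written for this page; it is not code from the thread, from TP-Link, or from the TD9980 firmware. All addresses are constructed examples, and the "naive" policy is an assumption about what the "Allow Guests to access my Local Network = DISABLED" setting appears to implement, based only on the behaviour reported above. The hardened policy denies every private prefix the router can route to (local LAN, each tunnel subnet, plus all RFC 1918 space as a backstop), and the `audit` function reports which internal prefixes a guest could still reach.

```python
"""Guest-network egress policy model: why blocking only the local LAN is
not enough once the router also routes an IPSec tunnel to another site.
All addresses are constructed examples, not values from the thread."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed topology (assumed for illustration, not taken from the posts).
LAN_A = ip_network("192.168.1.0/24")         # site A data network
GUEST_A = ip_network("192.168.7.0/24")       # site A guest network
VPN_REMOTE_B = ip_network("192.168.2.0/24")  # site B LAN reached via IPSec

RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass
class GuestPolicy:
    """Destination prefixes a guest client is forbidden to reach."""
    denied: list[IPv4Network] = field(default_factory=list)

    def allows(self, dst: str) -> bool:
        """True if a packet from the guest network to `dst` would be forwarded."""
        addr = ip_address(dst)
        return not any(addr in net for net in self.denied)


def naive_policy() -> GuestPolicy:
    """Assumed behaviour of 'Allow Guests to access my Local Network = DISABLED':
    only the directly attached data LAN is blocked, so anything the router
    routes elsewhere (e.g. through the IPSec tunnel) is still reachable."""
    return GuestPolicy(denied=[LAN_A])


def hardened_policy(local: IPv4Network,
                    tunnel_subnets: list[IPv4Network]) -> GuestPolicy:
    """Internet-only guest policy: deny the local LAN, every IPSec remote
    subnet, and all RFC 1918 space as a backstop so that a tunnel added later
    is not reachable by default."""
    return GuestPolicy(denied=[local, *tunnel_subnets, *RFC1918])


def audit(policy: GuestPolicy,
          reachable_private: list[IPv4Network]) -> list[str]:
    """Return the internal prefixes (as strings) that are not fully covered
    by a deny entry, i.e. that a guest could still reach under `policy`."""
    leaks = []
    for net in reachable_private:
        if not any(net.subnet_of(d) for d in policy.denied):
            leaks.append(str(net))
    return leaks


def demo() -> dict:
    """Compare both policies against the two internal prefixes the router
    can route to; 203.0.113.10 stands in for an arbitrary internet host."""
    internal = [LAN_A, VPN_REMOTE_B]
    naive = naive_policy()
    fixed = hardened_policy(LAN_A, [VPN_REMOTE_B])
    return {
        "naive_reaches_remote_nas": naive.allows("192.168.2.10"),  # True: the hole
        "naive_leaks": audit(naive, internal),                     # ['192.168.2.0/24']
        "fixed_reaches_remote_nas": fixed.allows("192.168.2.10"),  # False
        "fixed_leaks": audit(fixed, internal),                     # []
        "fixed_allows_internet": fixed.allows("203.0.113.10"),     # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `audit` check is the part worth keeping around: feed it every prefix the router has a route for (LAN, each VPN policy's remote subnet, any static routes) and it will name the ones a guest-only ACL has missed, which is exactly the class of omission the posts above report.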
Posts: 20
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2013-09-09
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-11 00:23:46
On a positive note, vpnrouter's suggestion has led me to a temporary solution - I've configured my old router as a guest wireless network, and found a way to segregate it from the data network (including remote sites) using the TD9980's "Interface Grouping" function to isolate the LAN port it is plugged into.
TD9980 firmware needs fixing to do this properly.
#6
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-11 08:56:36
ash73 wrote:
An access list is no good because once they are on the guest network they can access other devices on the remote network, which is not correct. There are settings to isolate guests from the data network and they simply don't work if you have an IPSec tunnel connecting to another site.
How is it possible to set up a separate DHCP pool for the guest network on a TD9980? I can't see any settings for that. You might as well say I should use a different router.
DHCP Server/Conditional Pool
#7
Posts: 20
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2013-09-09
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-11 21:13:29
Does anyone who can string more than one sentence together know how to configure DHCP conditional pool? It looks like it isolates based on client type, which is not what I want to do.
- How do you isolate one pool from the other?
- What is facility?
- What are options 241-245?
- What is the option value?
Using 2.4G for guest and 5G for data, and isolating 2.4G in a separate interface group, looks like the way to go, but I haven't had a chance to try it yet.
#8
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-15 10:26:20
I sent you a private message.
#9
Information
Helpful: 0
Views: 1177
Replies: 8