Your guest wifi is likely insecure

Here’s a fun question for anyone who isn’t aware of the underlying networking: how is your guest wifi implemented, and how does it actually work? Hint: it isn’t there just to keep your wifi passwords separate.

Before guest wifi appeared on consumer home routers, admins wanted to segregate their wifi just like they do with wired networks. On standard L2 and L3 networks, for the purpose of security, you separate your networks at the physical layer, layer 2 and layer 3, giving full separation and only allowing inter-communication where specified. This helps prevent authorised users from accessing resources they shouldn’t, while also preventing users from easily communicating with one another. A lot of wifi access points also have a feature called isolation, which essentially puts each client in its own layer 2 network and prevents intercommunication, so that for example nobody else on the network can see what song you’re listening to on your Windows Vista or newer computer (Windows Media network sharing defaulted to on, letting people access your music over the network if they bothered to look; trivial to some from a security standpoint, but embarrassing to others).

So back to guest wifi: admins also wanted to partition the network the same way on wifi, doing this by giving each SSID its own VLAN. One wifi radio can have an unlimited number of SSIDs, though you may not find this exposed on your home router, for the sake of GUI management simplicity. Now take that same router and make it only an access point on the network: how is it going to keep the guests isolated from the home users this time?

Before we continue, let’s ask: what makes a network secure? We first need to know what can communicate with what, and what we leak. An example of leakage happens when a switch behaves like a hub and transmits traffic out of a port not meant for the destination on that port, allowing the device there to see traffic not meant for it. But how does this translate to wifi? Well, wifi acts like a hub, not a switch. Even the newest wifi is still a hub, despite some tech nerds on YouTube saying otherwise because of MU-MIMO and similar technologies. This is because wifi works over a common medium and frequency range in an area, like sharing a physical cable, so any traffic not bound for a given destination still appears to every device using that radio, while the isolation feature only prevents layer 2 traffic from one wireless client reaching another wireless client on the same radio. Using a different SSID with a different password means that even though the same traffic is on the air and can be picked up, the encryption is different. But a guest wifi password is usually shared, whether as a fixed password or through some temporary hotspot/RADIUS scheme, nullifying that advantage and letting anyone on the network still receive packets sent to them by mistake the old-fashioned way, such as through memory overflows.

Even worse, a lot of consumer home routers implement guest wifi as just another SSID connected to the same layer 2 switch and layer 3 network. This means your network still isn’t secured, and it only gets worse when such a router is used as an access point, since some consumer routers only segregate the guest wifi when they themselves are the router. So how do we truly ensure that our wifi SSIDs are partitioned the way admins partition their networks? The answer is to treat the SSID just like any other connection. Drop the “guest” terminology and start implementing SSIDs properly, with their associated layer 2 features such as VLANs. OpenWrt, for instance, allows this on the same hardware on which the manufacturer firmware did not implement guest wifi with VLANs. By assigning a different VLAN to the wifi we use for guests, we can then isolate it at layer 3 as well, ensuring that clients do not see each other, and go further by dropping any routing between our layer 3 networks. We also have the option of a 1-to-1 IP relationship between the router and each client by using an address range with a 254 mask (255.255.255.254), allowing only 2 addresses per network (router and client), while dropping routing between those ranges, further isolating clients, especially when combined with the wifi isolation feature.

Figure: The most popular method for partitioning a network: VLANs. But VLANs do not stop communication on layer 3 through a router, for example, and they limit the speed at which layer 3 communication happens across VLANs.

Figure: Standard switch arrangement: everyone can see everyone and communicate without limits.

Figure: Partitioning in the switch logic without using VLANs: the first step to properly segmenting traffic.

Figure: Segregating layer 3 without VLANs means that clients still see each other and can still communicate via layer 2, for example with IPX.

Figure: The Internet happens on layer 3: at every device that routes, the layer 2 encapsulation is stripped and new layer 2 encapsulation is added.

There you have it. Can you really make sure that your guest wifi is segmented at both layer 2 and layer 3? Switch logic in groups without VLANs is rare; only a few switches do it, mainly fully managed ones from MikroTik to Cisco, while anything lower-end simply uses VLANs for switch groups or has fixed groups. It’s best to use a configurable device that lets you attach an SSID to a VLAN, such as OpenWrt, and to follow through with a different IP subnet and a non-routable setting in the router so that the 2 networks cannot even see each other, not even across the internet, and to use the wifi isolation feature as well for the guest SSID.
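As an added example (not from the original post) of checking whether a “guest” SSID is actually partitioned the way described above, here is a small Python audit over a constructed OpenWrt-style UCI configuration. It assumes the older `ifname`-based VLAN interface style, a single `lan` home interface and a client-isolation flag written as `option isolate '1'`; it is a simplification of OpenWrt’s real configuration model and does not inspect firewall zones.

```python
# Added example, not from the original post: audit an OpenWrt-style UCI config for
# "guest" SSIDs that are not really partitioned (same VLAN, same subnet, no isolation).
from ipaddress import ip_interface
SAMPLE_UCI = """config interface 'lan'
    option ifname 'eth0.1'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
config interface 'guest'
    option ifname 'eth0.3'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
config wifi-iface 'guest_bad'
    option network 'lan'
    option ssid 'Guest'
config wifi-iface 'guest_good'
    option network 'guest'
    option ssid 'Guest2'
    option isolate '1'
"""  # constructed sample, not a real router's config

def parse_uci(text):
    # Returns a list of (section_type, section_name, {option: value}).
    sections = []
    for line in text.splitlines():
        parts = line.replace("'", "").split()
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", {}))
        elif parts and parts[0] == "option" and sections:
            sections[-1][2][parts[1]] = " ".join(parts[2:])
    return sections

def _subnet(iface):
    return ip_interface(f"{iface['ipaddr']}/{iface['netmask']}").network

def audit_guest_ssids(text, guest_ssids, home_net="lan"):
    """Map each guest SSID to the list of partitioning problems found for it."""
    secs = parse_uci(text)
    nets = {name: opts for typ, name, opts in secs if typ == "interface"}
    home = nets[home_net]
    def problems_for(wifi):
        net = nets.get(wifi.get("network"), {})  # interface the SSID is bridged to
        found = []
        if net.get("ifname") == home.get("ifname"):
            found.append("same layer-2 interface/VLAN as home")  # one broadcast domain
        if "ipaddr" in net and _subnet(net).overlaps(_subnet(home)):
            found.append("subnet overlaps home")  # no layer-3 separation either
        if wifi.get("isolate") != "1":
            found.append("client isolation off")  # guests can reach each other
        return found
    return {o["ssid"]: problems_for(o) for t, _, o in secs
            if t == "wifi-iface" and o.get("ssid") in guest_ssids}
```

Running the audit against the sample flags `Guest` on all three counts and reports nothing for `Guest2`, which sits on its own VLAN and subnet with isolation enabled.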