Webinars

Webinar - Testing Wifi Guest Mode

5 min read

 

One of the most common use cases for Wifi is the ability to set up a guest network alongside another network that is used by the home user, business, or other organization. It’s also a source of a lot of problems: guaranteeing that the Wifi router or AP can handle the number of clients connecting; making sure that the security in place for the guest network and other networks works correctly; and ensuring the policies you’ve put in place for guest access vs. other access are correctly applied.

Although there is no standards body or any public specifcations that define what guest mode means, guest mode usually refers to allowing ‘guest’ devices (laptops, tablets, phones, etc.) to connect to a LAN network with the purpose of getting a connection to the Internet without exposing or allowing access to other devices on that same LAN.

The typical guest mode use case is to allow a separate connection point (usually wireless) for guests to connect their device to an existing home or business network. The guest device is allowed access out the WAN interface to the Internet, but not allowed access to any resources on the LAN, including both wired and wireless devices or systems (e.g printers, servers, game consoles, etc.).

 

Typical guest mode scenario

 wifi guest mode

In our diagram, each network block contains those devices that can ‘see’ each other. This means they can ping each other, send IP traffic to each other, request services from each other, and generally communicate with each other. Notice, however, that devices on the private LAN and guest LAN cannot ‘see’ each other.

 

Testing guest mode in CDRouter

CDRouter 10.0 introduced two new modules as part of the Multiport add-on to help verify the proper operation of ‘guest’ mode of a devices, most likely, a wireless residental gateway/router. These modules include one for testing guest mode over IPv4, and one for testing guest mode in IPv6 with the IPv6 add-on.

To support running the guest mode test cases, you will need to set a newly defined testvar lanGuestMode, which was introduced in CDRouter 10.0. This testvar will need to have its value set to yes on the LAN interface you choose to have a ‘guest’ client defined.

A configuration for this will need two LAN interfaces defined. Typically, one which represent the private LAN and one represents the guest LAN. The most common configuration defines the guest LAN on a wireless interface, but the tests will also work if the guest LAN is wired.

 

Guest mode test configuration

Below is a portion of CDRouter configuration file for a typical IPv4 guest mode setup. The private LAN is defined on eth1 and the guest LAN is defined on wlan0. In this particular example, the guest SSID does not have security set, since it is set for an ‘Open’ security mode. However, it is possible for the guest SSID to have wireless security set. CDRouter does support this mode of operation, as well. The configuration would just need to change to match the devices’s guest SSID’s security setting.

SECTION "Base Configuration" {
    SECTION "WAN" {
      SECTION "WAN Interface" {
        testvar wanInterface                     eth2
        testvar wanMode                          DHCP
    SECTION "LAN" {
      SECTION "LAN Interface" {
        testvar lanInterface                     eth1
        testvar lanMode                          DCHP
    SECTION "CDRouter Multiport Add-On" {
      SECTION "Additional LAN Interface Setup" {
        testvar_group lan2 {
    SECTION "IPv4 LAN" {
      SECTION "LAN Interface" {
        testvar lanInterface                     wlan0
        testvar lanMode                          DHCP
        testvar lanSecurity                      NONE
        testvar lanGuestMode                     yes
    SECTION "802.11 Wireless" {
      testvar lanSSID                          CPE_Guest

 

Analyzing the results

Since guest mode is not rigorously defined, each device vendor may implement their guest mode differently. In our own testing, we discovered several different techniques for implementing guest mode.

Layer-2 Segregation Techniques

Devices with this type of implementation usually prevent network traffic from traversing between private and guest LANs with some sort of MAC address filtering. At a high-level, they prevent frames with certain MAC addresses from being sent between devices on the private LAN and devices on the guest LAN.

These devices will pass the tests that ensure ARPs are not broadcast between the LANs, but will likely fail the tests that check for IP connectivity when the ARP entries are statically configured.

Layer-3 Segregation Techniques

Devices with this type of implementation usually prevent network traffic from traversing between private and guest LANs with some sort of IP address filtering/firewall. At a high-level, they prevent packets with certain IP addresses from being sent between devices on the private LAN and devices on the guest LAN.

These devices will likely not pass the tests that ensure ARPs are not broadcast between the LANs, but will likely pass tests that check that UDP/TCP/IP traffic is not received by the clients on each LAN.

Web Authentication

Some devices will use a more interactive mechanism for guest mode where they expect a user to open a web browser on the device they connect to the guest LAN and enter credentials in the web page that is presented to them. CDRouter can test “hotspot” routers like these by triggering its simulated LAN clients to attempt to authenticate. You can set this up in your CDRouter config.

Distinct LAN Segments

There are also some devices vendors that treat the guest LAN as a completely different LAN segment. The guest LAN will often have its own DHCP server to give out IP addresses that are on a different segment then the DHCP server on the private LAN.

These devices seem to be the ones that often pass most of the tests in the guest modules, because they do a combination of both Layer-2 and Layer-3 segregation of the guest LAN from the private LAN.