03/02/2020 Add a guest subnet on your LAN – Greg Hausman's Blog

TECH

ADD A GUEST SUBNET ON YOUR LAN


JUNE 10, 2010 | HAUSMAN | 4 COMMENTS

I have a private LAN here on a NetGear FVS338 VPN Firewall Router, with a couple of servers for internal use. Our wireless network is password-protected, and I hate giving out the password to people that want to use our wireless while they are visiting. Or I have to ask them to look away while I type it in. What if they have keylogger software installed? Anyone could have my wireless network password. We use passwords on all our network shares, but I still don’t like the idea of guests having that wireless password to begin with. Here’s how I set up my guest access on its own subnet so that guests have access to the internet but not my private LAN.

I have a small pocket router (D-link DWL-G730AP) for travel. I can hook it up in router mode and provide guest access to the internet with some lame-o password like “12345” (bonus point if you immediately thought of Spaceballs).

The weird thing was how I had to do it after a DWL firmware update. Before the firmware update, I set up LAN multi-homing on the Netgear with a secondary IP of 192.168.1.1/255.255.255.0 (my private LAN is on 192.168.0.1/255.255.255.0). The pocket router (“guest router”) was plugged into the physical LAN via a LAN port on the Netgear router and given a static WAN IP of 192.168.1.2 with a gateway 192.168.1.1 (the Netgear Router works as a gateway). Then the guest router was given a LAN IP address of 192.168.1.3, and ran a DHCP server offering addresses from 192.168.1.100 – 192.168.1.200. My client machine could connect and everything worked. Since the WAN IP of the guest router is on a different subnet than the private LAN, Windows Firewall blocks File and Printer Sharing between the guest LAN and the private LAN, which is what I wanted.

If you don’t assign the guest router a WAN IP on a different subnet and just plug your guest router into your LAN so it gets a WAN IP on your private subnet (typically 192.168.0.1xx from your DHCP server), your guests can see all your network shares, because on the private-LAN side of the guest router’s NAT all your guest machines appear to be coming from the guest router WAN IP, which is still on your private subnet. Don’t do that. You must separate the subnet on which your guest router WAN IP resides. Other people accomplish something like this by putting the guest router first in the chain, but I don’t want to do that because A) my network is all set up the way I like it, so I don’t want to make major changes, and B) then my private network would be double-NATed and I don’t want that as I occasionally open up a service or two (don’t tell my ISP, it’s for personal use only).

Then I merrily updated the firmware on the guest router and suddenly the above setup didn’t work anymore. After the firmware update, the guest router wouldn’t take a LAN IP that was on the same subnet as the WAN IP. The client machines had no access to the internet. I left the WAN IP set up as above, 192.168.1.2/255.255.255.0/gateway=192.168.1.1, and I set the LAN up on 10.10.10.1, with its own DHCP server handing out addresses in 10.10.10.100-10.10.10.200. Then the clients immediately started working.

So it is possible to add a guest wireless router to an existing private network with its own subnet that Windows Firewall (and others, presumably) will respect, without doing any major restructuring to your private LAN.

EDIT: Thanks to Geoff for pointing out that the networks may not be as well separated as you might think at this point. You can still access shares and services on the machines on the main LAN from your guest subnet. My solution was to add firewall rules to the guest router blocking access to the main LAN. I have 3 rules defined on the DWL-G730AP:

1. Drop from all interfaces, source 10.10.10.100 – 10.10.10.254, dest. 192.168.0.2 – 192.168.0.254, proto ICMP, ports 1 – 65534, always

2. Drop from all interfaces, source 10.10.10.100 – 10.10.10.254, dest. 192.168.0.2 – 192.168.0.254, proto UDP, ports 1 – 65534, always

3. Drop from all interfaces, source 10.10.10.100 – 10.10.10.254, dest. 192.168.0.2 – 192.168.0.254, proto TCP, ports 1 – 65534, always

This prevents any services on the main LAN from being accessed, and blocks pings as well, so guests on the guest subnet can only reach your main router (192.168.0.1), for DNS lookups and whatever traffic that router permits to pass through.
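To check what those three rules actually match, here is a small rule evaluator written for this post (not code from the author or from D-Link) that models the guest router’s drop rules with the addresses above and evaluates constructed sample packets against them, alongside the post’s earlier requirement that the guest router’s WAN IP sit outside the private LAN. The first-match semantics and the treatment of ICMP as portless are assumptions about the DWL-G730AP, not documented behaviour.

```python
import ipaddress

# Addresses from the post: private LAN 192.168.0.0/24 with the Netgear at .1,
# guest clients on 10.10.10.100-200 behind the DWL-G730AP.
PRIVATE_LAN = ipaddress.ip_network("192.168.0.0/24")
GUEST_SRC = (ipaddress.ip_address("10.10.10.100"), ipaddress.ip_address("10.10.10.254"))
LAN_DST = (ipaddress.ip_address("192.168.0.2"), ipaddress.ip_address("192.168.0.254"))
PORTS = (1, 65534)  # exactly as listed in the post's three rules

# The three "Drop ... always" rules, one per protocol, in the order the post lists them.
RULES = [{"proto": p, "src": GUEST_SRC, "dst": LAN_DST, "ports": PORTS, "action": "drop"}
         for p in ("ICMP", "UDP", "TCP")]


def guest_wan_is_separate(wan_ip):
    """The post's first requirement: the guest router's WAN address must not sit on
    the private LAN, otherwise every guest NATs out looking like a private-LAN host."""
    return ipaddress.ip_address(wan_ip) not in PRIVATE_LAN


def _in_range(addr, rng):
    lo, hi = rng
    return lo <= addr <= hi


def verdict(src, dst, proto, dport=None):
    """Evaluate a packet against RULES in order, first match wins (assumed semantics).
    Returns 'drop' on a match, otherwise 'allow' (the router's default for LAN->WAN).
    ICMP carries no port, so the port range is ignored for it (also assumed)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if rule["proto"] != proto:
            continue
        if not (_in_range(src, rule["src"]) and _in_range(dst, rule["dst"])):
            continue
        if proto != "ICMP" and not (rule["ports"][0] <= dport <= rule["ports"][1]):
            continue
        return rule["action"]
    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic: guest 10.10.10.150 talking to a private server,
    # to the Netgear for DNS, and to an internet host (TEST-NET-3 address).
    checks = [("192.168.0.10", "TCP", 445), ("192.168.0.10", "ICMP", None),
              ("192.168.0.1", "UDP", 53), ("203.0.113.10", "TCP", 443),
              ("192.168.0.10", "TCP", 65535)]
    for dst, proto, port in checks:
        print(f"10.10.10.150 -> {dst} {proto}/{port}: {verdict('10.10.10.150', dst, proto, port)}")
```

As written, the ranges leave TCP/UDP port 65535 and guest addresses below 10.10.10.100 outside the match, so widening the source to all of 10.10.10.0/24 and the port range to 65535 makes the block complete.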

4 THOUGHTS ON “ADD A GUEST SUBNET ON YOUR LAN”

kandiamo
SEPTEMBER 18, 2011 AT 10:24 PM

Two days of web searching and reading about approximate configurations … and THIS is what I was looking for. Thank YOU!

Landlord DHCP wireless gateway downstairs linked to phone/TV/ethernet PC, wanted isolated wireless guest network upstairs for his tenants to share his internet connection but keep his family’s usage private. I think your plan will work for us. Thanks.

Geoff
JANUARY 22, 2012 AT 12:05 AM

Thanks for the post. However you might not be as well protected as you think. While it’s possible that Windows will block File Sharing between your 192.168.0.x private LAN and your guest 10.10.10.x LAN, I think you will find that the two networks can still talk to each other. E.g. from a guest machine on the 10.10.10.x subnet try pinging a machine on the 192.168.0.x subnet. I think you will see it will find it just fine.

So while basic file sharing may be blocked, that won’t stop something like telnet/ftp or a virus/trojan from accessing files & data on your private LAN. I believe the only way to ring-fence two LANs is by using 3 routers.

Netgear’s “Multi-Homing” does not segregate the two subnets – in fact it does the opposite, it effectively ‘pools’ the subnets together! This is opposite to the “VLAN”s offered by some other manufacturers (e.g. Draytek).

Thanks.

hausman
JANUARY 22, 2012 AT 10:28 AM

Thanks Geoff, I’ll try it and see what happens.

hausman
JANUARY 22, 2012 AT 12:34 PM

You were right, though I was initially unable to ping from one network to the other. So I did a little digging. I apparently got wise to this at some point (after I posted) and added firewall rules to the pocket router to drop traffic between the subnets. You’re right, normally the two networks can see each other but with proper router management this risk can be mitigated. I’ll update my original post to reflect these changes.

COMMENTS ARE CLOSED.