Posted: Thu Jul 16, 2020 13:48 Post subject: Guest Network - most secure config
I've been trying to set up a virtual guest network in a secure way, following guides around creating bridges etc., but whenever I do so I can no longer connect via the guest virtual network.
In general, I *do* recommend that you use bridges when creating virtual wireless connections. It just makes it easier to deal w/ situations where eventually you decide to bridge it w/ other physical/virtual wireless connections or wired connections (e.g., you don't have to rewrite the firewall rules). But if you don't anticipate that ever happening, it's not strictly necessary. You can just reference the virtual network interface directly and keep it simple.
IOW, the use of bridges is NOT inherently more safe/secure than referencing the actual network interfaces. It's more a matter of convenience than anything else.
So simply setting up a virtual network is safe enough?
I'm wanting to use it for smart devices and the kid's tablet and mobile. Basically any device I don't completely trust not to be vulnerable at some point due.
If so then I can move on to attempting to tackle the task of limiting bandwidth for the virtual guest network so I'm getting more juice down the line for streaming etc.
As I read your post, it sounded to me as if you had the impression that assigning your virtual wireless network to a bridge was somehow going to make things more secure. IT DOES NOT! Whether you reference the virtual wireless network interface directly (e.g., wl0.1), or assign it to a new bridge (e.g., br1) and reference that instead, it's all the same as far as security is concerned. In either case, you need to create firewall rules that reference one or the other.
What a bridge does is add convenience. For example, suppose I have *multiple* virtual wireless interfaces or even want to add a wired network interface such that they are all configured w/ the same IP network. I can add them all to their own bridge and reference only it (e.g., in creating firewall rules) rather than dealing w/ the individual network interfaces.
Again, there is no security benefit here. And that's why sometimes, esp. in simple configurations, such as adding a virtual wireless network for guests, users will forgo a bridge and just create firewall rules based on that network interface (e.g., wl0.1).
Code:
# no communications between private and guest networks
iptables -I FORWARD -i br0 -o wl0.1 -j REJECT
iptables -I FORWARD -i wl0.1 -o br0 -j REJECT
But if you choose to assign that wireless network interface to a bridge (e.g., br1), all that does is change your references in the same firewall rules.
Code:
# no communications between private and guest networks
iptables -I FORWARD -i br0 -o br1 -j REJECT
iptables -I FORWARD -i br1 -o br0 -j REJECT
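The two rule sets above differ only in the interface they reference, which the following script makes explicit. It is an added example, not code from the thread or from DD-WRT itself: the interface names (wl0.1, br1, br0) are passed in as arguments, and, going a step beyond the thread, it also restricts what the guest interface may reach on the router itself (only DHCP and DNS), which is an assumption about the wanted policy rather than anything the thread states. By default it only prints the commands so they can be reviewed; the "apply" mode runs them.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT. Emits (or, with
# "apply", runs) the iptables rules that isolate a guest wireless interface
# from the private LAN in a *routed* configuration. The interface names are
# assumed; whether the guest side is wl0.1 (unbridged) or br1 (bridged)
# changes only the references, never the rules.
#
#   guest_isolation_rules <guest_if> <private_if> [print|apply]

guest_isolation_rules() {
    guest="$1"            # e.g. wl0.1 or br1 (assumed names)
    private="$2"          # e.g. br0
    mode="${3:-print}"

    # Every rule is inserted with -I, so the LAST command issued ends up FIRST
    # in the chain. The INPUT DROP is therefore issued before the DHCP/DNS
    # ACCEPTs, so that the ACCEPTs are evaluated ahead of it at run time.
    rules=$(cat <<EOF
iptables -I FORWARD -i $private -o $guest -j REJECT
iptables -I FORWARD -i $guest -o $private -j REJECT
iptables -I INPUT -i $guest -j DROP
iptables -I INPUT -i $guest -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $guest -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $guest -p tcp --dport 53 -j ACCEPT
EOF
)
    case "$mode" in
        print)
            printf '%s\n' "$rules" ;;
        apply)
            # Here-doc rather than a pipe, so "return" leaves the function.
            while IFS= read -r cmd; do
                $cmd || { echo "failed: $cmd" >&2; return 1; }
            done <<EOF
$rules
EOF
            ;;
        *)
            echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Sanity check for the thread's point: the rule set is the same size whether
# the guest interface is referenced directly or through a bridge.
same_rule_count() {
    a=$(guest_isolation_rules wl0.1 br0 | wc -l)
    b=$(guest_isolation_rules br1 br0 | wc -l)
    [ "$a" -eq "$b" ]
}

guest_isolation_rules "${1:-wl0.1}" "${2:-br0}" "${3:-print}"
```

Pasted into the DD-WRT firewall script with "apply", the function reproduces the manual rules from this post plus the router-access restriction. As noted later in the thread, this only works in a routed setup: on a WAP the guest traffic never passes through the router's FORWARD chain on its way to the upstream router, so these rules cannot separate the guest and private networks there.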
Yes, I had always assumed that depending on whether you configured the virtual wireless network interface as bridged or unbridged, Net Isolation would ultimately create one or the other set of rules as I described above. My manual firewall rules are more to make clear what's happening, and using the Net Isolation option to obtain the same effect is probably preferred.
But as you know, I'm old school. And I don't fully trust those additional settings, particularly when dealing w/ any non-routed configuration (e.g., WAP). If you decide to configure a WAP, then add a virtual wireless network interface for guests, those auto-generated rules are worthless since you can't deny access from the guest network through the private network and still gain internet access.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Jul 18, 2020 8:21 Post subject:
eibgrad wrote:
Thanks for the clarification egc.
Yes, I had always assumed that depending on whether you configured the virtual wireless network interface as bridged or unbridged, Net Isolation would ultimately create one or the other set of rules as I described above. My manual firewall rules are more to make clear what's happening, and using the Net Isolation option to obtain the same effect is probably preferred.
But as you know, I'm old school. And I don't fully trust those additional settings, particularly when dealing w/ any non-routed configuration (e.g., WAP). If you decide to configure a WAP, then add a virtual wireless network interface for guests, those auto-generated rules are worthless since you can't deny access from the guest network through the private network and still gain internet access.
That's why there are always caveats to using the GUI. The GUI works in *most* cases for typical configurations (usually routed). But as we all know, it's commonplace around here for ppl to create all kinds of configurations in which the GUI will fail you because of its assumptions. Just keep that in mind.