this post was submitted on 04 Mar 2024
69 points (94.8% liked)

Selfhosted

40462 readers
450 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I am worried that there is not really a benefit of doing that, just more noise and energy consumption.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 46 points 9 months ago* (last edited 9 months ago) (3 children)

Energy consumption is essentially the same, as it's using the same radios.

For what it's worth, I have several SSIDs, each on a separate VLAN:

  • my main one
  • Guest. Has internet access but is otherwise isolated - Guest devices can't communicate with other guest devices or with any other VLANs.
  • IoT Internet: IoT and home automation devices that need internet access. Things like Ecobee thermostat, Google speakers, etc
  • IoT No Internet: Home automation stuff that does not need internet access. Security cameras, Zigbee PoE dongle (SLZB-06), garage door opener, ESPHome devices, etc

(to remotely access home automation stuff, I use Home Assistant via a Tailscale VPN)

Most of these have both 2.4Ghz and 5Ghz enabled, with band steering enabled to (hopefully) convince devices to use 5Ghz when possible.

This is on a TP-Link Omada setup with 2 x EAP670 ceiling-mounted access points. You can create up to 16 SSIDs I think.

[–] [email protected] 5 points 9 months ago (3 children)

Guest devices can't communicate with other guest devices

How do you accomplish this isolation since they're on the same subnet/broadcast domain? Is it a feature of the hardware you're using?

[–] [email protected] 9 points 9 months ago (1 children)

A lot of access points, even consumer-grade ones, have this option. It's usually accomplished via predefined firewall rules on the access points themselves.

Consumer-grade access points usually let you have just one isolated guest network, whereas fancier ones (Omada, Unifi, Ruckus, Aruba, etc) usually let you enable isolation for any SSID (ie the "guest network" is no different from any other SSID)

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (3 children)

Isolated guest networks I get, but isolating guests from other guests on the same subnet/isolated net is what I haven't seen.

[–] [email protected] 2 points 9 months ago

The APs know who the Wi-Fi clients are and just drops traffic between them. This is called client/station isolation. It’s often used in corporate to 1) prevent wireless clients from attacking each other (students, guests) and 2) to prevent broadcast and multicast packets from wasting all your airtime. This has the downside of breaking AirPlay, AirPrint and any other services where devices are expected to talk to each other.

[–] [email protected] 2 points 9 months ago

If there's an option on the AP to not permit link local routing within a vlan/ssid, that will force all traffic up to the firewall. Then you can block intrazone traffic at the firewall level for that vlan.
I've seen this in Meraki hardware where it's referred to as "client isolation". Ubiquiti might be able to do this too.

[–] [email protected] 1 points 9 months ago

I used to have a Netgear Nighthawk router/AP I bought from Costco, and if I remember correctly, its guest network automatically isolated guests from other guests. This router didn't support VLANs so I think it was just a bunch of firewall rules.

[–] [email protected] 1 points 9 months ago (1 children)
[–] [email protected] 0 points 9 months ago (2 children)

I'm not seeing anything there that says guests can't see other guests - quite the opposite.

guests connected to your Hotspot Portal will be isolated from all other networks except the one they are assigned to.

Guests on this network are able to access the internet, and communicate with the UniFi gateway to obtain a DHCP lease and resolve names using DNS

I suppose a switch could be configured to prevent traffic going to other ports, which is how I would assume this would have to be done. This functionality would have to exist in the access point, I guess?

Does UniFi have a feature to isolate devices from each other on the same subnet? Seems like it would require some kind of Layer 2 routing?

[–] excitingburp 2 points 9 months ago (1 children)

It does. I have it enabled and tested. "Client Device Isolation." It's enabled per SSID.

[–] [email protected] 0 points 9 months ago

Oh, neat. I'll have to look into it.

Thanks!

[–] AustralianSimon 1 points 9 months ago

Unifi out of the box settings.

[–] excitingburp 2 points 9 months ago

Ooh I like the idea of "no Internet." I do trust all of those devices (open source), but they could still be pwned.

[–] [email protected] 2 points 9 months ago (4 children)

That was an amazing read. Thank you.

What do you say is the use case for separating guest Wi-Fi with the more "private" stuff on your network?

As far as I understand... Basically all communications, even inside a network, are encrypted... So I guess you do that to avoid someone trying to exploit some vulnerability?

[–] [email protected] 12 points 9 months ago* (last edited 9 months ago)

Basically all communications, even inside a network, are encrypted

LOL, oh no.

Even internet traffic isn't encrypted by default.

Sadly TCP/IP isn't encrypted.

[–] [email protected] 6 points 9 months ago (1 children)

I think the main benefit is that Guests devices on your network can't find and exploit your own devices.

[–] [email protected] 1 points 9 months ago (1 children)

If you don't trust the person, why give them access to your WiFi in the first place?

[–] osprior 8 points 9 months ago

You can trust the person, without trusting their technical skills, such that they haven't inadvertently installed malware on their own devices.

[–] AA5B 3 points 9 months ago

Remember that once you give the password out, they likely have the password from now on. They will always have access until you change the password.

No, a lot of local traffic is not encrypted, especially residential. No, residential probably doesn’t use much authentication or separation of privileges.

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago)

I don't want my guests to be able to access my home server or Omada controller for example, or spread malware (their phone may have malware without them even knowing). Also, I give the guest wifi to people other than friends, like contractors. Phone reception is horrible at my house so I give them the wifi so they can use wifi calling.