EAP Guest Network functionality
EAP670 hw 1.0, fw, 1.0.14
NOT using controller
My network consists of multiple vlans and local dns server. Firewall handles routing dns traffic to dns server from different vlans.
One of the ssid's on the eap670 is defined with guestmode enabled. My understanding is this is support to block private ip traffic (ie rfc1918), allowing only internet bound traffic.
As such, it's still allowing traffic to pass to the local gateway ip assigned by dhcp to wireless client.
In addition, it's also allowing rfc1918 udp port 53 traffic (dns). Is this by design? If so, is there a more detailed definition of what kind of traffic guest mode actually blocks? Is there other traffic it's allowing (ie NTP)?
Thanks!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
If the DNS server is blocked, the guest clients won't be able to resolve domain names to IP addresses, which is a crucial part of accessing the internet.
To be more specific: The guest network SHOULD be able to access the DNS server in the private LAN, just like it can access the DHCP server.
To avoid it, you can configure a public DNS server for the guest network, such as 8.8.8.8.
- Copy Link
- Report Inappropriate Content
Hi @das1996
With the guest network enabled, clients connecting to the guest wifi won't be able to access any private IP traffic.
But there is an exception: the guest network won't take effective if you are using IPv6 address.
- Copy Link
- Report Inappropriate Content
@Vincent-TP I beleive you're mistaken as traffic such as dns and arp does pass to rfc1918 subnets.
- Copy Link
- Report Inappropriate Content
Hi @das1996
How did you notice that? If you have captured some packets, please send them to TP-Link support via email and please also include this forum link, as well as the settings page of the guest wifi.
- Copy Link
- Report Inappropriate Content
@Vincent-TP I noticed this by the fact that clients on said SSID can access a DNS server residing on a private ip. If all private IP traffic is blocked, this should not be possible.
- Copy Link
- Report Inappropriate Content
Hi @das1996
Did you configure the DNS server IP address as this private IP address when you configure DHCP server?
If yes, the clients connecting to the guest SSID will request a DNS server from this IP address.
That's it, it won't be able to access any private IP address.
- Copy Link
- Report Inappropriate Content
@Vincent-TP The dns server has an ip of 10.10.100.2 which falls within the range of rfc1918 - https://datatracker.ietf.org/doc/html/rfc1918#section-3
By all accounts, this (port 53 udp to private ip range) traffic SHOULD be blocked but isn't because I can see dns lookup requests on dns server coming from client connected to SSID with guest mode enabled.
It is blocking tcp/443 traffic to private ip but NOT dns.
How can I make this more clearer?
- Copy Link
- Report Inappropriate Content
If the DNS server is blocked, the guest clients won't be able to resolve domain names to IP addresses, which is a crucial part of accessing the internet.
To be more specific: The guest network SHOULD be able to access the DNS server in the private LAN, just like it can access the DHCP server.
To avoid it, you can configure a public DNS server for the guest network, such as 8.8.8.8.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 323
Replies: 7
Voters 0
No one has voted for it yet.