#StandWithUkraine
Andrey “Rarst” Savchenko —  — Hardware — dlink, lan, network, security, wifi, wireless

Guest zone for secure public Wi-Fi separate from LAN

Quantity of wireless access points is booming (in some places faster than in others, but still). I have covered my wireless router and it is perfect for my own use.

But other than personal use there is often need for public Wi-Fi access to Internet, that is safely separated from internal and private network. Some SOHO wireless routers started to include feature for that called guest zone.

What it does

Guest zone essentially creates separate network space. Computers connecting through guest zone will have access to router’s Internet connection, but no access to other PCs on LAN.

Usually there is also option to isolate guest clients from each other.

dlink_guest_zone

dlink_guest_zone

Setup

  1. First you need a router that has guest zone feature. I tested it on D-Link DIR-320 (curiously my DIR-400 doesn’t have it) so all settings are according to that model.
  2. Set up regular settings as usual, they are not connected to or affect guest zone usage.
  3. Locate guest zone settings, for D-Link they are in Advanced tab of administration interface.
  4. Enable guest zone for wireless interface (can also include LAN ports) and give it a name (SSID), it must be different from main SSID – they will co-exist nicely.
  5. Set up router’s IP for guests. For main this is usually 192.168.0.1 so for guests it should be something else like 192.168.1.1. DHCP will assign IPs from this zone to guest.
  6. Set up security for guest connections according to your requirements.
  7. You can set guest zone to only be active on schedule in specific hours.
  8. Don’t forget to save settings when done and wait for router to apply them.
  9. You can also restrict bandwidth guest zone can consume in traffic management.

Done. Router will now maintain two wireless networks at the same time. Native will act as part of regular LAN and guest zone will only have Internet access, but nothing more.

Overall

There are multiply ways to secure and set up public Wi-Fi access. Many of them require highly functional, but complex and expensive hardware. Guest zone feature is perfect replacement when number of connecting computers is low and can be found in relatively inexpensive SOHO routers.

Related Posts

11 Comments

  • Jim Sefton #

    Guest zones are an interesting idea but I'm not sure I need them in the home. Everyone I invite into my home I trust to use the main wifi and everyone else I really don't trust. For businesses it is worse though, as they can get into trouble if people use their network for illegal activity. Not sure now the big boys (starbucks etc) deal with that, but I know there have been several court cases that would certainly put me off providing a wifi network (as a business)

  • Rarst #

    @Jim It's one thing to trust people and another to trust their computers to not be infected with viruses. :) For businesses it boils down to how is everything set up. Even DIR-320 can be quite precise with schedule, bandwidth limitation and signal power to limit access to small controlled area. Of course there are risks, but WiFi is desirable service where long waits are involved and guest zone is a good way to make it convenient and secure on low budget.

  • Jim Sefton #

    Yes you are right, although what are these viruses you speak of, I run a Mac? ;) Out of interest, if you were to provide a guest network as a service would you rely on something like this or would you use a more hardened firewall system to force everything through port 80 and a few choice other ports (to prevent torrents, for example)... or am I being a little over paranoid?

  • Rarst #

    @Jim Would you be naive enough to assume that Macs have no viruses? :) Google it. If it was my personal responsibility I'd probably go with dedicated access point and hardware firewall (plus hardware AP manager if selling access) to have more options and accommodate for a large connections possibility. But some require just "cheap but secure" and guest zone is about perfect fit in such cases.

  • Jim Sefton #

    Geez Rarst, I guess sarcasm didn't come over too well on comment? ;) I know Macs are vulnerable too, and I also know the main reason we have a lot less is we are a smaller market share ans a such virus writers would rather spend their time "coding" for Windows :) Anyway, back on topic, I'd agree for a guest zone on a home network it fits well. I have just got a DLink for the first time, always had Netgear before and am impressed so far. My Airport Extreme also has the guest network facility. Too early to tell which is the better option though, if any. All I need now is some friends to come try it out, LOL :)

  • Rarst #

    @Jim Sorry, I only had few frantic minutes to go over comments in the morning. My bad. :) I quite like D-Link hardware lately. It gets some bad feedback online, but I suspect that is mostly form people overloading and overusing it. For normal usage it is quite stable and affordable in my experience.

  • SpaceCadet0 #

    What is this "5.Set up router’s IP for guests"? My DIR-655 has guest zone but does not have option for setting up a separate DHCP for guest zone, it uses the main DHCP to assign IP to guest. From your post, it seems like with the DIR-320, you have 2 DHCP's configurable from the same router, can anyone with a DIR-320 confirm this?

  • Rarst #

    @SpaceCadet0 Yep, you can specify completely separate IP zone and mask for guests. I do not think I have experience with DIR-655, but I do know that when I last checked DIR-320 was somewhat specialized in this regard and had most flexible guest zone settings, comparing to other D-Link routers of this category.

  • Oliver Newell #

    Does Guest Zone support Nexxt 300Mbps Wlss Solaris300 RouterN 110/220V. If not what is supported by this router to create a controlled Hotspot. I would like to use the hotspot to derive income e.g. selling time codes to use the internet.

  • Rarst #

    @Oliver Newell What you want is way more complex that SOHO-class routers are capable of. I know there are more complex (and expensive) devices for selling access, but I have no hands-on experience with such.

  • don #

    nice info.. found this afterward and it found ith useful a number of dlink emulators (lets you check out what you can set up on each) http://www.dlink.com/ca/en/home-solutions/support/faqs/access-points-range-extenders/does-d-link-provide-an-emulator-simulator-for-my-device