Testing Wireless Guest Networks
Overview
What is ‘guest’ mode with regard to a CPE?
Although no standards body or public specification defines what guest mode means, there is an accepted de facto definition. Guest mode may be defined as allowing ‘guest’ devices (laptops, tablets, phones, etc.) to connect to a LAN network with the purpose of getting a connection to the Internet without exposing or allowing access to other devices on that same LAN.
The typical guest mode use case is to allow a separate connection point (usually wireless) for guests to connect their device to an existing home or business network. The guest device is allowed access out the WAN interface to the Internet, but not allowed access to any resources on the LAN. LAN resources include both wired and wireless devices and/or systems (e.g., printers, servers, game consoles, etc.).
Typical Guest Mode Scenario

The dashed lines in the diagram signify that those devices can ‘see’ each other. This means they can ping each other, send IP traffic to each other, request services from each other, and generally communicate with each other. Notice, however, that devices on the main LAN and guest LAN cannot ‘see’ each other.
NOTE: Some CPE devices also support a mode sometimes called ‘wireless isolation’. This feature additionally ensures that different devices connected to the guest LAN cannot ‘see’ each other. The CDRouter guest modules do not include tests to verify the behavior for this mode.
Guest Module Requirements
Although ‘guest’ networks are most often encountered in WiFi environments, CDRouter can test a CPE’s guest mode operation over Ethernet or wireless interfaces if your CPE supports it.
Two modules are available to test your CPE’s guest mode operation:
- guest.tcl (15 test cases) for IPv4 LAN clients
- guest-v6.tcl (12 test cases) for IPv6 LAN clients
In order to run the guest modules, you will need to have the Multiport expansion licensed for your CDRouter system and have at least three (3) test network interfaces defined. This is because the test cases require that at least two (2) LAN interfaces and one (1) WAN interface are defined. The IPv6 guest module also requires a license for the IPv6 expansion.
As mentioned above, a configuration will need two LAN interfaces defined. Typically, one represents the main LAN and the other represents the guest LAN. The most common configuration defines the guest LAN on a wireless interface, but the tests will also work if the guest LAN is wired.
You will need to set the lanGuestMode testvar to yes on the LAN interface designated as a ‘guest’ network. CDRouter will automatically create new DHCP clients on this interface as needed when running the guest mode test cases.
Typical CDRouter configuration
Below is a portion of a CDRouter configuration file for a typical IPv4 guest mode setup. The ‘Base Configuration’ section defines the CPE’s primary LAN network on the wifi4-ax56 interface with SSID ‘CPE_WiFi’. The guest network is defined in the lan2 testvar_group under the ‘CDRouter Multiport Expansion’ section of the config file using the wifi6-ax56 interface and SSID ‘CPE_WiFi_Guest’.
In this particular example, both networks are defined with lanSecurity set to NONE so that any client can connect without a password. However, any security mode supported by your CPE may be used for either network. See Configuring Wireless LAN Interfaces for details on how to enable WPA and other WiFi security settings.
SECTION "Base Configuration" {
    SECTION "WAN" {
        SECTION "WAN Interface" {
            testvar wanInterface eth2
            testvar wanMode DHCP
        }
    }
    SECTION "LAN" {
        SECTION "LAN Interface" {
            testvar lanInterface wifi4-ax56
            testvar lanMode DHCP
            testvar lanSecurity NONE
        }
        SECTION "802.11 Wireless" {
            testvar lanSSID CPE_WiFi
        }
    }
}
[...]
SECTION "CDRouter Multiport Expansion" {
    SECTION "Additional LAN Interface Setup" {
        testvar_group lan2 {
            SECTION "IPv4 LAN" {
                SECTION "LAN Interface" {
                    testvar lanInterface wifi6-ax56
                    testvar lanMode DHCP
                    testvar lanSecurity NONE
                    testvar lanGuestMode yes
                }
                SECTION "802.11 Wireless" {
                    testvar lanSSID CPE_WiFi_Guest
                }
            }
        }
    }
}
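A pre-flight check for the interface requirements described above, as an added example that is not part of CDRouter or the original page. The function names parse_testvars and guest_preflight are hypothetical, the sample config is constructed (interface names taken from the page), and the code assumes that SECTION blocks only group testvars and that a LAN without lanGuestMode is a normal LAN.

```python
import re

# Constructed sample in the layout of the page's example (interface names from the page).
SAMPLE = """
SECTION "Base Configuration" {
    testvar wanInterface eth2
    testvar lanInterface wifi4-ax56
}
SECTION "CDRouter Multiport Expansion" {
    testvar_group lan2 {
        testvar lanInterface wifi6-ax56
        testvar lanGuestMode yes
    }
}
"""

def parse_testvars(text):
    """Return {group: {testvar: value}}; testvars outside a testvar_group go under 'base'."""
    groups, stack = {"base": {}}, []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"testvar_group\s+(\S+)\s*\{$", line):
            stack.append(m.group(1))
            groups.setdefault(m.group(1), {})
        elif line.endswith("{"):
            stack.append(None)  # SECTION block: treated as grouping only (assumption)
        elif line == "}" and stack:
            stack.pop()
        elif m := re.match(r"testvar\s+(\S+)\s+(.+)$", line):
            group = next((g for g in reversed(stack) if g), "base")
            groups[group][m.group(1)] = m.group(2)
    return groups

def guest_preflight(text):
    """List unmet guest-module requirements; a LAN without lanGuestMode counts as non-guest."""
    groups = parse_testvars(text)
    lans = {g: v for g, v in groups.items() if "lanInterface" in v}
    guests = [g for g, v in lans.items() if v.get("lanGuestMode", "no").lower() == "yes"]
    ifaces = {v["lanInterface"] for v in lans.values()} | {groups["base"].get("wanInterface")}
    problems = []
    if len(lans) < 2:
        problems.append("need two LAN interfaces (main and guest)")
    if len(ifaces - {None}) < 3:
        problems.append("need three distinct test interfaces (2 LAN + 1 WAN)")
    if not guests:
        problems.append("no LAN has lanGuestMode set to yes")
    elif len(guests) == len(lans):
        problems.append("every LAN is a guest LAN; no main LAN to isolate from")
    return problems
```

An empty list means the config defines a WAN, a main LAN and a guest LAN on three distinct interfaces; it does not check licensing or that the CPE itself has guest mode enabled.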
Guest Test Results
In our own testing, we found that test results vary from CPE to CPE, because each CPE vendor may implement guest mode differently. We discovered several different techniques for implementing guest mode. In the next section, we go over some of the more common techniques and the types of results that can be expected for each.
- Single LAN segment with Layer-2 segregation techniques
- Single LAN segment with Layer-3 segregation techniques
- Single LAN segment with Web Authentication
- Using two distinct LAN segments
Layer-2 Segregation Techniques
CPEs with this type of implementation usually prevent network traffic from traversing between main and guest LANs with some sort of MAC address filtering. At a high level, they prevent frames with certain MAC addresses from being sent between devices on the main LAN and devices on the guest LAN.
These CPEs will pass the tests that ensure ARPs are not broadcast between the LANs, but will likely fail the tests that check for IP connectivity when the ARP entries are statically configured.
Layer-3 Segregation Techniques
CPEs with this type of implementation usually prevent network traffic from traversing between main and guest LANs with some sort of IP address filtering/firewall. At a high level, they prevent packets with certain IP addresses from being sent between devices on the main LAN and devices on the guest LAN.
These CPEs will likely not pass the tests that ensure ARPs are not broadcast between the LANs, but will likely pass tests that check that UDP/TCP/IP traffic is not received by the clients on each LAN.
Web Authentication
Some CPEs will use a more interactive mechanism for guest mode where they expect a user to open a web browser on the device they connect to the guest LAN and enter credentials in the web page that is presented to them.
The CDRouter guest tests cannot replicate the user interaction (opening a browser and entering credentials), so these CPEs are not ideal to run against the guest module.
Distinct LAN Segments
There are also some CPE vendors that treat the guest LAN as a completely different LAN segment. The guest LAN will often have its own DHCP server to give out IP addresses that are on a different segment than the DHCP server on the main LAN.
These CPEs seem to be the ones that often pass most of the tests in the guest modules, because they do a combination of both Layer-2 and Layer-3 segregation of the guest LAN from the main LAN.