How can I test the guest mode of my CPE?

Overview

What is ‘guest’ mode with regard to a CPE?

Although no standards body or public specification defines what guest mode means, there is an accepted de facto definition. Guest mode may be defined as allowing ‘guest’ devices (laptops, tablets, phones, etc.) to connect to a LAN for the purpose of getting a connection to the Internet, without exposing or allowing access to other devices on that same LAN.

The typical guest mode use case is to allow a separate connection point (usually wireless) for guests to connect their device to an existing home or business network. The guest device is allowed access out the WAN interface to the Internet, but not allowed access to any resources on the LAN. LAN resources include both wired and wireless devices and/or systems (e.g., printers, servers, game consoles, etc.).

Typical Guest Mode Scenario

The dashed lines in the diagram signify that those devices can ‘see’ each other. This means they can ping each other, send IP traffic to each other, request services from each other, and generally communicate with each other. Notice, however, that devices on the main LAN and guest LAN cannot ‘see’ each other.

NOTE: Some CPE devices also support a mode sometimes called ‘wireless isolation’. This feature additionally ensures that different devices connected to the guest LAN cannot ‘see’ each other. The CDRouter guest modules do not include tests to verify the behavior for this mode.

Guest Module Requirements

CDRouter introduced two new modules as part of the Multiport expansion to help verify the proper operation of the ‘guest’ mode of a CPE, most likely a wireless residential gateway/router.

The IPv4 guest module, guest.tcl, has 11 test cases. The IPv6 guest module, guest-v6.tcl, has 9 test cases.

In order to run the guest modules, you will need to have the Multiport expansion licensed for your CDRouter system and have at least three (3) test network interfaces defined. This is because the test cases require that at least two (2) LAN interfaces and one (1) WAN interface are defined. The IPv6 guest module also requires a license for the IPv6 expansion.

To support running the guest mode test cases, you will need to set a newly defined testvar lanGuestMode, which was introduced in CDRouter 10.0. This testvar will need to have its value set to yes on the LAN interface you choose to have a ‘guest’ client defined.

As mentioned above, a configuration will need two LAN interfaces defined: typically, one that represents the main LAN and one that represents the guest LAN. The most common configuration defines the guest LAN on a wireless interface, but the tests will also work if the guest LAN is wired.

Typical CDRouter configuration

Below is a portion of a CDRouter configuration file for a typical IPv4 guest mode setup. The main LAN is defined on eth1 and the guest LAN is defined on wlan0. In this particular example, the guest SSID has no wireless security configured, since it is set for an ‘Open’ security mode. However, the guest SSID can have wireless security set, and CDRouter supports this mode of operation as well. The configuration would just need to change to match the security setting of the CPE’s guest SSID.

SECTION "Base Configuration" {

    SECTION "WAN" {

        SECTION "WAN Interface" {

            testvar wanInterface                     eth2
            testvar wanMode                          DHCP

    SECTION "LAN" {

        SECTION "LAN Interface" {

            testvar lanInterface                     eth1
            testvar lanMode                          DHCP

[...]

    SECTION "CDRouter Multiport Expansion" {

    SECTION "Additional LAN Interface Setup" {

        testvar_group lan2 {

            SECTION "IPv4 LAN" {

                SECTION "LAN Interface" {

                    testvar lanInterface                     wlan0
                    testvar lanMode                          DHCP
                    testvar lanSecurity                      NONE
                    testvar lanGuestMode                     yes

                SECTION "802.11 Wireless" {

                    testvar lanSSID                          CPE_Guest
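
A pre-flight check for the requirements listed above (one WAN interface, at least two LAN interfaces, lanGuestMode set to yes on one of them), as an added example that is not part of the original article or of CDRouter. The parser handles only the SECTION / testvar / testvar_group lines shown in the fragment; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the layout of the fragment above, with closing braces added.
SAMPLE = """
SECTION "Base Configuration" {
    testvar wanInterface   eth2
    testvar wanMode        DHCP
    testvar lanInterface   eth1
    testvar lanMode        DHCP
}
testvar_group lan2 {
    SECTION "LAN Interface" {
        testvar lanInterface   wlan0
        testvar lanGuestMode   yes
    }
}
"""

OPEN = re.compile(r'^(?:SECTION\s+"[^"]*"|testvar_group\s+(\S+))\s*\{$')
VAR = re.compile(r'^testvar\s+(\S+)\s+(.+)$')

def parse_testvars(text):
    """Return {group: {testvar: value}}; testvars outside any testvar_group land in 'main'."""
    groups, stack = {"main": {}}, []
    for line in map(str.strip, text.splitlines()):
        if (m := OPEN.match(line)):
            stack.append(m.group(1))          # None for a plain SECTION
        elif line == "}" and stack:
            stack.pop()
        elif (m := VAR.match(line)):
            group = next((g for g in reversed(stack) if g), "main")
            groups.setdefault(group, {})[m.group(1)] = m.group(2)
    return groups

def guest_preflight(text):
    """List the problems that would keep the guest modules from running."""
    groups = parse_testvars(text)
    lans = {g: v for g, v in groups.items() if "lanInterface" in v}
    guests = [g for g, v in lans.items() if v.get("lanGuestMode", "").lower() == "yes"]
    problems = []
    if "wanInterface" not in groups["main"]:
        problems.append("no WAN interface defined")
    if len(lans) < 2:
        problems.append(f"need at least two LAN interfaces, found {len(lans)}")
    if not guests:
        problems.append("no LAN interface has lanGuestMode set to yes")
    elif len(guests) == len(lans):
        # Assumption drawn from the page's main/guest split: one LAN must stay non-guest.
        problems.append("every LAN is a guest LAN; no main LAN to test isolation against")
    return problems

if __name__ == "__main__":
    print(guest_preflight(SAMPLE) or "guest module prerequisites met")
```

An empty list means the configuration meets the prerequisites stated above; it does not check licensing for the Multiport or IPv6 expansions.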

Guest Test Results

It should be noted that in our own testing, we found that test results will vary from CPE to CPE. This is because each CPE vendor may implement their guest mode differently. We discovered several different techniques for implementing guest mode. In the next section, we go over some of the more common techniques and the types of results that can be expected for each.

  • Single LAN segment with Layer-2 segregation techniques
  • Single LAN segment with Layer-3 segregation techniques
  • Single LAN segment with Web Authentication
  • Using two distinct LAN segments

Layer-2 Segregation Techniques

CPEs with this type of implementation usually prevent network traffic from traversing between main and guest LANs with some sort of MAC address filtering. At a high-level, they prevent frames with certain MAC addresses from being sent between devices on the main LAN and devices on the guest LAN.

These CPEs will pass the tests that ensure ARPs are not broadcast between the LANs, but will likely fail the tests that check for IP connectivity when the ARP entries are statically configured.

Layer-3 Segregation Techniques

CPEs with this type of implementation usually prevent network traffic from traversing between main and guest LANs with some sort of IP address filtering/firewall. At a high-level, they prevent packets with certain IP addresses from being sent between devices on the main LAN and devices on the guest LAN.

These CPEs will likely not pass the tests that ensure ARPs are not broadcast between the LANs, but will likely pass tests that check that UDP/TCP/IP traffic is not received by the clients on each LAN.

Web Authentication

Some CPEs will use a more interactive mechanism for guest mode, where they expect a user to open a web browser on the device they connect to the guest LAN and enter credentials in the web page that is presented to them.

The CDRouter guest tests cannot replicate the user interaction (the opening of a browser and entering credentials), so these CPEs are not ideal to run against the guest module.

Distinct LAN Segments

There are also some CPE vendors that treat the guest LAN as a completely different LAN segment. The guest LAN will often have its own DHCP server to give out IP addresses that are on a different segment than the DHCP server on the main LAN.

These CPEs seem to be the ones that often pass most of the tests in the guest modules, because they do a combination of both Layer-2 and Layer-3 segregation of the guest LAN from the main LAN.