AP>Wireless SSID>Guest Protect

Just updated to the latest 8.1 Firmware and I’m setting up a brand new Surf SOHO.

Noticed a new subsection under AP>Wireless SSID called Guest Protect. There is a new option to tick called ‘Block All Private IP’ which I’ve not seen before, with custom subnets and block exceptions. I’ve no idea what this section is/does and there’s no help to click on. I’ve searched for a bit but haven’t managed to locate anything so if someone could assist I’d love to learn!

Thanks all!

Brill, the guest protect feature is not new, although it might be in a different place you haven’t seen before. Private IP ranges (your LAN) are supposed to be in certain IP ranges. Those IP ranges are not permitted to exist on the public internet. Its to prevent you having a LAN address that also exists as a public external IP.

The Guest Protect feature blocks access to your LAN. Connected devices can exchange data with your gateway (the Surf SOHO) to gain access to the internet, but they cannot talk to other devices on the LAN. Thats typically something you want on a guest SSID.

Block all private IP blocks all the designated private IP ranges as shown here:

If your SOHO is not connected to other networks via VPN, enabling guest protect alone is enough. The use case for block all private IP is when you have other locations connected by VPN, and you want to block guest access to those remote networks. Of course that assumes the remote networks are using one of the known private IP ranges in the Wiki.

Block exceptions would allow your guests access to specific device, but not the remainder of the LAN.

2 Likes

Thanks for your reply @Don_Ferrario. Yeah I’ve not noticed it until now. I obviously wasn’t paying attention! Ha ha

I’m struggling to understand this actually… Please excuse my idiocy. I can see why it would be desirable in my situation, with no VPN, to block private IP address ranges from the WAN side. But why would this particular setting be under the wireless SSID section and not the firewall? Or have I misunderstood?

I have already blocked outbound access for the internal networks, out to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 subnets in the firewall rules. If I ticked the option, did I not need to create these firewall rules? I’m wondering what this setting gives me in addition to what I already have.

Or have I been barking up the wrong tree and does it just relate to when the Wi-Fi is being used as the WAN?

Having the option on the SSID allows you apply the block only to wiif clients using that particular SSID. In our business we have a Guest SSID and an Internal SSID. By applying guest protect only to the SSID I am protecting our LAN devices only from persons using the Guest SSID. You can do this with VLANs but its a whole lot less work to check that guest protect box.

If those subnets don’t exist on our LAN and you have no VPN, I’m not sure what it accomplishes to block access to those private IP subnets, or to use the block all private IP option. Your users can’t get to them anyway because those ranges don’t exist directly on the internet. These are ranges that exist only on other LANs.

This has nothing to do with Wifi as WAN. Its all about blocking certain of your local users from your LAN, while allowing other wifi users more access.

In addition to what @Don_Ferrario has said … Have you ever been in a hotel and used a utility (there are many out there) to see what other clients your device sees? Ideally, you want to see no-one and you don’t want others to be able to see you. There should be, in essence, a partition between all users and the users should be able to get out through the gateway to the internet – only. That’s Don’s objective for his business’ guest network and Peplink has made it easy to do this – just check that box. Mission accomplished. Yes, you can certainly do the same thing with the firewall. But why?

Thanks to both of you for clarifying this. If only Peplink had documented this in the manual, or with a help pop up, it might have saved me from asking. Appreciate the help.

I think I understand now. Already used VLANs to achieve this, with inter-VLAN routing disabled under the VLAN section, as well as enabling Layer 2 Isolation under the SSID section. I’m guessing therefore that I don’t need to use the ‘SSID Guest Protect’ feature…

I should add at this point that Michael Horowitz’s guide at https://routersecurity.org/SurfSOHOinitialconfiguration.php#FirewallRules has been an invaluable resource, so thanks also to Michael for this awesome site. This was where I saw the suggestion to block outbound access to the private address ranges, which my clients don’t need.

1 Like