How to secure old hardware against WiFi snooping?

Since some of my postings are not welcome or in question, could someone recommend me a better place to ask intermediate network questions? I'll handle the spy drama on my own.

Some questions to which I can't find definitive answers on Google are:
- What is the difference between VLAN isolation and Guest AP isolation? Both technologies appear to perform the same task - isolate. I think Guest AP isolation still allows for ICMP, but VLAN isolation does not. A lot of info suggests setting up a VLAN is less about security and more about traffic type, such as IPTV.
- Does OpenVPN isolate devices better on a local network than WireGuard? OpenVPN works on Layer 2, while WireGuard works on Layer 3.
 
Since some of my postings are not welcome or in question, could someone recommend me a better place to ask intermediate network questions? I'll handle the spy drama on my own.

Try smallnetbuilder.com. Leave out the drama and just talk about what your goal is for your network and what your budget is to accomplish that.

But keep in mind: Ultimately, if you can't change the equipment or behavior of your users (or accept certain sacrifices yourself), none of it will matter.
 
Since some of my postings are not welcome or in question, could someone recommend me a better place to ask intermediate network questions? I'll handle the spy drama on my own.

Some questions to which I can't find definitive answers on Google are:
- What is the difference between VLAN isolation and Guest AP isolation? Both technologies appear to perform the same task - isolate. I think Guest AP isolation still allows for ICMP, but VLAN isolation does not. A lot of info suggests setting up a VLAN is less about security and more about traffic type, such as IPTV.
- Does OpenVPN isolate devices better on a local network than WireGuard? OpenVPN works on Layer 2, while WireGuard works on Layer 3.

It seems you're confusing VPN and VLAN; nothing you've posted so far is what I personally would consider an intermediate networking question. These are very basic requirements, and even newly cemented Network Engineers SHOULD be able to answer these types of questions. I'll give some input though and perhaps try to clear a few things up, at a higher level, so you can at least ask the right questions for someone to look at this.

AP Guest isolation = this will generally prevent clients (aka PCs/tablets/phones/etc.) from talking to each other (shares probably won't work; depending on the AP they may or may not be on the same subnet, i.e. network). This is done with a firewall internal to the AP, and they probably won't be able to access the media server. But yes, its purpose is to isolate.

VLAN = Completely different than AP Guest isolation. This allows you to create a virtual separate network, and as many as you need. What this allows you to do is then create firewall rules for traffic between these two (or 3 or 4) networks. These rules can be as granular or as broad as you like. (These networks are not encrypted.)

VPN = Virtual Private Network. Seems like it's the same as VLAN, but it's not. VPN uses encryption and basically creates an encrypted tunnel to another network (this could be your home network, or a VPN provider's network on the internet), which you then browse from that location.

Some other places to ask questions:

Reddit
Spiceworks
StackOverflow (generally for programming)
Vendor forum for whatever hardware you are using (e.g. Ubiquiti/Cisco/Netgear)
 
I'll chime in here and I don't mean to be pedantic, but hear me out. scrappymouse captured some good answers but I wanted to clarify or make it a bit more clear due to some nitpicky things.
  1. AP Isolation: The goal of this is to prevent any wireless client that is on the same SSID from communicating with each other at all. Each wireless client is isolated at layer 2. So broadcasts are suppressed (DHCP and ARP), and DHCP replies and other types of unicast traffic seen on the network that is going to a known or unknown MAC address are stopped. This is basically identical to private VLAN on a wired switch.
  2. VLAN: These are logical separations at layer 2. Anything in the same VLAN is able to freely communicate as they are in the same broadcast domain. Quite simply, creating an additional VLAN on a 16 port switch (say, VLAN1 existed by default and you created VLAN2) would be like taking that switch and breaking it in pieces and you can assign however many ports you want per VLAN. If you assigned 8 ports per VLAN you now have 2 logical switches that have 8 available ports (you can now think of it as 2 completely separate switches). Ports 1-8 are VLAN1, and ports 9-16 are VLAN2. Any client connected to port 9-16 cannot communicate at all with ports 1-8 and vice versa. Each VLAN would need to have a DHCP server on it to hand out IP addresses to clients. You could also plug a different router in each VLAN and use it as a gateway.
    • Important note: Traffic can only flow between VLANs through a router, but technically VLANs are completely separate and unrelated to IP networking. For example, you can have the exact same IP network on 2 different VLANs, or you can have multiple IP networks on the same VLAN. This is most definitely not advised, but just trying to illustrate a point.
    • In typical deployments you have a switch with multiple VLANs on it. Then this switch will uplink to a network firewall on what is called a 'tagged' interface (Cisco calls these 'trunks' - don't get caught up in that confusion... just call them tagged links). A tagged interface injects a header that instructs any device on the other side of that link which VLAN that traffic belongs to. Then that firewall will have multiple logical interfaces on a single physical interface that connects to that switch. This firewall can now serve as a gateway for the clients on each VLAN. The firewall subinterfaces need to also be tagged so it knows which subinterface to send traffic back to the clients when it returns. A router would normally just freely pass traffic between VLANs because that's all they are designed to do. A firewall blocks and provides inspection on this traffic and you can create lots of permits, denies, IPS, AV, and other really nice goodies when traffic flows between VLANs.
  3. VPN: Virtual Private Network (as stated above). This is just an encrypted tunnel. There are plenty of different VPN technologies.
    • IPSEC: Generally used to encrypt tunnel endpoints from 2 network devices (or 2 sites). IPSEC basically causes the network devices (like a router or firewall) to encrypt any packets that flow between the two sites. So any prying eyes that exist between the source and destination network devices only see that it is an IPSEC packet with a source and destination IP address that match the source and destination network devices. The original packet is encrypted so those prying eyes cannot see what's actually being requested or sent across the wire. IPSEC can also be used to secure client endpoints.
    • SSLVPN: This is client VPN. A basic setup for SSLVPN is a remote user that has a client on their computer that connects to a firewall of some kind that hosts an SSLVPN connection. The client "dials in" with credentials (sometimes with MFA) to the firewall and authenticates. Once they authenticate, there is an encrypted tunnel between the client device and the remote network device that they are tunneled to. Any prying eyes cannot see any traffic between the two. However, once it "pops out" the other side of the SSLVPN tunnel, that traffic is now unencrypted. But return traffic flows the same path back since the return path will have a destination IP address of the firewall that needs to send it back over the VPN tunnel to the client device.
    • PPTP/L2TP - PPTP should not be used anymore. L2TP should only be used if also in conjunction with IPSEC to encrypt at layer 3.
I hope this was helpful and wasn't too long winded. Good luck.
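To illustrate the "16-port switch split into two VLANs" and tagged-uplink picture from the post above, here is a small added model of 802.1Q tagging and a switch's layer 2 forwarding decision. It is my own example, not code from anyone in the thread; the 17th uplink port, the MAC addresses and the payload are constructed for the illustration.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def tag_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int, payload: bytes, pcp: int = 0) -> bytes:
    """Build a tagged frame: dst, src, 802.1Q tag (TPID + TCI), EtherType, payload."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | vlan_id            # 3-bit priority, DEI=0, 12-bit VLAN ID
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload

def untagged_frame(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    """Plain frame as a host on an access port would send it (no tag)."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload

def vlan_of(frame: bytes):
    """VLAN ID carried in the tag, or None when the frame is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF

# The post's switch: ports 1-8 are access ports in VLAN 1, ports 9-16 in VLAN 2.
# Port 17 (constructed) is the tagged uplink to the firewall that routes between them.
ACCESS_VLAN = {p: (1 if p <= 8 else 2) for p in range(1, 17)}
UPLINK_PORT = 17

def ingress_vlan(port: int, frame: bytes):
    """Which broadcast domain a frame joins when it enters the switch."""
    if port == UPLINK_PORT:
        return vlan_of(frame)          # on the tagged link the tag says which VLAN
    return ACCESS_VLAN[port]           # on an access port the port assignment decides

def can_forward(in_port: int, frame: bytes, out_port: int) -> bool:
    """Layer 2 forwarding never leaves the VLAN; crossing VLANs needs the router/firewall."""
    vid = ingress_vlan(in_port, frame)
    if vid is None:
        return False                   # untagged frame on the uplink: dropped in this toy model
    if out_port == UPLINK_PORT:
        return True                    # the tagged uplink carries every VLAN, tag intact
    return ACCESS_VLAN[out_port] == vid

# Constructed sample: a host on port 9 (VLAN 2) broadcasts; the firewall sends a VLAN 1 frame down.
HOST_FRAME = untagged_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x09", b"\x45" + b"\x00" * 19)
FW_FRAME = tag_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x11", 1, b"\x45" + b"\x00" * 19)
```

Running `can_forward(9, HOST_FRAME, 1)` returns False while `can_forward(9, HOST_FRAME, 12)` returns True, which is the "two separate switches" behaviour the post describes.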
 
Thank you for the clarification. I assume it would not actually help with WiFi snooping to have VPN software installed just on the router and not on individual devices, because the data from those devices would not be encrypted until it reached the router, correct?
 
Thank you for the clarification. I assume it would not actually help with WiFi snooping to have VPN software installed just on the router and not on individual devices, because the data from those devices would not be encrypted until it reached the router, correct?
I'm curious as to what makes you think it is 100% wifi snooping on these older devices? What symptoms are you seeing? I've chimed in a few times but don't think I ever got clarification on this point. I'm looking for logs etc., something a little more concrete than the proverbial "they know this etc... which could only come from those devices", just out of morbid curiosity.
 
I'm curious as to what makes you think it is 100% wifi snooping on these older devices? What symptoms are you seeing? I've chimed in a few times but don't think I ever got clarification on this point. I'm looking for logs etc., something a little more concrete than the proverbial "they know this etc... which could only come from those devices", just out of morbid curiosity.

I don't know, and I don't have a proper intrusion detection and/or prevention system in place, but I am working on building one. At the moment I need to know whether VPN routers are worth it when it comes to WiFi snooping in general. Only on-device VPN software can encrypt traffic that is transmitted from that device to another device (be it a WiFi or wired network), correct?
 
Does WiFi strength and distance affect security? Is it any safer to keep your WiFi router close to your WiFi devices than not?
 
It is a general security practice to keep the strength of your wifi signal only as powerful as you need it to reach the devices with the quality of service required (rather than just blasting it out there); but as noted, it in and of itself does not provide additional security if your attacker can still negotiate with the devices/access point.
 
Signal weakness is relative to the devices doing the accessing. There is no "receiving power," so a kit with sufficient antennas and transmit power will not care what power setting you have. (Such extreme kits are easily built or bought). But we all experience it at home anyway, some wifi stuff works great far away, some barely keeps up in the same room.

My AP has no problem making quick queries to cars driving by my house at 45 mph and 150 ft minimum distance as part of its interference optimization, even though its Tx power is set to a low value, and I can't imagine that car wifi power is intentionally set high given it only needs to communicate with what's inside of it.
 
Signal weakness is relative to the devices doing the accessing. There is no "receiving power," so a kit with sufficient antennas and transmit power will not care what power setting you have. (Such extreme kits are easily built or bought). But we all experience it at home anyway, some wifi stuff works great far away, some barely keeps up in the same room.

My AP has no problem making quick queries to cars driving by my house at 45 mph and 150 ft minimum distance as part of its interference optimization, even though its Tx power is set to a low value, and I can't imagine that car wifi power is intentionally set high given it only needs to communicate with what's inside of it.
Has a lot to do with how noisy the environment is, too. If you have a lot of noise in the frequencies your AP is broadcasting in, then the effective range will be lower (because the signal will be drowned out by the noise before it reaches the device). If there is enough noise, then no matter how good your receiving antenna is, you won't be able to communicate effectively (can't amplify on the receiving end if all you get is noise).
 