How to secure old hardware against WiFi snooping?

Joined Jun 26, 2020, 24 messages
Since some of my postings are not welcome or in question, could someone recommend me a better place to ask intermediate network questions? I'll handle the spy drama on my own.

Some questions to which I can't find definitive answers on Google are:
- What is the difference between VLAN isolation and Guest AP isolation? Both technologies appear to perform the same task - isolate. I think Guest AP isolation still allows for ICMP, but VLAN isolation does not. A lot of info suggests setting up a VLAN is less about security and more about traffic type, such as IPTV.
- Does OpenVPN isolate devices better on a local network than WireGuard? OpenVPN works on Layer 2, while WireGuard works on Layer 3.
 

Grebuloner (Gawd, joined Jul 31, 2009, 869 messages)
Since some of my postings are not welcome or in question, could someone recommend me a better place to ask intermediate network questions? I'll handle the spy drama on my own.

Try smallnetbuilder.com. Leave out the drama and just talk about what your goal is for your network and what your budget is to accomplish that.

But keep in mind: Ultimately, if you can't change the equipment or behavior of your users (or accept certain sacrifices yourself), none of it will matter.
 

scrappymouse (Limp Gawd, joined Mar 18, 2016, 136 messages)
Since some of my postings are not welcome or in question, could someone recommend me a better place to ask intermediate network questions? I'll handle the spy drama on my own.

Some questions to which I can't find definitive answers on Google are:
- What is the difference between VLAN isolation and Guest AP isolation? Both technologies appear to perform the same task - isolate. I think Guest AP isolation still allows for ICMP, but VLAN isolation does not. A lot of info suggests setting up a VLAN is less about security and more about traffic type, such as IPTV.
- Does OpenVPN isolate devices better on a local network than WireGuard? OpenVPN works on Layer 2, while WireGuard works on Layer 3.

It seems you're confusing VPN and VLAN; I personally wouldn't consider anything you've posted so far an intermediate networking question. These are very basic requirements, and even newly cemented Network Engineers SHOULD be able to answer these types of questions. I'll give some input though and perhaps try to clear a few things up, at a higher level, so you can at least ask the right questions for someone to look at this.

AP Guest isolation = this will generally prevent clients (aka PCs/tablets/phones/etc.) from talking to each other (shares probably won't work; depending on the AP, they may or may not be on the same subnet (i.e. network); this is done with a firewall internal to the AP), and they probably won't be able to access the media server. But yes, its purpose is to isolate.

VLAN = Completely different from AP Guest isolation; this allows you to create a virtual separate network, and as many as you need. What this allows you to do is then create firewall rules for traffic between these two (or 3 or 4) networks. These rules can be as granular or as broad as you like. (These networks are not encrypted.)

VPN = Virtual Private Network. It seems like it's the same as a VLAN, but it's not. A VPN uses encryption and basically creates an encrypted tunnel to another network (this could be your home network, or a VPN provider's network on the internet), from which you then browse.

Some other places to ask questions:

Reddit
Spiceworks
StackOverflow (generally for programming)
Vendor forum for whatever hardware you are using (i.e. Ubiquiti/Cisco/Netgear)
 

Cmustang87 (Supreme [H]ardness, joined Oct 4, 2007, 4,497 messages)
I'll chime in here and I don't mean to be pedantic, but hear me out. scrappymouse captured some good answers but I wanted to clarify or make it a bit more clear due to some nitpicky things.
  1. AP Isolation: The goal of this is to prevent any wireless client that is on the same SSID from communicating with each other at all. Each wireless client is isolated at layer 2. So broadcasts are suppressed (DHCP and ARP), and DHCP replies and other types of unicast traffic seen on the network that are going to a known or unknown MAC address are stopped. This is basically identical to a private VLAN on a wired switch.
  2. VLAN: These are logical separations at layer 2. Anything in the same VLAN is able to freely communicate as they are in the same broadcast domain. Quite simply, creating an additional VLAN on a 16 port switch (say, VLAN1 existed by default and you created VLAN2) would be like taking that switch and breaking it in pieces and you can assign however many ports you want per VLAN. If you assigned 8 ports per VLAN you now have 2 logical switches that have 8 available ports (you can now think of it as 2 completely separate switches). Ports 1-8 are VLAN1, and ports 9-16 are VLAN2. Any client connected to port 9-16 cannot communicate at all with ports 1-8 and vice versa. Each VLAN would need to have a DHCP server on it to hand out IP addresses to clients. You could also plug a different router in each VLAN and use it as a gateway.
    • Important note: Traffic can only flow between VLANs through a router, but technically VLANs are completely separate and unrelated to IP networking. For example, you can have the exact same IP network on 2 different VLANs, or you can have multiple IP networks on the same VLAN. This is most definitely not advised, but just trying to illustrate a point.
    • In typical deployments you have a switch with multiple VLANs on it. Then this switch will uplink to a network firewall on what is called a 'tagged' interface (Cisco calls these 'trunks' - don't get caught up in that confusion... just call them tagged links). A tagged interface injects a header that instructs any device on the other side of that link which VLAN that traffic belongs to. Then that firewall will have multiple logical interfaces on a single physical interface that connects to that switch. This firewall can now serve as a gateway for the clients on each VLAN. The firewall subinterfaces need to also be tagged so it knows which subinterface to send traffic back to the clients on when it returns. A router would normally just freely pass traffic between VLANs because that's all they are designed to do. A firewall blocks and provides inspection on this traffic, and you can create lots of permits, denies, IPS, AV, and other really nice goodies when traffic flows between VLANs.
  3. VPN: Virtual Private Network (as stated above). This is just an encrypted tunnel. There are plenty of different VPN technologies.
    • IPSEC: Generally used to encrypt tunnel endpoints from 2 network devices (or 2 sites). IPSEC basically causes the network devices (like a router or firewall) to encrypt any packets that flow between the two sites. So any prying eyes that exist between the source and destination network devices only see that it is an IPSEC packet with a source and destination IP address that match the source and destination network devices. The original packet is encrypted so those prying eyes cannot see what's actually being requested or sent across the wire. IPSEC can also be used to secure client endpoints.
    • SSLVPN: This is client VPN. A basic setup for SSLVPN is a remote user that has a client on their computer that connects to a firewall of some kind that hosts an SSLVPN connection. The client "dials in" with credentials (sometimes with MFA) to the firewall and authenticates. Once they authenticate, there is an encrypted tunnel between the client device and the remote network device that they are tunneled to. Any prying eyes cannot see any traffic between the two. However, once it "pops out" the other side of the SSLVPN tunnel, that traffic is now unencrypted. But return traffic flows the same path back, since the return path will have a destination IP address of the firewall, which needs to send it back over the VPN tunnel to the client device.
    • PPTP/L2TP - PPTP should not be used anymore. L2TP should only be used in conjunction with IPSEC to encrypt at layer 3.
I hope this was helpful and wasn't too long winded. Good luck.
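To make the "tagged link" and "firewall between VLANs" points above concrete, here is a small added example (my own illustration, not code posted by anyone in this thread). It builds Ethernet frames with and without an 802.1Q tag, parses the tag back out to find the VLAN ID, and then runs a toy policy modelled on a firewall with one tagged subinterface per VLAN, plus a separate check for AP isolation so the two mechanisms can be compared side by side. The MAC addresses, VLAN numbers and policy table are constructed sample values, and the policy engine is a simplified model rather than any vendor's behaviour.

```python
"""802.1Q-tagged frames and a toy inter-VLAN policy.

Added illustration for this thread, not code posted by anyone in it. The MAC
addresses, VLAN IDs and the policy table are constructed sample values, and
the policy engine is a simplified model of a firewall that has one tagged
subinterface per VLAN (the "tagged link" setup described above)."""
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800

# Constructed MACs for the examples below (locally administered addresses).
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
MAC_GW = bytes.fromhex("020000000001")

# Constructed policy for a firewall sitting between VLANs, keyed by
# (ingress VLAN, egress VLAN). Anything not listed is denied by default.
POLICY = {
    (10, 20): True,   # trusted LAN (VLAN 10) may initiate to guest (VLAN 20)
    (20, 10): False,  # guest may not reach the trusted LAN
}

# Constructed set of wireless clients on one SSID with AP isolation enabled.
ISOLATED_CLIENTS = {MAC_A, MAC_B}


def build_frame(dst, src, payload, vlan_id=None):
    """Build an Ethernet II frame carrying IPv4; insert an 802.1Q tag if vlan_id is set."""
    hdr = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); PCP and DEI left at 0.
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return dst, src, VLAN ID (None if untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def ap_isolation_allows(frame):
    """AP isolation: two clients on the same isolated SSID may not talk at layer 2."""
    info = parse_frame(frame)
    return not (info["src"] in ISOLATED_CLIENTS and info["dst"] in ISOLATED_CLIENTS)


def forward_decision(frame, egress_vlan):
    """Decide what the switch/firewall pair does with a frame arriving on a tagged link."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return "drop: untagged frame on a tagged link"
    if info["vlan"] == egress_vlan:
        # Same broadcast domain: the switch forwards it; no router involved.
        return "forward: same VLAN"
    if POLICY.get((info["vlan"], egress_vlan), False):
        return "route: permitted by firewall policy"
    return "drop: denied by firewall policy"


if __name__ == "__main__":
    guest_to_lan = build_frame(MAC_GW, MAC_B, b"\x45" + b"\x00" * 19, vlan_id=20)
    print(parse_frame(guest_to_lan)["vlan"], forward_decision(guest_to_lan, 10))
    print(ap_isolation_allows(build_frame(MAC_B, MAC_A, b"", vlan_id=20)))
```

The two checks are deliberately separate: `ap_isolation_allows` only looks at the source and destination MACs (that is all an access point's client isolation does), while `forward_decision` looks at the VLAN tag and the policy table, which is where a firewall's permit and deny rules between networks live.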
 