Isolated guest network is not working properly (security issue)

I have used the latest Foris (and system) update to set up a guest network (WiFi for guests) without access to internal resources.

I used the checkboxes in Foris and saved the configuration. Then I went to LuCI (a few days later) and switched my main (not guest) networks to WPA2-EAP. Guest networks were not changed; they have WPA2-PSK. It's necessary to say that I didn't touch the network or other configuration in any other way than described.

I decided to test and connected to the guest WiFi. I obtained a correct guest IP (from the guest network default range 10.111.222.0/24). The router LAN IP is the classic 192.168.1.1. As I have some ports forwarded to my server in the LAN, I wanted to see what happens if I try to connect to my local server. I entered the URL (working from WAN) but I was redirected to the Foris login page! From the guest network! I tested the router IP manually (by entering 192.168.1.1) and I can get to the configuration!

Foris states in the question mark button: "Enables Wi-Fi for guests, which is separated from LAN network. Devices connected to this network are allowed to access the internet, but aren't allowed to access other devices and the configuration interface of the router." I was able to log in to Foris and save any changes I made through the guest network.

What can I do to configure the guest network correctly? I did not touch the firewall zone rules or anything else. The guest_turris network was created by the update, not by me.

I ended up creating a WiFi guest network with standard LAN access, as it works even better (due to the port forwards).

However, I think it should at least not allow visiting the router admin. I consider such an issue critical. Can anyone help?

For me the "stock" guest network works as advertised. I am not able to connect to the router.
Maybe the issue is your port forwards?

Yes, port forwards may be the issue. However, this is still a critical bug. I (of course) need port forwards for my network to work properly. I can't disable them and test.

I can't understand why network isolation won't work with that. Almost everyone I know uses port forwarding. At least router administration should not be accessible.

An extra note: my ports 80/443 are redirected from the router to another server in my network. If port forwarding affects it, why is it redirected to the router admin?

OpenWRT specifies rules for port forwarding explicitly per interface and address, so it's interesting that this can happen. Although the web interface shouldn't be accessible, it isn't a big security breach. More important is whether you still can't access devices on the LAN. Can you please send an email to support with diagnostics? We need to see the network and firewall configuration. (We will address this next week, as these are national holidays and nobody is at work.)

Dear Turris team, while already dealing with this issue, could you please extend the documentation a bit? It would be very helpful if you could write a short summary of what exactly is being set up when establishing a guest Wi-Fi.

I know about the docs on the project website, but I would like to get more detailed information, such as:

  • Is there a VLAN for the guest network? How is it set up?
  • Are the firewall settings being modified? If so, how? Is there a separate firewall zone (in the OpenWRT/UCI sense) being created?

It would be great if we could find this kind of information in the docs without having to look at Foris source or compare snapshots before/after configuration and the like. Thank you!
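The two questions above (is there a separate zone, and how is the firewall changed) can be answered on any OpenWrt-based router by reading /etc/config/firewall. The script below is an added example written for this thread, not code from the Turris project or Foris: it parses a UCI firewall file, audits the guest zone for the settings that would let guest clients reach the router or the LAN, and emits a hardened version. The zone name guest_turris is taken from the thread; the sample config, the 192.168.1.10 server address and the rule names are constructed for the example. Note that a `config redirect` with `src 'wan'` only matches packets arriving on the WAN interface, so a port forward by itself does not open the LAN to guests; a guest zone whose `input` policy is ACCEPT, or a `forwarding` from the guest zone to lan, does.

```python
"""Audit an OpenWrt/UCI firewall config for a guest zone that is not isolated."""

# Constructed sample of /etc/config/firewall (not from any real Turris device).
# The guest zone is deliberately weak: input=ACCEPT exposes the router's own
# services (including the admin UI) and a forwarding to lan exposes LAN hosts.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'guest_turris'
    option network 'guest_turris'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'guest_turris'
    option dest 'wan'

config forwarding
    option src 'guest_turris'
    option dest 'lan'

config redirect
    option name 'web-to-server'
    option src 'wan'
    option src_dport '443'
    option dest 'lan'
    option dest_ip '192.168.1.10'
    option dest_port '443'
    option proto 'tcp'
    option target 'DNAT'
"""


def parse_uci(text):
    """Minimal UCI parser: returns a list of dicts, one per 'config' section."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            current = {".type": parts[1],
                       ".name": parts[2].strip("'\"") if len(parts) > 2 else None}
            sections.append(current)
        elif parts[0] in ("option", "list") and current is not None:
            value = parts[2].strip().strip("'\"") if len(parts) > 2 else ""
            if parts[0] == "list":
                current.setdefault(parts[1], []).append(value)
            else:
                current[parts[1]] = value
    return sections


def audit_guest_zone(sections, guest_zone="guest_turris", allowed_dest=("wan",)):
    """Return a list of findings; an empty list means the zone looks isolated."""
    findings = []
    zones = {s["name"]: s for s in sections if s[".type"] == "zone" and "name" in s}
    zone = zones.get(guest_zone)
    if zone is None:
        return [f"zone '{guest_zone}' is not defined"]
    # Only an explicit ACCEPT is flagged; a missing option falls back to the firewall default.
    if zone.get("input", "").upper() == "ACCEPT":
        findings.append(f"zone '{guest_zone}' input=ACCEPT: guests can reach router services")
    if zone.get("forward", "").upper() == "ACCEPT":
        findings.append(f"zone '{guest_zone}' forward=ACCEPT: networks inside the zone can reach each other")
    for s in sections:
        if s[".type"] == "forwarding" and s.get("src") == guest_zone and s.get("dest") not in allowed_dest:
            findings.append(f"forwarding {guest_zone} -> {s.get('dest')} exposes that zone to guests")
        if s[".type"] == "redirect" and s.get("src") == guest_zone:
            findings.append(f"redirect '{s.get('name')}' DNATs guest traffic into {s.get('dest')}")
    return findings


def harden_guest_zone(sections, guest_zone="guest_turris", allowed_dest=("wan",)):
    """Return a copy of the config with the guest zone isolated from router and LAN."""
    hardened = []
    for s in sections:
        s = dict(s)
        if s[".type"] == "zone" and s.get("name") == guest_zone:
            s["input"] = "REJECT"    # router services reachable only via explicit rules below
            s["forward"] = "REJECT"  # no traffic between networks inside the guest zone
        if s[".type"] == "forwarding" and s.get("src") == guest_zone and s.get("dest") not in allowed_dest:
            continue                 # drop guest -> lan (or any non-WAN) forwarding
        hardened.append(s)
    # Guests still need DHCP and DNS from the router, so allow exactly those (constructed rule names).
    hardened.append({".type": "rule", ".name": None, "name": f"Allow-DHCP-{guest_zone}",
                     "src": guest_zone, "proto": "udp", "dest_port": "67-68", "target": "ACCEPT"})
    hardened.append({".type": "rule", ".name": None, "name": f"Allow-DNS-{guest_zone}",
                     "src": guest_zone, "proto": "tcp udp", "dest_port": "53", "target": "ACCEPT"})
    return hardened


def render_uci(sections):
    """Serialize sections back into UCI syntax (suitable for /etc/config/firewall)."""
    out = []
    for s in sections:
        out.append(f"config {s['.type']}" + (f" '{s['.name']}'" if s.get(".name") else ""))
        for key, value in s.items():
            if key.startswith("."):
                continue
            if isinstance(value, list):
                out.extend(f"\tlist {key} '{v}'" for v in value)
            else:
                out.append(f"\toption {key} '{value}'")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_uci(SAMPLE_FIREWALL)
    for finding in audit_guest_zone(parsed):
        print("FINDING:", finding)
    print(render_uci(harden_guest_zone(parsed)))
```

On a live router the same audit can be run against the real file (`parse_uci(open("/etc/config/firewall").read())`), and the rendered output compared with a pre-change snapshot of that file answers the "what exactly is being set up" question for a given Foris version without reading its source.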

Documentation … it has been an unresolved problem for a long time.
Unfortunately! 🙂
