Question Hidden, guest wifi connection question

Status
Not open for further replies.

Gaogier

Hello

So, I would like to set up a hidden guest network, for security and limitation reasons.

I would like to set up a QR code for guests to scan to join the network, but if they come back after leaving, I would like them to rescan the QR code. I want to do this so I can keep control of my network, as before I had someone basically piggybacking on my network before upgrading my router from my ISP. It has made me want just my home devices on my network, and guests on a guest network, but I don’t want my neighbour to connect to it, leave for work, and come back still being connected.

Why was my neighbour on my network in the first place? Well, I live in an area where there is military equipment, I assume for secret reasons about 5ft further down towards the road, all network (mobile network) is a dead zone, although this could be due to pylons, I am not sure which. So, my neighbour's wifi is poor compared to mine (range and speed) that they needed access to mine before covid for some reason I can’t remember, and every so often I notice that their phone is connected to mine.

Now, I know I can block them, but other people who come here I would like them to ask to connect and allow them access, like my sisters, both need to access my internet for work, but don’t want them coming round to just watch films etc, I would like them to be a part of family time, not phone time, since covid I didn’t see my sisters for some 15 months as they are both front line workers.


So, I want a hidden guest network that guests scan a QR code to connect to if needing my internet, else have poor speeds on networks and we can have family time.


Is this something that is possible to do?
 
Hidden SSIDs are not really hidden; they can be seen with a number of applications.

I am not sure how you expect a QR code to work. Unless you load some special app on the device that can somehow decode it, you are going to need an internet connection BUT you do not have an internet connection because it has not yet connected.

Even if you got this to work somehow, the user would always be able to see what network their device is connected to.

Your best option is to use one of the more standard methods to solve this. It still will not be trivial and will require some kind of server/firewall. The concept is in general called a captive portal. There are a number of ways to implement this but it is unlikely you can just use the guest function in your router. Although I think some third party firmware can do captive portal, you generally need to place a device between the wifi radio and the network. So you would need some kind of AP plugged into the server.

In effect this is how a hotel or cafe works. You either must put in some special code or at least agree to some web page that pops up.

The other somewhat simpler method would be to run the guest network in enterprise mode. Not all routers have that option. You would need a small RADIUS server. Many people run it on a Raspberry Pi in a home network. When you run in enterprise mode every user has their own userid and password. Problem is I don't know what you do if they log on and never log off. You could cause the id/password to expire but it won't be checked until the next time they log in.
 
Hiding the SSID is a violation of the relevant wireless RFCs and only exists because "marketing". Any device fully compliant with the RFCs will refuse to see or connect to a hidden network. Besides, as stated above, it's trivial to determine that a hidden network exists and what the SSID is. Takes me no more than 20-30 seconds to sniff one out. It falls under "security through obscurity" which doesn't work anytime, anywhere. As stated above, use a RADIUS server with accounts that time out at checkout time, change the passphrase on a regular basis and separate the secure part of the network from the guest side, and you're as secure as it gets.
 

Gaogier

Okay, so no hidden guest network is easily done, but could I set up just a guest network that I can put simple restrictions on, and have users requiring to re-sign in when they come around?

At my home, and a small surrounding area, you do get network (not from O2), I had a 5 year dispute with them when I signed up to a contract from them for 2 years on the iPhone 4. But we do get a small really slow connection regarding other networks compared to just a few feet outside my home. You can get 1-3Mbps, so I thought a simple QR code people’s networks should be able to open.
I want to use a QR code as I make my own passwords that follow a pattern of mine, that only I know, and nobody can ever guess, as I have created a code system based on time, dates, years, locations, animals, plants, water e.g. rivers. They are a complete mixture of numbers, letters caps and lower, symbols, to the point it looks like a random password generated one using different lengths.
 
It will not be secure no matter what you do. You need to give someone an app to decode your QR code. So now maybe the code is secure, but now if anyone would get the app they could use it.

In addition, all the app is going to do is decode your fancy QR code and then in effect key it into the wifi settings. The user could then just use the standard tools in the OS to display the password that your fancy app typed in.

You are trying to reinvent the wheel here.
 

Gaogier

I think I am trying to find a freezer for some ice cream that I have in over 30°C/85°F heat, without the ice cream melting first, when I should just eat the ice cream with my guests.

So, I got my new router about 10 days ago, and the only reason why I was thinking of using a QR code was that the network that is default on the router uses a QR code to scan to log in to the network.


So, my plan for my network

Create a guest network.
Keep a very strong password for the network.
When people want to connect, just let users scan a QR code and it will log them into the guest network.
Future visits from guests will automatically connect to the guest network.
I can still add restrictions on the guest network.
 
The problem you have is many times the app will display the SSID and password on the screen when you scan the code. Even if the built-in one does not by default, you can see it in the wifi settings, and of course you can just use a QR reader that displays what is stored in any QR.

Doing this is mostly just a fancy way to give someone the password. It is not any more secure than if you wrote the password on paper and gave it to them. The only difference is they do not have to key it in.

This is not a security function, it is purely an ease of use thing.
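To illustrate the point made in the reply above, here is an added example (not code from any poster in this thread) that decodes the text stored in a Wi-Fi QR code. It assumes the widely used `WIFI:` payload convention with `T` (auth type), `S` (SSID), `P` (passphrase) and `H` (hidden) fields and backslash escaping; the sample payload is constructed.

```python
"""Decode a Wi-Fi QR payload to show what any QR reader reveals."""

# Constructed sample: ';', ':' and '\' inside values are backslash-escaped.
SAMPLE = r"WIFI:T:WPA;S:Guest\;Net;P:river\:Otter\\2021!;H:true;;"


def split_unescaped(body, sep):
    """Split on sep, leaving backslash-escaped characters inside a field."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])  # keep the escape pair together
            i += 2
        elif body[i] == sep:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    """Drop each escaping backslash and keep the character after it."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_wifi_qr(payload):
    """Return the SSID, auth type, passphrase and hidden flag."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    fields = {}
    for item in split_unescaped(payload[len("WIFI:"):], ";"):
        key, colon, raw = item.partition(":")
        if colon:  # skip the empty items left by the ';;' terminator
            fields[key] = unescape(raw)
    return {
        "ssid": fields.get("S", ""),
        "auth": fields.get("T", "nopass"),
        "passphrase": fields.get("P", ""),
        "hidden": fields.get("H", "false").lower() == "true",
    }
```

Calling `parse_wifi_qr(SAMPLE)` returns the passphrase in clear text, which is why the code should be handled like a written-down password and the guest passphrase rotated when access should end.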
 
I don't see anything wrong with using a QR code to login. It allows you to more easily use the full 63 character length for the passphrase and 32 characters for the SSID for maximum security, which is probably more secure than using WPS even with the 384-bit hash by WPA3. The code is generated and read using a simple algorithm and avoids much tedious typing into a phone. About the only minus is some sort of "QR Connect" app will be needed on clients or typing will still be required.

As the passphrase is stored on clients which retransmit it each time they come in range, the only way to "time-out" their connection is by manually changing the passphrase for the guest network every day. Then they would have to re-pair their devices, hopefully via QR code instead of typing.

If it allows you to use a more secure SSID and passphrase than could practically be used otherwise, then it's a good thing.
 
Ubiquiti uses a captive portal with a voucher system. You can set the voucher to be used once for a certain amount of days which then expires, or multi-use for a set number of times, or multi-use unlimited like for your sister and close family. All they have to do is type in a 10-digit code. You can revoke vouchers at any time.

Ubiquiti isn't going to be easy to set up unless you're tech savvy.

Here's a video: https://youtu.be/anYXOET6QB8?t=204
 
Have you considered having two routers?

Use the first router to connect to the internet and make that the guest network for everyone else.
On most routers you can set a speed limit and also limit how many devices can connect at a time.
Use this one to send out DHCP addresses in one range (e.g. 10.0.0.x 255.255.255.0). Set the DHCP lease time to one or two hours (60 to 120 minutes).
Now most routers have a wifi schedule option, so you can set it to allow wifi for only part of the day. After that they can't connect.

Next have a second router for you. This one will have the WAN port plug in to the first router.
The WAN connection should be a DHCP connection.
On this router make the IP range different from the first router (e.g. 192.168.1.x 255.255.255.0)
Check that this router doesn't allow access via WAN port. This way guests can't access your network, but you can access the guest network to be able to change settings on router 1.

The reason for using this set-up is that people can then use the guest network but not get into your network. More secure.


IMPORTANT
Disable WPS on both routers.
This is likely why you are seeing the neighbour's phone on your network. They aren't really on, but the device is waiting for the WPS to activate so it can connect.
I found a strange wifi TV on my network, and it was because I forgot to turn off WPS on one router.

You could also get Fing on Android and set that up to tell you when a new device is detected on the network.
 