Beryl AX Guest Network not isolating

I would like my wifi guests to be able to access the internet without being able to view all the devices on my home network.

My home network connects to the internet via SKY Broadband, but the SKY router does not have a guest network setting. I have a fully updated Beryl AX, Current Firmware
Version 4.6.9, Firmware Type release2, connected via ethernet and set up as a router. The SKY router provides via DHCP my Beryl AX an IP = 192.168.1.130 netmask = 255.255.255.0 and the Beryl AX uses the defaults: IP of 192.168.8.1 and supplies normal users in the 192.168.8.* range and guests with the 192.168.9.* range as expected. The NETWORK > Guest Network > Security Setting > AP Isolation is on.

However guest wifi users can still view (via Zenmap etc) all of my private home network ... which rather defeats my reason for a guest network! I assumed the default settings would enable suitable network segmentation, but I only have a limited understanding of IP address subnets.

Am I doing something wrong? Am I misunderstanding that a guest network is designed to limit guest access to my private home network? Any advice greatly appreciated.

So just to confirm:
192.168.1.0/24 home network behind this Beryl at 192.168.1.130 WAN, guest network on 192.168.9.0/24 network.

You need to isolate the Beryl on the SKY router from discovering other clients on the 192.168.1.0/24 network.

Does the SKY router give this functionality? As your private network is upstream, anyone connecting from the Beryl can access anything, and the Beryl should not be on your local network but on a guest network on your SKY router, isolated from other clients.

Thank you for the response. Yes, home network on 192.168.1.0/24 with beryl at 192.168.1.130 WAN and Beryl guest network on 192.168.9.0/24. My SKY broadband router has no guest network configuration option(s) at all. I thought that the Beryl guest network would make my home devices undiscoverable by Beryl guest network users - I believed (perhaps incorrectly) that that is the primary function of a guest network, is that not the case?

The 192.168.9.0/24 network goes to the 192.168.1.0/24 network. They are not isolated.
192.168.9.0/24 is only isolated from 192.168.8.0/24; those are the two networks from the Beryl.

So you can connect your other devices to Beryl's private wifi.

Would it make any difference if I was able to make the Beryl use a different IP address range for the guest network like 10.0.0.0 ?

It does not make any difference.

One thing you could do is to use VPN on Beryl AX and only vpn policy to only let Guest wifi goes through the VPN. So the devices on Beryl AX's Guest wifi will not be able to access your local network.

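One mitigation the thread does not spell out, added here as an example (it is not code from the thread or from GL.iNet): firewall rules on the Beryl that reject forwarding from the guest subnet to the upstream home LAN while still letting guests reach the internet. The interface names br-guest and eth0 and the use of iptables rather than nftables are assumptions about this firmware.

```shell
#!/bin/sh
# Added example, not code from the thread or from GL.iNet.
# Policy: traffic from the Beryl's guest subnet may go to the internet but is
# rejected when its destination is the upstream home LAN (192.168.1.0/24), which
# the built-in "AP Isolation" setting does not cover. The guest bridge name
# (br-guest) and WAN interface name (eth0) are assumptions; check them with
# "ip addr" on the router before applying.
GUEST_NET="192.168.9.0/24"
HOME_NET="192.168.1.0/24"
GUEST_IF="${GUEST_IF:-br-guest}"
WAN_IF="${WAN_IF:-eth0}"

# Print the rules rather than applying them, so they can be reviewed first.
# Each rule uses -I (insert at top) so it takes effect before any existing
# guest-to-WAN ACCEPT rule in the FORWARD chain.
guest_isolation_rules() {
    cat <<EOF
# Reject guest traffic to the home LAN (REJECT rather than DROP so guest clients fail fast).
iptables -I FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -d $HOME_NET -j REJECT --reject-with icmp-net-unreachable
# Also cover the other RFC 1918 ranges in case the upstream addressing ever changes.
iptables -I FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -d 10.0.0.0/8 -j REJECT
iptables -I FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -d 172.16.0.0/12 -j REJECT
# Only if guests must use the SKY hub itself for DNS: uncomment this last so it
# is inserted above the rejects and allows just that one service.
# iptables -I FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
EOF
}

# Run with APPLY=1 on the router to execute the rules; otherwise just show them.
if [ "${APPLY:-0}" = "1" ]; then
    guest_isolation_rules | sh
else
    guest_isolation_rules
fi
```

Rules added this way are lost on reboot, so on the Beryl they would need to go into the firmware's custom firewall rules to persist; verify from a guest client that 192.168.1.x hosts no longer answer while internet access still works.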

I have used VPNs, but have no idea how to do this on a Beryl AX. Would guest clients have to have VPN software? Where would the endpoint be located? Would you know of a beginners guide I might be able to follow to set this all up? Thank you so much for your help so far.

Let's omit the vpn policy thing.

Please read the general VPN (WireGuard) client setup guide. It has videos, so it is easy to follow.

I have read this, but lack the understanding to see how this would solve my problem. I suspect it might mean that I would have to purchase a vpn subscription, which would not be appropriate. Perhaps in the long term a large and costly new router with a guest network function is the only way forward if SKY broadband allow one to replace their router? There was I thinking a Beryl AX guest network would be a simple solution!

That doesn't surprise me. What type of connection do you have from Sky?

I have a normal residential SKY Broadband FTTP connection with a SKY Hub (which is their default router), this includes broadband and landline phone - which probably means that I have to stick with their router for the phone system to work. GGGrrrrrrr

Yes, the phone line is your issue :sob:

You could have the Beryl as the router and everything would work apart from the landline as it needs the sky router to do the sip authentication bit, and sky will not give you those details.

Looking again at vpn possibilities. On my desktop when using a vpn I can still access all my home local network devices, both by pinging and a web browser. Are you sure this would be different on the Beryl AX?

So your requirement is the following, right?

You want the guest wifi on the Beryl AX to not have access to your home network, which is the upstream network.

I will let the product managers have a check.

Correct. I want the Beryl AX to access the internet on my home network via my router but NOT any other devices, like my Raspberry Pis, home server, Roku etc, desktop PC etc.

Does your Sky modem/router support VLANs? That is essentially a more technical way to create a "guest" network.

The other thing you could do without connecting to a VPN and forcing all connections through it is to connect only your Beryl (and phone) to the Sky modem/router and do the primary/guest network division from the Beryl. Hopefully the Sky modem/router has a passthrough mode for devices other than the phone, though. Otherwise you'll have double-NAT, which may or may not be ok for you.

No, I have the normal Sky broadband router supplied in the UK, called a Sky Broadband Hub model SR203. It supports VoIP telephones, but has very basic customisation options; there is no capacity for guest networks, VLANs or passthrough mode. UK ISP supplied routers like this do not get any simpler! I need the landline phone at the moment, so the Sky router has to stay.

If I purchased a subscription to a VPN for use by the Beryl AX, how could it be configured so that connecting devices were unable to access all the other devices on my home network? Is there a setting to force connections on the Beryl AX guest network to use the VPN all the time?

Thank you so much for all your assistance.

Yes, after you've set up a VPN connection on the Beryl, go to the VPN Dashboard area and enable the connection.

Then select the "Global Options" and make it look like this:

That should do it.

Excellent. I have used Mullvad vpn and have been entirely successful in blocking access to my private home network. Thank you all those who have helped me with this thread.


I'm going to test if this works:
https://www.reddit.com/r/openwrt/comments/c57hwe/share_your_wifi_hide_your_core/

iptables -t mangle -A PREROUTING -i eth0.1 -j TTL --ttl-inc 1

What this will do is, when a packet passes in through eth0.1 to be forwarded, its TTL is incremented by 1. Because of this, a traceroute fails to see the router as the TTL is upped by one, then it exceeds its transit and errors on the WAN side (its upstream router). This hides your routing core from such traces.