Guest network has default access to all other zones

Flint 2 on 4.5.8 here. I noticed that the Guest Network has access to zones it probably shouldn't have access to by default. I.e. Guests have access to LAN and all VPN zones (even those added later), instead of just WAN.

In my opinion, most owners of a router would want the guest network to not only be isolated from other guest clients (AP isolation, which I have turned on) but also be isolated from all zones other than WAN.

Even worse, the only way to change this is through LuCI, which the average user won't go to.

Perhaps this either merits a change in default behavior or another checkbox next to AP Isolation called "Isolate from all other zones".

Guest Wi-Fi is isolated from the normal Wi-Fi and LAN by default. Other zones, if you create them manually, might not be affected - because you manually changed the configuration.

So either you found a bug (unlikely) or there is some configuration issue with your device.

Thanks for the response! Out of the box, the guest network also had access to LAN, which I had to remove manually in the LuCI firewall settings. When I later added an OpenVPN Client and WireGuard Client connection in the GL.iNet UI, access to those was also granted to the Guest network by default, which in my opinion should not have happened.

Are you sure about that? Normally it looks like this:

That's default behavior because many people want to route via VPN.

From the start, mine looked like this:

guest => wan

Then when I added VPN Clients, they also showed up under guest, just like in your screenshot.

Why would I want guest networks by default routed through a VPN client connection? That VPN connection may be a sensitive remote LAN of mine that also should be off limits to guests.

Either way, I propose a checkbox in the Guest Network configuration to say "isolate from all other zones" or something like that, so that no one has to go into LuCI to verify what zones guests have access to.

Edit: I misremembered regarding guests having access to LAN, my bad. It was the other way around, LAN didn't have access to the Guest network, which I had to change in LuCI. I apologize for this particular non-issue. This was important for me, as I had my IoT devices on the Guest network and needed access to them from LAN.

My other recommendation regarding giving a choice in the GL.iNet UI to not give guests access to other zones besides WAN is still something I think is a good idea.
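The check discussed in this thread (which zones the guest zone is allowed to forward to) can be done from a shell instead of LuCI. The script below is an added example, not part of the original thread and not GL.iNet's own tooling; it reads text in `uci show firewall` format, and the sample config with its VPN zone names `example_wg` and `example_ovpn` is constructed, so the zone names on a real device will differ.

```shell
# Added example: list the zones a source zone may forward to, beyond one allowed zone.
# Input: text in `uci show firewall` format on stdin. On the router:
#   uci show firewall | extra_dests guest wan

# Constructed sample, not from a real device. example_wg and example_ovpn are
# placeholder names for VPN client zones.
sample_config() {
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='guest'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='guest'
firewall.@forwarding[2].dest='example_wg'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='guest'
firewall.@forwarding[3].dest='example_ovpn'
firewall.@forwarding[3].enabled='0'
EOF
}

# Print each enabled forwarding destination of zone $1 that is not zone $2.
extra_dests() {
  awk -v src="$1" -v allowed="$2" -v q="'" '
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(q, "", val)                          # strip the quotes uci prints
      n = split(key, p, "[.]")
      if (n == 2 && val == "forwarding") { order[++count] = p[2]; fwd[p[2]] = 1 }
      else if (n == 3 && (p[2] in fwd)) opt[p[2], p[3]] = val
    }
    END {
      for (i = 1; i <= count; i++) {
        s = order[i]
        if (opt[s, "src"] != src || opt[s, "enabled"] == "0") continue
        if (opt[s, "dest"] != allowed) print opt[s, "dest"]
      }
    }'
}

sample_config | extra_dests guest wan   # prints: example_wg
```

Empty output means the source zone forwards only to the allowed zone; rerun it after adding a VPN client to see whether a new forwarding was created.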