Ubiquiti AP Guest mode
-
@scottalanmiller said:
@Dashrender said:
I tried pinging many of those addresses (different ones from what I pinged before) and I still didn't get a response.
My guess is it is showing MAC tables and is blocked from IP access.
You think it's pulling a MAC table from the switch? Do you consider this an issue? And how do you manually query for the MAC table?
-
@Dashrender said:
You think it's pulling a MAC table from the switch? Do you consider this an issue? And how do you manually query for the MAC table?
I'm not an expert on ARP but doesn't an ARP Probe return all ARP addresses in use?
-
Guest Access does not block you from seeing those devices, it just stops you communicating.
The only benefit for Guest Access to us is that it stops other "guest" clients disturbing each other; the VLAN is the main way that we stop people interfering with the work network.
-
@Breffni-Potter said:
Guest Access does not block you from seeing those devices, it just stops you communicating.
The only benefit for Guest Access to us is that it stops other "guest" clients disturbing each other; the VLAN is the main way that we stop people interfering with the work network.
Guest Access on the Ubiquiti AP should stop them from messing with anything on the network, no VLAN needed.
-
@scottalanmiller said:
Guest Access on the Ubiquiti AP should stop them from messing with anything on the network, no VLAN needed.
"Should" but doesn't, I can still see other devices on the network when it's enabled.
-
@Breffni-Potter said:
@scottalanmiller said:
Guest Access on the Ubiquiti AP should stop them from messing with anything on the network, no VLAN needed.
"Should" but doesn't, I can still see other devices on the network when it's enabled.
Can you? This was tested in another thread and the answer was that there was no visibility to other devices. How are you defining "seeing" them?
-
I assume by "see" that you can ping and interact with them?
-
@scottalanmiller said:
I assume by "see" that you can ping and interact with them?
IP scanner shows all the devices on the network when on guest SSID.
At home but when I'm next in I might be able to do a screenshot.
-
@Breffni-Potter said:
IP scanner shows all the devices on the network when on guest SSID.
I'd not call that "seeing" them. Getting a list of them from the ARP table, which is what we were discussing here, isn't the same as seeing the device itself. I might see a list of names of people, but it doesn't mean I can see the people themselves. Unless you can interact with the device, that's not considered "seeing" the device in a networking sense.
-
@scottalanmiller said:
@Breffni-Potter said:
IP scanner shows all the devices on the network when on guest SSID.
I'd not call that "seeing" them. Getting a list of them from the ARP table, which is what we were discussing here, isn't the same as seeing the device itself. I might see a list of names of people, but it doesn't mean I can see the people themselves. Unless you can interact with the device, that's not considered "seeing" the device in a networking sense.
Exactly - the ability for an IP scanner to list all of the IPs and MAC addresses of other devices on the corporate network is why this thread exists and brings about my question - is the fact that a Guest network computer can pull an ARP listing considered an acceptable thing? And why or why not?
I confirmed that I am not able to ping any of those addresses while on the Guest network, nor can I seem to access (ping) addresses on the other side of my Site to Site VPN. I consider this a great step forward, but access to that MAC table makes me leery. If ARP positioning could happen, would I be able to get access to that network?
-
@Dashrender said:
Exactly - the ability for an IP scanner to list all of the IPs and MAC addresses of other devices on the corporate network is why this thread exists and brings about my question - is the fact that a Guest network computer can pull an ARP listing considered an acceptable thing? And why or why not?
Depends. In any normal environment, lacking IP access is enough to not have any concerns. Getting a listing alone is not at all a threat.
See if it can only see the ARP listing or if Ethernet connections are possible.
-
@Dashrender said:
I confirmed that I am not able to ping any of those addresses while on the Guest network, nor can I seem to access (ping) addresses on the other side of my Site to Site VPN. I consider this a great step forward, but access to that MAC table makes me leery. If ARP positioning could happen, would I be able to get access to that network?
ARP Poisoning?
No need to go that far to test, you should be able to find or write a utility that would attempt direct Ethernet communications to see if there is a concern. Or just use Wireshark to see.
-
@scottalanmiller said:
@Dashrender said:
I confirmed that I am not able to ping any of those addresses while on the Guest network, nor can I seem to access (ping) addresses on the other side of my Site to Site VPN. I consider this a great step forward, but access to that MAC table makes me leery. If ARP positioning could happen, would I be able to get access to that network?
ARP Poisoning?
No need to go that far to test, you should be able to find or write a utility that would attempt direct Ethernet communications to see if there is a concern. Or just use Wireshark to see.
OK, I'll put a pin in this until tomorrow then, and start searching for how to do that.
-
Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.
-
@Dashrender said:
Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.
So it doesn't mean that that is what happened, but it does show that we have no reason yet to question the fencing of the Unifi.
-
@scottalanmiller said:
@Dashrender said:
Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.
So it doesn't mean that that is what happened, but it does show that we have no reason yet to question the fencing of the Unifi.
I wasn't accusing anyone of anything - only sharing that I found a way to get the information. Though short of this, I'm still not sure how Advanced IP scanner could get this information.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.
So it doesn't mean that that is what happened, but it does show that we have no reason yet to question the fencing of the Unifi.
I wasn't accusing anyone of anything - only sharing that I found a way to get the information. Though short of this, I'm still not sure how Advanced IP scanner could get this information.
Wouldn't ARP Probe do that?
-
The AngryIP docs mention using ARP fetching.
-
Trying arping it.
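The thread's open question is whether Guest mode only hides the IP layer or also blocks direct Ethernet traffic, and the suggested test is "attempt direct Ethernet communications" or arping. As an added example (not from this thread, Ubiquiti, or any poster), the Linux-only Python below builds a plain ARP who-has for each address the scanner listed and reports which hosts answer at layer 2; an ARP reply means the guest client can reach that host on Ethernet, so isolation is not holding for it. The interface name, source MAC/IP and target addresses are placeholders, and sending needs root.

```python
import socket
import struct
import time

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, smac, sip, tmac, tip


def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP request (who-has) for target_ip."""
    eth = BROADCAST + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,          # Ethernet/IPv4, opcode 1
                      src_mac, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) if the frame is an ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, hlen, plen, op, smac, sip, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    if op != 2 or hlen != 6 or plen != 4:
        return None
    return smac, socket.inet_ntoa(sip)


def probe_l2(iface: str, src_mac: bytes, src_ip: str, targets, timeout=2.0):
    """Send a who-has for every target and map each answering IP to its MAC.
    Hosts missing from the result never replied: Guest isolation held for them."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    s.settimeout(0.2)
    for ip in targets:
        s.send(build_arp_request(src_mac, src_ip, ip))
    answered = {}
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            reply = parse_arp_reply(s.recv(2048))
        except socket.timeout:
            continue
        if reply and reply[1] in targets:
            answered[reply[1]] = reply[0].hex(":")
    return answered


if __name__ == "__main__":
    # Placeholder values: guest client's own MAC/IP and addresses the scanner showed.
    hosts = ["192.168.1.10", "192.168.1.20"]
    seen = probe_l2("wlan0", bytes.fromhex("020000000001"), "192.168.1.50", hosts)
    for ip in hosts:
        print(ip, "reachable on Ethernet:", seen.get(ip, "no reply (isolated)"))
```

Run it from the guest SSID; any line that prints a MAC is a host the guest client can talk to at layer 2 despite the IP-level pings failing.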