Guest Network able to open RDP sessions on network

Question

Hi There&nbsp;We've purchased and setup an RBR50 ad RBS50 to add a mesh&nbsp; into our small office network, we had some dead spots with our previous equipment and this has resolved these issues,&nbsp;The RBR50 is connect directly into our wired nework and configured as an Access Point (AP) as is the RBS50, the wired back haul is working correctly, we're able to wirelessly connect to our office network, browse servers and NAS, printers, RDP sessions etc.&nbsp;Having set the guest network up, with "Allow guests to see each other and access my local netowrk" turned off, all seems well. Guests have reliable internet connections and are unable to browse our network....&nbsp;However, guests can start RDP sessions onto our servers. Obviously these are account and password protected so we are somewhat protected, though this leaves me unsettled that this could happen, it seems that the guest network is not fully disconnected.&nbsp;Firmware is current v2.3.5.30, and the firmware update is saying there are no further updates, however i can manually download v2.5.1.8.&nbsp;Is this a problem that has been seen before and has been cleared up in this later firmware?&nbsp;it seems like a blindingly obvious secruity flaw

tomschmidt · Answer

l11nad, I was concerned when I saw your question posted here.&nbsp; So I duplicated your testing.&nbsp; I bound my laptop to my guest network and could not access any local resources, including using Remote Desktop.&nbsp; I could only use RDP to my desktop from my laptop when on my primary network.&nbsp; When on the guest network, the hostname is not resolvable for my desktop, so I used the 192.168.1.X IP assigned to it and it still could not open an RDP connection.&nbsp; Are you sure that you do not have RDP tunneled through the firewall to the internet in your router settings to allow this?&nbsp; i.e. you allow RDP to mypc.mydomain.com from the internet?&nbsp; I used firmware v2.5.1.8 on my RBR50 and RBS50 satellites for my testing, so perhaps this is an issue with your v2.3.5.30 firmware if you don't allow internet RDP access.

CrimpOn · Answer

I did a similar test, opening Orbi Guest access and not allowing guest devices to see the primary network. Connected my phone, and it behaves as expected. No access. However....

I cannot test in AP mode (having only a modem, and I don't want to go fetch an old router to stick in the middle of all this).
My phone did get an IP address in the primary subnet. (This is one of the ways that Orbi WiFi 6 appears to be different from my Orbi WiFi 5. I hear that the guest network on Orbi WiFi 6 is in a different subnet.)

So, the Orbi is not going to let a guest device access the primary network, but what about the router that Orbi is connected to?
@I11nad said "Guests have reliable internet connections and are unable to browse our network....."
I wonder how this works? Shouldn't the primary router just see packets from a subnet going to IP's on the same subnet?

This is very confusing.

How was this "unable to browse" tested?
(ping? network scanner like Fing? trying to use a printer?)
Does AP mode somehow recognize IP's from the guest network and shut them out?
Way Cool. Pretty slick programming for an "access point".
Or, does RDP actually go out to the internet and then back into the network?

tomschmidt · Answer

Thanks&nbsp;CrimpOn&nbsp;for noting that&nbsp;l11nad&nbsp;was using AP mode, not Router mode on his Orbi.&nbsp; My Orbi is in router mode, and I do not want to break things either by adding a different router between my modem and Orbi and putting the Orbi in AP mode.&nbsp;l11nad, I suspect your issue is due to your primary router allowing the access, as it has no means of distinguishing the Orbi guest and primary networks.&nbsp; For this to work properly, you need to remove your primary router and let the Orbi be in router mode rather than AP mode.&nbsp; You have a double NAT situation which is not recommended.&nbsp; Search for "double NAT" on the community forums or google for more information about it.

CrimpOn · Answer

tomschmidt&nbsp;wrote:l11nad, I suspect your issue is due to your primary router allowing the access, as it has no means of distinguishing the Orbi guest and primary networks.&nbsp; For this to work properly, you need to remove your primary router and let the Orbi be in router mode rather than AP mode.&nbsp; You would then have a double NAT situation which is not recommended.&nbsp; Search for "double NAT" on the community forums or google for more information about it.Please see my edit above.&nbsp; There is currently one router.&nbsp; Putting the Orbi into router mode would create the Double-NAT.&nbsp;This is a fascinating situation.&nbsp; I will dig out my spare Orbi and attach it in AP mode to see what happens.&nbsp; (Not a trivial exercise, so it will take some time.)&nbsp; Will not duplicate the OP's router, but it's the best I can do.

tomschmidt · Answer

I should have re-read my reply before posting.&nbsp; It would only be in a double NAT situation if both routers where in router mode.&nbsp; Since the Orbi is in AP mode, all clients get their DHCP assignments from the primary router in between the modem and the Orbi.&nbsp; The primary router has no way to distinguish systems on the Orbi network, it won't know if they are using the wired LAN ports, primary WiFi or guest WiFi.&nbsp; So if the PCs that are being allowed RDP access from the guest network are on the primary network of the primary router, then this will not be filtered from other clients on the primary router.&nbsp; They would only be guests on the clients bound to the Orbi.&nbsp;l11nad, are the PCs that are being allowed RDP access from the guest WiFi on the primary router, or are they on the Orbi?

Forum Discussion

Guest Network able to open RDP sessions on network

7 Replies