deny clients on guest

Topics pertaining to SRM usage, usability and management
Forum rules
Synology Community is the new platform for the enthusiasts' interaction, and it will soon be available to replace the Forum.
pergola.fabio
Student
Student
Posts: 74
Joined: Thu Jul 12, 2018 7:42 pm

deny clients on guest

Unread post by pergola.fabio » Fri Sep 14, 2018 12:45 pm

is it possible to deny / ban devices on the guest network? but they still need to access the normal wifi :)

strange question :)

but i dont want our internal business users to accss the guest network , where they can do anything they want...

guest network is in other words only for visitors

Babylonia
Virtuoso
Virtuoso
Posts: 1299
Joined: Tue Jul 26, 2016 10:47 am

Re: deny clients on guest

Unread post by Babylonia » Fri Sep 14, 2018 12:58 pm

Indeed a strange question.
- Internal business users should be using the "normal" network and normal WiFi access
- A "guest" network is separated from that normal network, and specially used for "visitors"

You can even use a setting that those visitors / guests have no access to each other by "AP isolation".
So they only have access to internet, but have no access to whatever other device or client within the network,
not your own internal business network, not even to other visitors. So a pure solely access to internet.

More or less comparable / related, but by other functions, a few weeks ago you was asking < THIS >.
So what is your goal?
RT1900ac / DS213j / DS415+ / DS218+ (at different locations).

pergola.fabio
Student
Student
Posts: 74
Joined: Thu Jul 12, 2018 7:42 pm

Re: deny clients on guest

Unread post by pergola.fabio » Fri Sep 14, 2018 1:36 pm

well, we have company rules, so that ofice/internal users are not allowed todo stuff, like visting websites, nzb, torrent, therefore i created rules... but they are smart, they just disconnect the lan cable, access the guest wifi, and off they go :)

thats why i want to disallow the internal users to access the guest

Babylonia
Virtuoso
Virtuoso
Posts: 1299
Joined: Tue Jul 26, 2016 10:47 am

Re: deny clients on guest

Unread post by Babylonia » Fri Sep 14, 2018 3:19 pm

How did you limit the use of these services for your own employees for outgoing connection?
By making firewall rules for the main "company's" used sub-net?

You can also limit connection for the guest sub-network by comparable firewall rules.
E.g. only allowing using e.g for port 80, 443 for outgoing connections. Next firewall rule, deny for all.
In that situation remote access to a NAS or other other Synology router using port 5001 or 8001 can not be used.
(To figure out, I tried this for myself, and that kind of blocking by firewall rule is working ---> no access).

I don't know which ports are used for services like nzb / torrent?
RT1900ac / DS213j / DS415+ / DS218+ (at different locations).

pergola.fabio
Student
Student
Posts: 74
Joined: Thu Jul 12, 2018 7:42 pm

Re: deny clients on guest

Unread post by pergola.fabio » Sat Sep 15, 2018 12:10 pm

yes, i created rules

but i dont want to allow only 80/443 on guest
i want that the internal users CANT access the guest wifi at all , by mac address or something
so basicly to create a rule that specific laptops cant acess the guest

Babylonia
Virtuoso
Virtuoso
Posts: 1299
Joined: Tue Jul 26, 2016 10:47 am

Re: deny clients on guest

Unread post by Babylonia » Sat Sep 15, 2018 2:47 pm

That brings more work to do, If clients login, you have to know which laptob or client name (and by that their MAC-address) belongs to users to block.

As by Synology options you can not block by "MAC-address", you should follow another approach.
Give those laptobs a fixed IP-address (by MAC-address) within the guest WiFi sub-net range, by a certain order.
E.g. labtop one to five do give fixed IP-adresses within the guest sub-net by consequtively numbers.

Block the range of IP-addresses that are used by thoses laptobes for accessing the external network.
So if they login by the guest WiFi network (they still can), the have no internet access at all.
Last edited by Babylonia on Sat Sep 15, 2018 3:37 pm, edited 1 time in total.
RT1900ac / DS213j / DS415+ / DS218+ (at different locations).

pergola.fabio
Student
Student
Posts: 74
Joined: Thu Jul 12, 2018 7:42 pm

Re: deny clients on guest

Unread post by pergola.fabio » Sat Sep 15, 2018 2:51 pm

ok, thats indeed a good approach, thnx for the tip

pergola.fabio
Student
Student
Posts: 74
Joined: Thu Jul 12, 2018 7:42 pm

Re: deny clients on guest

Unread post by pergola.fabio » Sun Sep 16, 2018 7:46 pm

hmm, problem

i dont see an option todo mac-reservation on the guest network wifi

ps: dhcp on local 192.168.x is off on synology, i use anther server for dhcp

tips?

Babylonia
Virtuoso
Virtuoso
Posts: 1299
Joined: Tue Jul 26, 2016 10:47 am

Re: deny clients on guest

Unread post by Babylonia » Sun Sep 16, 2018 10:24 pm

pergola.fabio wrote:
Sun Sep 16, 2018 7:46 pm
ps: dhcp on local 192.168.x is off on synology, i use anther server for dhcp
You didn't say that before. In that occasion the "DHCP Clients" and "DHCP Reservation" are greyed out.
But there is a work around for it.

Do use DHCP-server by the Synology router, just temporarily.
By that, at least "DHCP Clients" and "DHCP Reservation" are accessible (not greyed out anymore).
You can set your devices for a fixed IP-address.
Afterwards switch off the main DHCP-server of the Synology router again, by your personal choice.
(WiFi Guest DHCP IP-range is still active, if only the main DHCP server is disabled).
Reboot your router to release old IP-addresses.

After reboot. The fixed Guest IP-addresses are still active now.
(I did testing for myself using my phone and a smart app called "FING".
After reboot of my router, and my mobile phone).
RT1900ac / DS213j / DS415+ / DS218+ (at different locations).

pergola.fabio
Student
Student
Posts: 74
Joined: Thu Jul 12, 2018 7:42 pm

Re: deny clients on guest

Unread post by pergola.fabio » Sun Sep 16, 2018 10:29 pm

ok, thnx for the testing :)

maybe another approach :

is there also some kind of package, so if users access the guest network, they are redirectec to some kind of login page, so they need an account ?

Babylonia
Virtuoso
Virtuoso
Posts: 1299
Joined: Tue Jul 26, 2016 10:47 am

Re: deny clients on guest

Unread post by Babylonia » Sun Sep 16, 2018 10:40 pm

I know what you mean, but not a possibility for the Synology guest WiFi network till yet.

Personally I don't care for this missing feature. As mostly in occasions where such an extra "login" by a special webpage is needed for a guest network, it is not working without issues (at least my experience). Very annoying.
RT1900ac / DS213j / DS415+ / DS218+ (at different locations).

pergola.fabio
Student
Student
Posts: 74
Joined: Thu Jul 12, 2018 7:42 pm

Re: deny clients on guest

Unread post by pergola.fabio » Mon Sep 17, 2018 7:27 am

Thx for all the info, appreciate it

Post Reply

Return to “Installation and Configuration”