We've Added Guest SSID Support
SPR now supports dedicated Guest WiFi networks! This convenient feature provides internet access to visitors while maintaining separation from your primary network.
Why Guest Networks Matter
Guest networks create a separate access point on your router that allows visitors to connect to the internet without accessing your main network. It can be a hassle to go through the SPR setup flow for visistors, so the guest network is configured to work with a static password for ease of use.
Common Problems with Guest Networks
While guest networks offer convenience, they come with some security compromises that network administrators should understand:
The Shared Password Problem
The Achilles' heel of most guest networks is the shared WiFi password. This single point of failure creates multiple attack vectors:
- Identity Spoofing: When everyone uses the same credentials, any guest can impersonate another
- Rogue AP Vulnerability: Attackers with the password can create fake access points mimicking your network to get device's traffic
- Traffic Interception: With WPA2, sophisticated attackers can passively collect and decrypt network traffic
WPA3 provides some protection against passive decryption attacks, but doesn't solve the fundamental shared-credential vulnerability.
Insufficient Isolation Mechanisms
Many router implementations fall short with their isolation strategies:
- Superficial Barriers: Many systems rely solely on hostapd's built-in AP Isolation, which provides a false sense of security
- Routing Vulnerabilities: Without robust firewall rules, clever attackers can bypass basic isolation methods
- ARP Spoofing: Inadequate network segmentation can lead to containment failures
SPR's Hardened Guest Network
SPR takes guest networking seriously by implementing:
- True VLAN Isolation: Complete network segmentation that goes beyond typical AP isolation
- Defense-in-Depth: Multiple security layers working together to maintain separation
- Modern Security: Support for WPA2 and the more secure WPA3 (SAE) authentication protocols
- Policy-Based Routing: Sophisticated firewall rules that enforce strict boundaries
Default Policies for Guests
- Internet-Only: By default, guest devices can only access the internet, not other local network devices
- Device Isolation: Guest devices cannot communicate with each other, preventing potential lateral attacks
- No API/Router Access: Guest devices cannot access the router administration panel, API, or SSH
For most use cases, we still recommend our primary network's per-device password system as the gold standard for security. Reserve the guest network for temporary visitors where the convenience/security tradeoff makes sense.
How to Configure
Setting up your guest network is straightforward:
- Navigate to the Guest Network tab in the WiFi Settings Pane
- Enable the Guest SSID option
- Configure your authentication settings (we recommend enabling both WPA2 and WPA3)
- Set your Guest SSID name and password
- Save your configuration
The guest network operates on the same radio hardware as your main network. While extra beacons do use up airtime, there's no additional hardware needed.
Feedback
We'd love to hear your feedback on this new feature! Please share your experiences and suggestions on our discord
Note: Guest SSID support is available on SPR from version 1.0.12