Guest LAN - what ports to open?

q54e3w

Im just in the process of creating a guest network for visitors to use. Im curious if there are any established best practices of what to open and what not too.

currently

I block all guest traffic from guest to my other non guest subnets
I allow DNS (53) and NTP (123) to my router
I allow the following ports out:
    HTTP (80 & 8080 & 443)
    SMTP (587 & 465)
    IMAP (143 & 993)
    Ephemeral (49152:65535)

Im specifically interested to hear if I should allow DNS & NTP out but would appreciate any feedback or advice as to other services I should consider providing.

thx!

KOM

Are you trying to prevent them from doing something specifically?  If not, just open it up.

q54e3w

actually, thats a very good point, thank you. I was stuck in the mindset of keeping ports locked down unless actually needed but you raise a good point re guests - there isn't anything I don't want them doing except hacking my personal files and photos etc so I can relax and open up for them. Appreciate the pointer, thanks

doktornotor

I'd keep port 25 closed, though. ;)

marvosa

At work, this is what we're allowing on our guest network:

TCP
www
https
ftp
smtp

UDP
DNS
NTP

Some small issues that have come from being so locked down:

• No VPN (e.g. IPsec) connections can be made, so vendors are unable to make secure connections to their corporate offices

• No IMAP connections can be made, .e.g. people trying to use the Gmail app from their phone/tablet are blocked

we have some paranoid people here, but I'm with KOM, from my perspective locking down guest wireless just creates unnecessary tickets!  LoL!  I mean… it's guest... it should be isolated from your production network and throttled if it's sharing your main connection.  IMO... why create extra management overhead by locking it down and having to revisit syslogs and rules every time there's a question/issue?

Stick it on a separate vlan/interface, throttle it and be done.  Then that's the the last you'll ever hear of it... vs. fielding questions and tickets and troubleshooting why this doesn't work and why can't we get to that, etc.

NOYB

LOL

I've been employed by companies blocking everything under the sun too.  Like you they probably thought no VPN connections could be made too.  So I did VPN connection to home and used my own ISP connection for external access anyway.  And that was even on the corporate business network, not the guest network.

If the powers that be are really concerned about guest access they should block everything and require guests to use a VPN to their own service, company, etc.  But I think the real reason isn't that they are concerned about security etc. or whatever.  But rather they are power and control freaks who need something to hang their hat on to justify their employment.  And this also allows them to snoop and collect information on/from their guests.

KOM

It also depend on what you mean by 'guests'.  Personal friends in your house, or paying customers at the villa?