Set up a guest network that’s actually secure

From the February 1st Plus newsletter

By Brian Livingston

In the computer industry, too many things that should be simple and easy are instead complicated and hard for the average person to understand. Take Wi-Fi routers — please!

In my column on January 25, I showed you a way to protect your most essential computing devices by placing them on a different network from easy-to-hack Internet of Things devices. The trick uses two different Wi-Fi routers.

Let’s say that Router #1 is a cable company’s typical interface device: a gateway, which is a cable modem and Wi-Fi router in a single box. You’d connect the gateway via an Ethernet cable to a second Wi-Fi router. Perhaps you purchased the second unit to get a stronger signal, a whole-house mesh system, or better security. See Figure 2 of my previous column. (DSL and fiber-optic systems are beyond the scope of this series.)

But what if you have only one device? A cable company often installs a gateway that offers several wired Ethernet ports as well as Wi-Fi. In that case, you don’t have two devices to play with — you have just one.

One popular suggestion in blogs is to set up a “guest” network. The hope is that your IoT devices — and any human visitors with laptops — connected to the guest network cannot see or harm the computers on your main network.

In an ideal world, every consumer-grade router would come out of the box with a main network and one or more guest networks already configured. When you plug in the router for the first time, its software would walk you through the steps. Just enter a different passphrase and SSID (service set identifier) for each network — and you’re all done!

In the messy world of computer gizmos, it ain’t that easy.

I wish I could write a superficial 1-2-3 on the correct way to create a guest network on your particular router. But I can’t in good faith do so. There are hundreds of variations. Setting up your own guest network is a situation in which you actually need to pull out your device’s user guide and RTFM (read the fine manual).

Instead, what I can do here is reveal what the manuals don’t tell you.

Couldn’t guest networks just be simple? Afraid not!

Figure 1. Many routers can make your most valuable equipment accessible, if you inadvertently check “Allow guests to access my local network.” Source: Screen shot of TP-Link setup app (orange highlighting added)

I spoke with router security expert Michael Horowitz. He was, among other things, the Defensive Computing blogger for Computerworld from 2009 to 2017.

The truth is that certain routers isolate every guest client from every other one, so IoT devices that need to talk to each other (or to your phone) simply won’t work on the guest network. And some routers make it difficult or impossible to put IoT devices on a guest network without also giving the gadgets access to the valuable computers you’re trying to keep secure.

Matters can get ridiculously complex. One of Horowitz’s websites includes a checklist of 20 features that routers should and shouldn’t have. (See his article’s Section 8 on guest networks.) Frankly, some routers don’t work the way their manual says they do. Others incorporate behaviors that make no sense at all.

Look out for these hard-to-grok features

Let me share with you some major “gotchas” to watch for, based on Horowitz’s experience:

  • TP-Link. Some TP-Link routers have check boxes in their setup routines that can “Allow guests to see each other” and “Allow guests to access my local network.” These options can expose your visitors and your computers to security risks if you check the boxes without knowing the consequences. (See Figure 1.)
  • ASUS. You may see an “Access intranet” option. Turning it on removes the wall between devices on the guest network and computers on the main network.
  • NETGEAR. At least some routers from this brand include check boxes you can turn on in their setup routines that say, “Allow guests to see each other and access my local network.” You may not realize that the word “access” could include “delete files from my primary work computer.”
  • AmpliFi. This brand includes Alien standalone routers and HD mesh systems. By default, each creates a guest network without a password. You configure the guest network on one screen, but you must assign it a passphrase on another. Neither model offers a sharing option between the main and guest networks, should you need one.
  • D-Link. Guest networks are called “guest zones” by D-Link. The DIR-X5460 router, to name one example, allows for two such networks. Make sure you enable “Internet access only” to prevent devices on the guest network from accessing the main network.
  • Eero. A subsidiary of Amazon, eero routers provide no configuration options for their sole guest network. The eero app says guest users are blocked from streaming audio, but this may not actually be foolproof.
  • Linksys. In a January 2021 review of the firm’s EA8300 router, Horowitz criticizes the device’s limitation to problematic Wi-Fi channels. The company’s choices slow your Internet access due to interference from neighboring routers. Worse, users have no way to change the channels’ configuration.
  • Synology. Model RT2600ac, one of several Synology offerings, supports up to two guest networks. If you create two, they do share the same subnet, which might be a concern. But Horowitz’s tests confirm that guest devices can be correctly isolated from each other.
  • TRENDnet. The setup app has a check box titled “Internet Access Only (prevents guests from accessing the private LAN network).” Here the logic is reversed from the brands above: clearing the check box, not checking it, is what makes you less secure.
  • Google Wi-Fi. Devices with the Google brand control connections between the guest and main networks with a feature called On.Here. It is “always enabled,” according to a help document. Fortunately, computing devices on the main network must be individually configured as shared, using the mobile app. Otherwise, they are protected from the guest network.

Maybe it’s better not trying to set all of this up

Whew! If the above variations make it sound like setting up a guest network is a crapshoot, you’re right. We’re all pioneers with arrows in our backs when it comes to the morass of configuration options in today’s Wi-Fi routers.

Let me say it again: The simplest way to isolate visitors and IoT devices from your essential computer systems is to use two separate routers. That’s what I describe in my January 25 column. Horowitz has a more detailed explanation on his Second Router page. It costs more to acquire two routers, but it may save you quite a bit of time.

For you hard-core masochists, the truly techno option: a VLAN

Given all his testing, you may think Horowitz has a favorite solution. He does. It’s a super-configurable router with a dizzying array of options.

Horowitz’s recommended router maker is Peplink. The company’s entry-level Pepwave Surf SOHO router sells for about $200 in the US through authorized retailers. (Horowitz says he receives no commission.)

The Surf SOHO is one of the few consumer-oriented routers that implement a sophisticated network-isolation method known as a virtual local area network (VLAN). A VLAN lets one router carry several logically separate networks, each on its own subnet, over the same hardware. The device supports as many as 16 different Wi-Fi networks. Each network, with its own SSID and passphrase, can be placed on its own VLAN and isolated from the others. Alternatively, you can permit devices to see one another; whether two networks may talk becomes a deliberate choice rather than a check box you might misread.

A detailed technical description of every option, including a “secret handshake,” is provided on Horowitz’s VLAN page.

Well, my head hurts just from thinking about all of this. Someday, the computing industry will streamline how the Internet of Things actually connects to the Internet — the way all 4K televisions at least try to play 4K content. Until then, to keep our devices secure, we have to wade through the router complexity as best we can. Stay safe out there!


The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new book Muscular Portfolios. Get his free monthly newsletter.
