User profile for user: JoelcYYZ
JoelcYYZ Author
User level: Level 1
46 points

Is an Airport Extreme's Guest Network a Separate Network

I am thinking of purchasing an Airport Extreme and am intrigued by the idea of setting up a separate network as a Guest Network but want to do so in such a way that the Guest Network connected devices do not have access to the computers or resources on the Primary Network.


I know I can do this by setting up separate sub networks by using a subnet mask such as 255.255.255.192 but am interested in easier ways of accomplishing this. This leads me to ask the following:


1. Is the Airport Extreme's Guest Network a separate network from Primary Network such that the Guest Network connected devices do not have access to the computers or resources on the primary network?


2. If the answer to the above is yes then


a) What IP Address ranges are handed out to the primary network and what IP Address ranges are handed out to the Guest Network?


b) What method / how is the Primary Network separated from the Guest Network [i.e. is it through a subnet mask, is it through a VLAN, etc.]? Please provide as much detail possible as I really want to understand this.


c) What is the best way to test that this works [i.e. could / would it be as simple as connecting a printer with a web interface to the Primary Network and trying to access that printer's web interface from the Guest Network]?


Thanks for all the help!

MacBook Air, OS X Yosemite (10.10.2)

Posted on Jan 30, 2015 6:44 PM

Reply
18 replies
User profile for user: Bob Timmons
Bob Timmons
User level: Level 10
185,114 points

Jan 30, 2015 7:06 PM in response to KiltedTim

The guest network hands out addresses in the same range as your primary network

This is not correct.


Apple uses simple VLAN technology for the primary and guest networks. By default, devices on the primary network get IP addresses in the 10.0.1.x range, while devices on the guest network get IPs in the 172.16.42.x range.


You can easily see the IP ranges that your AirPort router is using in AirPort Utility.



.User uploaded file


Is the Airport Extreme's Guest Network a separate network from Primary Network such that the Guest Network connected devices do not have access to the computers or resources on the primary network?

Correct.


What IP Address ranges are handed out to the primary network and what IP Address ranges are handed out to the Guest Network?

Check AirPort Utility. You can change these ranges if you wish. The default from primary network is 10.0.1.x and guest is 172.16.42.x


What method / how is the Primary Network separated from the Guest Network [i.e. is it through a subnet mask, is it through a VLAN, etc.]?

As mentioned above, Apple uses a simple VLAN on the AirPort routers.


What is the best way to test that this works [i.e. could / would it be as simple as connecting a printer with a web interface to the Primary Network and trying to access that printer's web interface from the Guest Network]?

You are asking a different question here. Connect the printer to he private network and then see if you can print from the guest network.

Reply
User profile for user: KiltedTim
KiltedTim
User level: Level 10
226,008 points

Jan 31, 2015 5:24 AM in response to Bob Timmons

Bob Timmons wrote:


The guest network hands out addresses in the same range as your primary network

This is not correct.


Apple uses simple VLAN technology for the primary and guest networks. By default, devices on the primary network get IP addresses in the 10.0.1.x range, while devices on the guest network get IPs in the 172.16.42.x range.


You can easily see the IP ranges that your AirPort router is using in AirPort Utility.



.User uploaded file


Thanks for the correction. It's been quite a while since I configured mine. Now I realize that mine is in bridge mode and DHCP is being handled by the router that serves as the primary gateway. Devices on both the primary and guest network get addresses in the same range on my network, but it's not because of the Airport.


Since the device that serves as the primary gateway is not configured to support VLANs (indeed, it doesn't support VLANs at all), it's more likely that routing rules are being used to prevent traffic from propagating to the wrong network.

Reply
User profile for user: KiltedTim
KiltedTim
User level: Level 10
226,008 points

Jan 30, 2015 6:48 PM in response to JoelcYYZ

You don't have to worry about subnetting. The guest network hands out addresses in the same range as your primary network, but devices connected to the guest network will not be permitted to route to any device on your internal network. The Airport Extreme (and the Express for that matter) is a router. It knows how to handle that. It's just simple routing rules.


If you want to test it, just hook up a device to the primary network and try to ping it from a device connected to the guest network. You won't be able to.

Reply
User profile for user: JoelcYYZ
JoelcYYZ Author
User level: Level 1
46 points

Jan 30, 2015 6:56 PM in response to KiltedTim

KiltedTim wrote:


You don't have to worry about subnetting. The guest network hands out addresses in the same range as your primary network, but devices connected to the guest network will not be permitted to route to any device on your internal network. The Airport Extreme (and the Express for that matter) is a router. It knows how to handle that. It's just simple routing rules.



Appreciate the response and presumably the simplicity of Apple's solution...that said, could you please explain how this is accomplished as I would very much like to understand how this works....thx...


KiltedTim wrote:



If you want to test it, just hook up a device to the primary network and try to ping it from a device connected to the guest network. You won't be able to.


I will give this a try as I am most interested in the results [i.e. I don't doubt you!].


[center]***[\center]


Three additional points come to mind:


1. As far as the guest network is concerned presumably the devices connected to this network will have internet access?


2. If I setup a Guest Network will it be 2.4 GHz or 5.0 GHz?


3. Is there any way to restrict the Guest Network to a defined and incremental block of IP Addresses so that those devices can be easily identified?


Thx...

Reply
User profile for user: KiltedTim
KiltedTim
User level: Level 10
226,008 points

Jan 30, 2015 7:06 PM in response to JoelcYYZ

1. That's correct.

2. Yes

3. No


As for how the guest network does its thing... A routers job it to "route" traffic. It knows that a device connected to the guest network is only allowed to talk to things outside of your local network. It will only route traffic from those devices out through the default gateway on your network. It will not allow the device to talk to any other device on your network. If you want to understand how, do some reading. I've spent 25 years working with networks. Trust me. It works.

Reply
User profile for user: JoelcYYZ
JoelcYYZ Author
User level: Level 1
46 points

Jan 30, 2015 7:51 PM in response to Bob Timmons

Bob Timmons wrote:

What is the best way to test that this works [i.e. could / would it be as simple as connecting a printer with a web interface to the Primary Network and trying to access that printer's web interface from the Guest Network]?

You are asking a different question here. Connect the printer to he private network and then see if you can print from the guest network.


Bob, I think that I am still on point here in that we are continuing to discuss the separation of the Primary Network from the Guest Network...to be clear, even though I think this is obvious, would a good test of the separation on the networks be to connect a printer to the 10.0.x.x. network and connect a macbook to the 172.16.x.x printer and try to add the 10.0.x.x. to the macbook in that the separation of the networks should make this a not possible...do I have this correct?

Reply
User profile for user: JoelcYYZ
JoelcYYZ Author
User level: Level 1
46 points

Jan 30, 2015 8:08 PM in response to Bob Timmons

Bob Timmons wrote:


If you have a printer connected to the primary or private network, users on the guest network will not be able to print to it. They won't even be able to "see" it.


By the same token, if you install a wireless printer for the guest network, users on the primary network will not be able to "see" it or print to it.


Thx for confirming my thinking / understanding...will test / try this out as well just to satisfy myself...

Reply
User profile for user: JoelcYYZ
JoelcYYZ Author
User level: Level 1
46 points

Jan 31, 2015 12:34 PM in response to Bob Timmons

@ Bob Timmons, thank-you, everything worked exactly as you said form the Guest Network and the Private Network being separate networks [i.e. 172.16.42.x versus 10.0.1.x], to not being able to see the printers on the Guest Network, to being able to see the printers [on the Private Network], etc.


The only thing I could not -- because I do not know how -- test is when I change form 5GHz to 2.4 GHZ...how can I test this on a MBA...does the NetWork Utility / Info / Link Speed point the way.


Thanks.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Is an Airport Extreme's Guest Network a Separate Network

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up