
Apple Airport Express guest network not really secure?

I've set up several of these devices and they work quite well but I set up the guest network on one and it's in the 172.X.X.X range and the local network is actually on the 192.X.X.X network. If I go to Start and Run and type in \\server it doesn't work but if I do \\192.168.1.2 it asks for the server credentials and allows someone to pull data! That's not a true "guest" network! Is this expected and normal? Do I need to return this device to the store and use something that actually protects the internal network?

Posted on Apr 28, 2015 11:21 AM

13 replies

Apr 30, 2015 2:12 PM in response to GreatGeek

So, how will guests....who will all be on the 172.x.x.x range......even know that you have other devices on another subnet?....and even if they might, how will they know what IP address range is being used on the private network? Further, how would they know the correct IP address to reach your server?


And, even if they reach the server.....since you surely have the device protected with a password....how will they know what password to use?


A casual user.....about 99% of users....will have no idea about how you have your network configured.


So, to answer your question.....Do I need to return this device to the store and use something that actually protects the internal network?

The answer would be "Yes", if you know that your guests will be advanced users, who have the desire and time to learn everything about your network that they will need to know to be able to crack it.


But, if that will be the case.....do you really want them as guests?


If yes, then you will need to start searching for a router that does not use VLAN technology for the guest network function. Your search may be very, very long.

Apr 30, 2015 8:11 PM in response to GreatGeek

OK thanks. I am not familiar with Windows so I don't know what that command does, but for what it's worth an Express's Guest Network is as separate from its other one as yours is from mine or anyone else's. My IP addresses are all in the range 10.0.x.x and there are several of them in three US states operating pretty much all the time. Various Sharing services are enabled, so those systems are most definitely open to the Internet.


Go ahead and try to access them. You will find that you cannot, not without login credentials. The same holds true of Guest Network.

May 4, 2015 5:35 PM in response to Bob Timmons

Bob, I understand your argument but that doesn't answer the question or help with a resolution. What if the guest account was left wide open for guests at a business? Are you telling me it's ok for the guest account to allow access to a server on the same network if a car pulls up into a parking lot and grabs a connection on the wifi from the guest network? I submit that it is NOT acceptable! If this device cannot do a TRUE guest network and "jail" the users into just internet access, how many companies and homes are at risk? What if a person has it set up at home and has open shares? All a basic hacker would need is a network analyzer to find the file shares!


Once again, does anyone (especially an Apple employee) have a remedy to this situation or is this just a HUGE security hole that no one is discussing?

May 4, 2015 6:05 PM in response to GreatGeek

Once again, does anyone (especially an Apple employee) have a remedy to this situation or is this just a HUGE security hole that no one is discussing?

No one from Apple will ever answer here, on a user to user forum. If you want to speak to Apple, you will need to call them.


It seems that you do not understand that Apple routers are designed for use in a home among casual users. The AirPorts are not designed to be, nor will they ever be, business grade routers.


If you need a business grade router, it would make little sense to consider a router designed for home use.

May 4, 2015 6:16 PM in response to GreatGeek

GreatGeek wrote:


I've set up several of these devices and they work quite well but I set up the guest network on one and it's in the 172.X.X.X range and the local network is actually on the 192.X.X.X network. If I go to Start and Run and type in \\server it doesn't work but if I do \\192.168.1.2 it asks for the server credentials and allows someone to pull data! That's not a true "guest" network! Is this expected and normal? Do I need to return this device to the store and use something that actually protects the internal network?

It is not actually expected and normal. The guest network should be on a separate vlan to the main network. So even if you can get connection without wireless credentials the only access should be to the internet.


Tell us a bit more of the setup.


What is the main router? Is it set up to isolate vlans?

What about the switch.. again, is it managed or not, and how are the vlans set up?


What you might find is the Express is designed to work with the Extreme and in extend wireless mode where the network is correctly vlan isolated.


Have you tried another brand of wireless AP, with a guest mode.. because this might actually be a problem of the main router.. as it should not allow access.


I am not saying the Express are perfect by any means.. and people do occasionally report guest network functioning when it should not be.


What model and firmware are they running..?


Are they plugged into the network by ethernet and set up in bridge.. then create a wireless network? Is it set up for roaming rather than extend or have you mixed them??


In the case where you use them in roaming.. the guest network should not work unless there is an airport extreme running as main router to provide vlan support.. or you have a managed switch.
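
An added example (not part of any post in this thread, and not Apple's code): a check to run from a client joined to the guest network, confirming that file-sharing ports on main-LAN hosts you own do not answer. The guest address `172.16.42.15/24` and the function names are assumptions made for illustration; `192.168.1.2` is the server address from the original post, and TCP 445 and 139 are the ports behind a `\\host` file-share connection.

```python
import ipaddress
import socket

# RFC 1918 private ranges; a guest client should reach none of them beyond its own subnet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def tcp_reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def isolation_failures(guest_iface, targets, ports=(445, 139), probe=tcp_reachable):
    """List (target, port) pairs on other private subnets that answer from the guest side.

    guest_iface: this client's guest address with prefix length, e.g. "172.16.42.15/24".
    targets:     main-LAN addresses you own and expect to be unreachable from guest.
    """
    guest_net = ipaddress.ip_interface(guest_iface).network
    failures = []
    for target in targets:
        addr = ipaddress.ip_address(target)
        if addr in guest_net:
            continue  # same subnet as the guest client: not a cross-network test
        if not any(addr in net for net in RFC1918):
            continue  # public address: internet access is the intended guest behaviour
        for port in ports:
            if probe(str(addr), port):
                failures.append((str(addr), port))
    return failures


if __name__ == "__main__":
    # Constructed guest address; the target is the server named in the original post.
    for host, port in isolation_failures("172.16.42.15/24", ["192.168.1.2"]):
        print(f"NOT ISOLATED: guest client reached {host}:{port}")
```

An empty result means none of the listed hosts accepted a connection on those ports from the guest side; any printed line means the credential prompt on the server is the only barrier left.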

May 6, 2015 11:44 AM in response to LaPastenague

Bob, it's called saving money. When a client says go cheap and make sure it has a guest network and you happen to be 1 hour 1/2 from a major city, you buy what they have and what you are familiar with.


LaPastenague, they have a simple setup, except for the Engenius dishes that wirelessly connect the two offices together. They have two layer 2 switches on each side so there are no vlans that can be set up. I have a cheap Meraki device at my office that also is not on a vlan and it doesn't act this way. The guest network is a true separated network. I guess I'll just have to take this junky thing back to the store and send them a pre-configured Meraki device.


It still doesn't answer the question on how this makes sense for a home user to have a guest network that could connect someone to their local network that could grab their personal files from a local share. Very poor design.

May 6, 2015 3:43 PM in response to GreatGeek

It still doesn't answer the question on how this makes sense for a home user to have a guest network that could connect someone to their local network that could grab their personal files from a local share. Very poor design.

As I said it is not normal.. if I turn on the guest network in my setup.. it doesn't work because the apple router is not acting as the main router.. if it did the vlan would control access.. what you are seeing is a bug.. I have seen it reported but cannot duplicate it here.. and for most people in home setups it should not happen.


But you have discovered the truth that Apple routers are domestic and not to be used in business setups.

May 6, 2015 3:51 PM in response to GreatGeek

It does make sense for the vast majority of users in a home situation.


Modem > AirPort Extreme > Devices.

The guest network is enabled, and you are my guest

You have the password to connect to the guest network via wireless

How will you know what IP address range that my main network is using?

If you have hours and hours of time, you might be able to guess correctly, so now you are on the main network.

How do you access the files on my computer without the admin password?

May 13, 2015 9:08 AM in response to GreatGeek

But 99% of home and casual users don't know this. And, even if they did....and they were devious enough to try to poke around on a private network.....how will they access a hard drive or computer that is password protected?


The Apple routers are fine as far as guest network capability for the vast majority of home users....the target customer for Apple's routers.


You already know that you cannot expect a router designed for home use to provide business level security, so stop complaining about the fact that a product does not do something that it was not designed to do. Replace the Apple router with another product that will do what it was designed to do and get over it.

May 13, 2015 9:23 AM in response to Bob Timmons

You are missing the point. There is a HUGE security flaw in these devices no matter how much you want to try to apologize away the issue for Apple. It may not need a fix but it certainly needs to be known by everyone who buys one of these crappy things. If you allow guest access to your network then you need to know there is a major security risk here.


Aside from that, my question has been answered so I'll throw this piece of flawed junk in the trash and buy something else.
