Guest SSID surprises on home wireless router

My current home Internet provider is CenturyLink, and with that I’m using their recommended Zyxel C1100Z “modem”.

Via the modem’s web interface you can configure up to 4 SSIDs. I have one set up for my devices with strong security settings, and another set up for guests with weaker security settings. One thing that surprised me: when I checked the list of attached devices, devices attached to the guest SSID were allocated IP addresses in the same address range as, and could communicate with, devices attached to my trusted home SSID.

The Zyxel C1100Z will let you create LAN subnets with different IP address ranges and settings, but a device on one subnet can still communicate with devices on another LAN subnet: the modem passes traffic between them with no filtering at all. The separate range does at least give you something to filter on. A host firewall (on hosts that have one) can drop traffic whose source is the guest range (e.g. 192.168.100.0/24). That is a weak mitigation, though: it protects only hosts that run a firewall, and a guest device that gives itself a static address in the trusted range sidesteps a source-based rule entirely unless the modem itself rejects spoofed sources.

This is lunacy, though. Why would you create separate SSIDs with different security settings if the attached devices cannot be isolated from one another? I suspect that most users do not realize this. A few settings do differ per SSID, such as bandwidth throttling, but those are secondary to securing the network. Needless to say, my guest network now has the same security settings as my trusted home network.

I wondered if I had overlooked a setting somewhere, so I called to confirm with CenturyLink. The technician there was able to identify the SSIDs I had configured, suggesting that they have a backdoor into the modem they provided.

The moral of the story is: never use the equipment provided by your ISP.
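As an added example (not from the original post or the Zyxel firmware), here are the two nftables rulesets that correspond to the workarounds discussed on this page: the host-firewall drop of the guest range mentioned above, and the router-side forward rule that the commenters below were hoping to configure by hand on the modem. The interface names br-lan and br-guest and the trusted range 192.168.1.0/24 are assumptions; 192.168.100.0/24 is the range used as the example above. The functions only print the rulesets, so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original post or the Zyxel firmware.
# Both functions emit an nftables ruleset as text; apply one with e.g.
#   host_guest_block | sudo nft -f -
# Assumed values (not from the post): trusted LAN 192.168.1.0/24 on br-lan,
# guest subnet on br-guest. 192.168.100.0/24 is the post's example range.

TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"
GUEST_NET="${GUEST_NET:-192.168.100.0/24}"
TRUSTED_IF="${TRUSTED_IF:-br-lan}"
GUEST_IF="${GUEST_IF:-br-guest}"

# 1. Host-side workaround from the post: a trusted host drops anything that
#    arrives from the guest range. Replies to connections the host itself
#    opened toward a guest device still pass because of the conntrack rule;
#    the log line gives you something to look at when a guest does probe.
host_guest_block() {
  cat <<EOF
table inet guestblock {
  chain input {
    type filter hook input priority 0; policy accept;
    iif lo accept
    ct state established,related accept
    ip saddr ${GUEST_NET} log prefix "guest-drop " counter drop
  }
}
EOF
}

# 2. Router-side isolation, the rule the modem's GUI does not offer: traffic
#    forwarded from the guest interface toward the trusted interface is
#    dropped. Guests keep Internet access because only that one direction is
#    blocked, and the trusted side can still reach guest devices (a printer,
#    say) because replies match the conntrack accept rule.
router_isolate() {
  cat <<EOF
table inet guestisolate {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    iifname "${GUEST_IF}" oifname "${TRUSTED_IF}" counter drop
  }
}
EOF
}

# Print both rulesets when run as:  sh guestblock.sh show
if [ "${1:-}" = "show" ]; then
  host_guest_block
  echo
  router_isolate
fi
```

The forward rule only works if guest and trusted clients sit on separate bridges or VLANs. When the firmware puts both SSIDs into a single bridge, frames between them are switched at layer 2 and an IP-layer forward hook never sees them, which is why a rule of this kind cannot simply be bolted onto a modem that bridges everything together; the firmware would have to split the bridge first.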

7 thoughts on “Guest SSID surprises on home wireless router”

  1. I just joined CenturyLink.. I’m using the exact same hardware as you.. and I noticed the exact same problem.

    My main network has DHCP assigning addresses in the 192.168.1.xxx range. My guest network has DHCP assigning addresses in the 192.168.2.xxx range. When I run an FTP server in my main network, a client in my guest network can connect to it. WTF?

    My intention is to allow devices running untrusted firmware/apps in the guest network.. so they can’t eavesdrop on unencrypted traffic in the main network.. or run port scans.. or potentially infect secure hardware with malware.. etc.

    The thing is.. the wireless router that comes baked into this modem is really darn good.. in terms of the power of its 2.4 GHz radio transmitter. It's performing just as well as my high-end Asus router.. that's currently not needed. However, the Asus runs WRT-Merlin.. and the firmware in the Zyxel isn't great.. so the Asus may need to come out of its early retirement. Shame.

    I’d be interested if anyone has figured out a way to configure the firewall to disallow traffic between the LAN subnets.

  2. PS: bandwidth throttling doesn’t appear to work at all. I tried to limit the guest network to 1Mbps, but clients that connect to it and run a speed test can download at full speed.

    That’s not a deal-breaker for me. Though I’d rather that they omit the feature, than to make me believe that a setting is active when it is not.

  3. PPS: after using telnet to connect to the modem (using the login credentials that are configured with the admin GUI), a prompt is displayed. The command “sh” seems to launch a BusyBox shell, but it requires a password. Neither the password for the admin GUI, nor the telnet login are accepted. Does anybody know how to get past this password prompt? I want to poke around inside the shell and see if iptables can be manually configured (outside of the GUI).

  4. What was the outcome of this? I just got my C3000Z today and while I wanted to use my existing load balancing router, it was not gigabit ethernet capable, so I have spent the better part of today trying to configure the C3000Z to have subnet VLANs and can't seem to find a way to limit the subnets from talking to one another. Thus it seems like a new router is the only real solution? (Surprising because we know the C3000Z is capable of VLAN tagging because it tags all its traffic on the WAN port. I'd be very surprised if it didn't have the capability to do it on the LAN ports.)

  5. Anyone ever figure out how to correct this? Or have a good guide to separating network traffic?

  6. Here I am in 2023 running into the same issues with the C1100Z. Any solutions to this yet?
