New ISP and router = new WiFi SSIDs or no? (Sky)

They don't broadcast the guest SSID, i.e. they don't broadcast the guest network at all.

My bad; sounded like you were simply "hiding" the SSID which does absolutely sweet-fa.

...the room locking is controlled by very tight RSSI values. In effect the Guest network is geofenced to the public areas of my house.

How does setting a minimum RSSI offer security though?
I see where you're coming from in that it kind-of-ish (squinty eyes) makes it harder for the average Joe/device who happens to walk by but it doesn't prevent someone/a device connecting to an AP :confused:

Each to their own, although I'm still not convinced a residential open guest network is a smart move when closing it and sticking a QR code somewhere for guests is a lot more secure and less hassle to me.
 
How does setting a minimum RSSI offer security though?
I see where you're coming from in that it kind-of-ish (squinty eyes) makes it harder for the average Joe/device who happens to walk by but it doesn't prevent someone/a device connecting to an AP :confused:

Each to their own, although I'm still not convinced a residential open guest network is a smart move when closing it and sticking a QR code somewhere for guests is a lot more secure and less hassle to me.

The question wasn't aimed at me, but my take on it is that it's a bit like security through obscurity though not as bad as that. Like people that move SSH on an internet facing Linux box from port 22 to port 2222 because they think it'll stop SSH brute force attack attempts. It doesn't.

It prevents people connecting because the wifi signal isn't broadcast outside of the area that @WJA96 wants it to be so if there's no signal then there's nothing to connect to. It'd have to be VERY tightly controlled RSSI settings though to guarantee that there's no signal emitted past the desired border.

It's not the way I'd do it but I can see why it's done.

QR codes aren't secure. The password is encoded but not encrypted and it's encoded in a very well published standard. It's trivial to get a password from a QR code.
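To make the "encoded but not encrypted" point concrete, here is an added example (not part of the original post) that parses the text a Wi-Fi QR code carries once any scanner has decoded the image. It assumes the widely used `WIFI:T:...;S:...;P:...;;` payload layout with backslash escaping; the sample payload and the function names are constructed for illustration.

```python
# Added illustration: the text payload carried by a Wi-Fi QR code.
# Assumed layout: WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;;
# with a backslash escaping any of  \ ; , : "  inside a value.

SAMPLE = r"WIFI:T:WPA;S:Guest\;Lounge;P:correct\:horse\\battery;H:false;;"  # constructed


def split_fields(body):
    """Split on unescaped ';', resolving backslash escapes as we go."""
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields


def parse_wifi_payload(text):
    """Return the raw key/value fields (T, S, P, H) of the payload."""
    if not text.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    out = {}
    for field in split_fields(text[len("WIFI:"):]):
        key, sep, value = field.partition(":")
        if sep:  # skips the empty field produced by the closing ';;'
            out[key.upper()] = value
    return out


def summarize(text):
    """Show what anyone who can photograph the code learns from it."""
    f = parse_wifi_payload(text)
    auth = f.get("T", "nopass")
    return {"ssid": f.get("S", ""), "auth": auth, "password": f.get("P", ""),
            "hidden": f.get("H", "false").lower() == "true",
            "password_readable": auth.lower() != "nopass" and bool(f.get("P"))}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A printed QR code is therefore the passphrase written down in another alphabet: it wants the same handling as a password on a sticky note.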
 
The question wasn't aimed at me, but my take on it is that it's a bit like security through obscurity though not as bad as that. Like people that move SSH on an internet facing Linux box from port 22 to port 2222 because they think it'll stop SSH brute force attack attempts. It doesn't.

It prevents people connecting because the wifi signal isn't broadcast outside of the area that @WJA96 wants it to be so if there's no signal then there's nothing to connect to. It'd have to be VERY tightly controlled RSSI settings though to guarantee that there's no signal emitted past the desired border.

It's not the way I'd do it but I can see why it's done.

QR codes aren't secure. The password is encoded but not encrypted and it's encoded in a very well published standard. It's trivial to get a password from a QR code.

It's set to -40dBi so it is very tight and I’ve swept the area with a spectrum analyser and it’s not ‘leaky’.

I believe I have 3 levels of security

Firstly, my guest network is totally separate from my home ‘private’ and home ‘business’ networks.

Secondly, my guest network is broadcast only in the public areas of the house. I can do this because I have a UAP-IW-HD (or the EA equivalent ;)) in every room and I can control the gain and transmit power so as to limit the emissions so I can set the hard-kick on the RSSI at -40dBi. Literally you get maximum signal on your handheld or you get booted off. It’s a cliff.

Thirdly, anyone who is connected to my guest WLAN has to pass the traffic through Untangle and that limits bandwidth and does the web filtering. And it’s set up pretty tightly. As an example of how tightly, someone once complained they couldn’t access the national lottery website and that was because Untangle has it listed as a gambling website.

And no, I don’t emit a visible SSID for my personal home network on the garden and garage access points because I don’t see why I should tell anyone how I structure my naming of my WLAN SSIDs.
 
It prevents people connecting...

It prevents a device connecting, or the AP bouncing a device, if it isn't within the RSSI threshold set; it doesn't, however, stop a device connecting if it does.
And I see where @WJA96 is coming from but it's in the same vein as MAC address filtering or hiding the SSID; it makes life harder for average Joe but it's fairly trivial to spoof a MAC address or sniff a hidden SSID (name) unfortunately.

And I'm not trying to tell anyone how to suck eggs, it was purely the reasoning behind why you would have an open guest network versus closed when, in my opinion, the advantages of it being open don't stack up when it comes to security.
With it closed then you're only allowing access to known people/devices and a randomer, by and large, is having to brute-force to gain access <- and if that is happening then I think you have bigger issues.

QR codes aren't secure.

Of course but it's purely for the convenience (for connecting to a guest network) because who's got time to type in a stupidly long mixed character WIFI password? :D
 
It prevents a device connecting, or the AP bouncing a device, if it isn't within the RSSI threshold set; it doesn't, however, stop a device connecting if it does.
And I see where @WJA96 is coming from but it's in the same vein as MAC address filtering or hiding the SSID; it makes life harder for average Joe but it's fairly trivial to spoof a MAC address or sniff a hidden SSID (name) unfortunately.

So they have to be INSIDE my house to connect to the guest WiFi. Literally, the living room, dining room, kitchen and the two guest bedrooms. You can’t connect anywhere else, even inside the house. The RSSI is set so low that if they leave the room, the WLAN drops off.

And if you’re in the house then I have allowed anyone to connect to my guest network. But they do have to be inside the house.
 
The RSSI is set so low that if they leave the room, the WLAN drops off.

I'm not au fait with Ubiquiti gear but is that purely by setting a minimum RSSI threshold or are you setting TX power as well?

Although wouldn't increasing the TX power of the STA (station/client device) improve the RSSI as perceived on the AP and, potentially, push the STA into the set minimum RSSI threshold?

Edit - I know I've taken the OP way off topic, so apologies for that!
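The question above, whether the client's own transmit power shifts the minimum-RSSI boundary, can be put into numbers with a simple link budget. This is an added example, not part of the thread: it assumes a log-distance path-loss model on a 5 GHz channel and reads the "-40" setting as a threshold in dBm on the signal the AP receives from the client; the client names, power levels and wall loss are constructed.

```python
import math

THRESHOLD_DBM = -40.0  # assumed reading of the thread's "-40" minimum-RSSI setting
FREQ_MHZ = 5180.0      # assumed 5 GHz channel
EXPONENT = 3.0         # assumed indoor path-loss exponent (free space is 2.0)

# Constructed clients: name -> transmit EIRP in dBm (not measured values).
CLIENTS = {"iot-sensor": 10.0, "phone": 15.0, "laptop": 20.0}


def loss_at_1m_db(freq_mhz=FREQ_MHZ):
    """Free-space path loss at the 1 m reference distance."""
    return 20 * math.log10(freq_mhz) - 27.55


def rssi_at_ap(client_eirp_dbm, distance_m, wall_loss_db=0.0, ap_gain_dbi=0.0):
    """Signal the AP receives from the client (log-distance model)."""
    path_loss = loss_at_1m_db() + 10 * EXPONENT * math.log10(distance_m)
    return client_eirp_dbm + ap_gain_dbi - path_loss - wall_loss_db


def ap_accepts(client_eirp_dbm, distance_m, wall_loss_db=0.0):
    """The minimum-RSSI rule: keep the client only at or above the threshold."""
    return rssi_at_ap(client_eirp_dbm, distance_m, wall_loss_db) >= THRESHOLD_DBM


def max_distance_m(client_eirp_dbm, wall_loss_db=0.0, ap_gain_dbi=0.0):
    """Distance at which the received signal falls exactly to the threshold."""
    budget = (client_eirp_dbm + ap_gain_dbi - wall_loss_db
              - THRESHOLD_DBM - loss_at_1m_db())
    return 10 ** (budget / (10 * EXPONENT))


def acceptance_radii(wall_loss_db=0.0):
    """Per-client radius inside which the AP would keep the association."""
    return {name: round(max_distance_m(eirp, wall_loss_db), 2)
            for name, eirp in CLIENTS.items()}


if __name__ == "__main__":
    for walls, label in ((0.0, "same room"), (5.0, "through one assumed 5 dB wall")):
        print(label, acceptance_radii(walls))
```

Under these assumptions the radius is set by the client's transmit power as much as by the AP's threshold, so a sweep made with one device characterises the boundary for that device only.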
 