Coffee Shop Network Pentest & Remediation
Real-world engagement / Network security

Coffee shop network pentest & full remediation

An authorized penetration test on a live small business network — uncovering critical vulnerabilities including accessible security cameras via default credentials — followed by a ground-up network rebuild using OPNsense, VLANs, and managed switching.

Tags: Penetration testing · Authorized engagement · Default credentials · OPNsense · VLANs · Network segmentation · Nmap · Firewall rules

Scope: Live business network
Authorization: Explicit consent
Critical findings: 2 critical
Remediation: Complete
Router: OPNsense (custom build)
VLANs deployed: 3 segments

Authorized engagement: This test was conducted with the full knowledge and written consent of the business owners, who are family members. All findings were disclosed immediately. No data was accessed beyond what was necessary to demonstrate the vulnerability. Credentials were changed during the test to prevent third-party access.

Overview

My parents’ cafe was running a typical small business network: a TP-Link mesh router, a handful of devices and a Lorex security camera system, all on the same flat network with no segmentation. When I offered to take a look at it from a security perspective, they agreed and I conducted a structured penetration test against the live environment.

The findings were significant. Within minutes of scanning the network, I identified the security cameras by their MAC address fingerprint, logged into their web interface using factory default credentials that had never been changed, and gained full control of the camera system, including live feeds. A malicious actor posing as a regular customer on the WIFI could have done the same thing.

The engagement didn’t stop at the report. I designed and physically built a replacement network from scratch: a custom OPNsense firewall router running on a repurposed Dell Optiplex, a managed switch and properly segmented VLANs. I turned our pentest findings directly into a remediated infrastructure.


Before & after

Before — original network
  • Single flat network — all devices on the same subnet
  • Customer WIFI and staff devices on the same network
  • Security cameras reachable from guest WIFI
  • Lorex cameras running factory default credentials
  • TP-Link mesh router with no VLAN support
  • No firewall rules between device classes
  • No network visibility or logging
After — rebuilt network
  • Three isolated VLANs — guest, staff, and IoT/cameras
  • Customers on isolated guest VLAN — no LAN access
  • Cameras on dedicated IoT VLAN — unreachable from other segments
  • All default credentials changed on cameras and network gear
  • OPNsense firewall with explicit inter-VLAN deny rules
  • Managed switch enforcing VLAN tagging at port level
  • Separate SSIDs per VLAN with WPA2 on all networks

Penetration test — attack chain

The following documents the steps taken during the authorized test, from initial recon through full camera access. The entire sequence took under 30 minutes from a device connected to the guest WIFI. Diagrams will be used in place of screenshots to protect the confidentiality of the coffee shop’s network infrastructure.

01 · Network reconnaissance (Nmap)
Connected to the guest WIFI and ran a host discovery scan across the entire subnet. Because there was no network segmentation, all devices (including staff machines, the POS system and the camera system) were visible from the guest network.
terminal — host discovery from guest WIFI
nmap -sn 192.168.1.0/24

# All hosts visible from guest network (no segmentation)
192.168.1.1    — TP-Link router
192.168.1.10   — Staff laptop
192.168.1.11   — POS terminal
192.168.1.20   — Unknown device (Lorex Technology OUI)
192.168.1.21   — Unknown device (Lorex Technology OUI)
192.168.1.22   — Unknown device (Lorex Technology OUI)
Flat network — guest devices have full visibility of all hosts including staff machines and camera system
02 · Device fingerprinting (Nmap)
Ran a service and OS detection scan against the unknown hosts. A MAC address OUI lookup confirmed they were Lorex Technology devices; Lorex is a consumer-grade IP camera brand whose factory default credentials are publicly documented.
terminal — service scan on camera hosts
nmap -sV -p 80,443,554,8000 192.168.1.20-22

192.168.1.20:
80/tcp   open  http     Lorex IP camera webserver
554/tcp  open  rtsp     RTSP stream
8000/tcp open  http     Device management interface

# Confirmed: Lorex IP cameras with web management enabled
# MAC OUI: 00:1A:07 → Lorex Technology Inc.
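The defender-side counterpart of this fingerprinting step is an inventory check: parse `nmap -sn` output and flag any host carrying the camera vendor's OUI that is not inside the subnet it is supposed to live in. This is an added example written for this write-up, not part of the original engagement; the scan text is constructed sample data in the real `nmap -sn` layout, and only the 00:1A:07 prefix is taken from the scan notes above.

```python
import ipaddress
import re

# CONSTRUCTED sample in the real `nmap -sn` layout: the flat pre-remediation
# network as seen from a guest-WiFi client. Vendor strings and the non-Lorex
# MACs are made up; 00:1A:07 is the Lorex OUI from the scan notes above.
# The scanning host itself (.50) has no MAC line, exactly as in real output.
SAMPLE_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
MAC Address: 02:AB:CD:00:11:22 (TP-Link)
Nmap scan report for 192.168.1.20
Host is up (0.0041s latency).
MAC Address: 00:1A:07:AA:BB:01 (Lorex Technology)
Nmap scan report for 192.168.1.21
Host is up (0.0039s latency).
MAC Address: 00:1a:07:aa:bb:02 (Lorex Technology)
Nmap scan report for 192.168.1.50
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.50 seconds
"""

CAMERA_OUIS = {"00:1A:07"}   # first three octets identify the camera vendor

# One "scan report" stanza: IP (optionally preceded by a hostname), the
# "Host is up" line, and an optional MAC line with the vendor in parentheses.
_HOST_RE = re.compile(
    r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$"
    r"\nHost is up.*$"
    r"(?:\nMAC Address: ([0-9A-Fa-f:]{17}) \((.*?)\))?",
    re.MULTILINE,
)

def parse_hosts(report):
    """Return [(ip, mac or None, vendor or None), ...] for every live host."""
    return [(ip, mac.upper() or None, vendor or None)
            for ip, mac, vendor in _HOST_RE.findall(report)]

def misplaced_cameras(report, iot_subnet, camera_ouis=CAMERA_OUIS):
    """IPs with a camera OUI that are NOT inside the IoT subnet.

    On the flat network every camera is misplaced; after the rebuild the same
    scan from the guest VLAN should see no camera at all and return []."""
    net = ipaddress.ip_network(iot_subnet)
    return [ip for ip, mac, _ in parse_hosts(report)
            if mac and mac[:8] in camera_ouis
            and ipaddress.ip_address(ip) not in net]
```

Feeding it a saved scan from each VLAN after the rebuild turns the "cameras unreachable from other segments" claim into a repeatable check.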
03 · Default credential access (browser / manual)
Navigated to the camera web interface on port 80. Attempted login using Lorex’s published factory default credentials (admin / admin). Login succeeded immediately. The credentials had never been changed since installation. This granted full administrative access to all cameras.
Critical — full administrative access to live security camera system gained using published default credentials. Live feeds, recordings and system settings all accessible.
04 · Responsible disclosure & credential change (manual)
Immediately after showing the camera access to the business owners, I changed the default password on the camera system to a strong unique password. This closed the immediate risk and prevented any third party from exploiting the same vulnerability before the remediation build was completed. Full findings were documented in a report and walked through with the owners in plain language.
findings summary (excerpt)
# Finding 1 — CRITICAL
Title:    Default credentials on Lorex IP cameras
Impact:   Unauthorized access to live security footage,
          camera controls, and system config
Vector:   Network-adjacent (guest WIFI → camera subnet)
Status:   Remediated — credentials changed during test

# Finding 2 — CRITICAL
Title:    Flat network — no segmentation between guest,
          staff, POS, and IoT devices
Impact:   Any guest WIFI user can reach all LAN hosts
Status:   Remediated — VLAN rebuild (see below)

# Finding 3 — MEDIUM
Title:    Camera RTSP streams unauthenticated on LAN
Status:   Remediated — cameras moved to isolated VLAN

Remediation — network rebuild

Rather than patching the existing TP-Link mesh setup (which has no VLAN support and so could not deliver the segmentation we needed), I designed and built a replacement network from scratch, one that treated the findings as requirements and built proper segmentation in from the ground up.

The router is a Dell Optiplex repurposed as an OPNsense firewall appliance. OPNsense is an open source FreeBSD-based firewall and routing platform used in enterprise environments. Running it on commodity hardware gives full control over firewall rules, VLAN configuration, DHCP, and DNS without the limitations of a consumer router. A managed switch sits downstream of the router, enforcing VLAN tagging at the port level and trunking tagged traffic to the WIFI APs.

Rebuilt network architecture

(Diagram; text recovered from the figure.)

Internet → ISP modem → OPNsense on Dell Optiplex (firewall + VLAN routing, custom firewall rules) → managed switch (VLAN tagging) → WAP 1 (front), WAP 2 (back)

  • VLAN 10 — Guest: customer WiFi, internet only · no LAN, 192.168.10.0/24
  • VLAN 20 — Staff: POS · staff devices, LAN access · no IoT, 192.168.20.0/24
  • VLAN 30 — IoT: Lorex cameras, isolated · no LAN access, 192.168.30.0/24

OPNsense rules: guest → staff DENY · guest → IoT DENY · staff → IoT DENY · guest → WAN ALLOW · staff → WAN ALLOW · IoT → WAN LIMITED · inter-VLAN default: DENY · all rules explicit

VLAN configuration

VLAN 10
Guest network
Customer-facing WiFi. Internet access only. Cannot reach any device on staff or IoT VLANs.
→ WAN only
VLAN 20
Staff network
Staff laptops, POS terminal, printer. Full internet and intra-staff LAN access. Blocked from IoT and guest segments.
→ WAN + staff LAN
VLAN 30
IoT / cameras
All Lorex cameras isolated here. Cannot be reached from guest or staff VLANs. Limited outbound only for NTP and firmware updates.
→ WAN limited

OPNsense firewall rules (excerpt)

OPNsense — inter-VLAN firewall rules
# VLAN 10 — Guest rules
BLOCK  VLAN10  →  192.168.20.0/24   # block guest → staff
BLOCK  VLAN10  →  192.168.30.0/24   # block guest → IoT
ALLOW  VLAN10  →  WAN               # internet only

# VLAN 20 — Staff rules
BLOCK  VLAN20  →  192.168.10.0/24   # block staff → guest
BLOCK  VLAN20  →  192.168.30.0/24   # block staff → IoT cameras
ALLOW  VLAN20  →  WAN               # internet
ALLOW  VLAN20  →  VLAN20            # intra-staff LAN

# VLAN 30 — IoT / camera rules
BLOCK  VLAN30  →  192.168.10.0/24   # block IoT → guest
BLOCK  VLAN30  →  192.168.20.0/24   # block IoT → staff
ALLOW  VLAN30  →  WAN  port 123     # NTP only
ALLOW  VLAN30  →  WAN  port 80,443  # firmware updates
BLOCK  VLAN30  →  WAN               # block all other outbound

# Default inter-VLAN policy
BLOCK  ANY     →  ANY               # implicit deny all
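OPNsense applies the rules on an interface top-down and the first match wins, which is why the two IoT ALLOWs have to sit above the catch-all BLOCK to WAN. As an added example (my own model, not an OPNsense export and not part of the original report), the excerpt above transcribed as an ordered list and evaluated first-match; it simplifies "WAN" to mean any address outside the three VLAN subnets.

```python
import ipaddress
from typing import NamedTuple

# The three VLAN subnets from the rebuild; "WAN" below means any address
# outside them (a simplification: the real rule matches the WAN interface).
VLANS = {"VLAN10": "192.168.10.0/24", "VLAN20": "192.168.20.0/24",
         "VLAN30": "192.168.30.0/24"}

class Rule(NamedTuple):
    action: str        # "BLOCK" or "ALLOW"
    src: str           # source VLAN name, or "ANY"
    dst: str           # destination CIDR, VLAN name, "WAN" or "ANY"
    ports: tuple = ()  # destination ports; empty tuple = any port

# The excerpt above, transcribed in the order it is listed.
RULES = [
    Rule("BLOCK", "VLAN10", "192.168.20.0/24"),
    Rule("BLOCK", "VLAN10", "192.168.30.0/24"),
    Rule("ALLOW", "VLAN10", "WAN"),
    Rule("BLOCK", "VLAN20", "192.168.10.0/24"),
    Rule("BLOCK", "VLAN20", "192.168.30.0/24"),
    Rule("ALLOW", "VLAN20", "WAN"),
    Rule("ALLOW", "VLAN20", "VLAN20"),
    Rule("BLOCK", "VLAN30", "192.168.10.0/24"),
    Rule("BLOCK", "VLAN30", "192.168.20.0/24"),
    Rule("ALLOW", "VLAN30", "WAN", (123,)),      # NTP
    Rule("ALLOW", "VLAN30", "WAN", (80, 443)),   # firmware updates
    Rule("BLOCK", "VLAN30", "WAN"),              # must come AFTER the allows
    Rule("BLOCK", "ANY", "ANY"),                 # explicit catch-all deny
]

def _dst_matches(rule_dst, dst_ip):
    on_lan = any(dst_ip in ipaddress.ip_network(c) for c in VLANS.values())
    if rule_dst == "ANY":
        return True
    if rule_dst == "WAN":
        return not on_lan
    cidr = VLANS.get(rule_dst, rule_dst)      # VLAN name or literal CIDR
    return dst_ip in ipaddress.ip_network(cidr)

def evaluate(src_vlan, dst, port, rules=RULES):
    """First-match verdict for a flow: the first rule whose source, destination
    and port all match decides; later rules are never consulted."""
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.src in ("ANY", src_vlan) and _dst_matches(r.dst, dst_ip) \
                and (not r.ports or port in r.ports):
            return r.action
    return "BLOCK"   # no rule matched: implicit default deny
```

Moving the IoT `BLOCK VLAN30 → WAN` line above its two ALLOWs makes `evaluate("VLAN30", "1.2.3.4", 123)` return BLOCK, so the cameras would silently lose NTP; the same check run against a real rule export catches that kind of ordering slip before it reaches production.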

Findings & remediation summary

Finding · Severity · Impact · Status

1. Default credentials on Lorex cameras (cameras shipped with admin/admin — never changed)
   Severity: Critical  ·  Impact: Full camera admin access from guest WiFi  ·  Status: Remediated
2. Flat network — no segmentation (all devices on a single /24 subnet)
   Severity: Critical  ·  Impact: Guest users can reach POS, staff machines, cameras  ·  Status: Remediated
3. Unauthenticated RTSP streams (camera video streams accessible without credentials on LAN)
   Severity: High  ·  Impact: Live video accessible to any LAN device  ·  Status: Remediated
4. No guest network isolation (guest WiFi had the same LAN access as staff devices)
   Severity: High  ·  Impact: Customers could attempt lateral movement to POS  ·  Status: Remediated
5. Router using default admin password (TP-Link admin panel accessible with default credentials)
   Severity: Medium  ·  Impact: Full router config access to any LAN device  ·  Status: Remediated

Outcome: The rebuilt network has been running in production at the coffee shop since deployment with zero issues. All three VLANs are operational, the cameras are fully isolated, and the guest network provides internet access without any visibility into business systems. The OPNsense dashboard provides ongoing visibility into traffic and firewall activity that the previous TP-Link setup had no equivalent for.


What I learned

01 · Default credentials are endemic
Consumer IoT devices like cameras, routers and NAS boxes almost universally ship with default credentials that owners never change. This single finding is responsible for a huge number of real-world small business breaches. It’s low-hanging fruit that’s genuinely dangerous.
02 · Flat networks are catastrophic for small businesses
A coffee shop with a POS system, cameras and an unprotected public WiFi on the same /24 is a liability waiting to happen. Network segmentation is not just an enterprise concept. Any business taking card payments needs a guest network that cannot reach the POS.
03 · OPNsense on commodity hardware
Building a firewall router on a repurposed Dell Optiplex gave me hands-on experience with a real firewall platform used in production environments. I got experience with VLAN interfaces, firewall rule ordering, DHCP scopes per segment and trunk port configuration on a managed switch.
04 · Communicating findings to non-technical stakeholders
Writing a findings report for my parents meant translating technical vulnerabilities into plain business risk: “someone on the cafe WIFI could watch your security cameras” lands very differently than “unauthenticated RTSP stream exposure.” This communication skill matters just as much as the technical work.