Kitz ADSL Broadband Information

Author Topic: How best to implement a second, isolated wireless LAN  (Read 6588 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
How best to implement a second, isolated wireless LAN
« on: August 29, 2016, 11:55:59 PM »

What's the easiest way to provide a second wireless LAN on which users can only access the Internet? And no access to other boxes on the wired or wireless LAN(s), apart from the router obviously.

(Sincere apologies if I've asked this question already?)

I have my Firebrick router and a ZyXel NWA-3560-n WAP to work with, and I'm assuming I might possibly need additional kit. (Actually, I have a second ZyXel WAP, same model, but that box needs debricking, and I'm too foggy to work out how to do it.)
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 4099
Re: How best to implement a second, isolated wireless LAN
« Reply #1 on: August 30, 2016, 01:17:06 AM »

Here's a tutorial for DD-WRT
It might help in some way.
I don't know the Firebrick at all, but some routers have guest access, which creates a 2nd SSID that only allows access to anything else connected to that SSID (and the internet of course).

I suspect if it can be done on the Firebrick, a separate SSID will be the way to go.
Logged
Talktalk FTTP 550/75 - Speedtest - BQM

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #2 on: August 30, 2016, 01:44:33 AM »

I already have a separate SSID for guests to use, created by the ZyXel. This is set to disallow clients on that SSID from accessing each other, but I don't know if that setting prevents them from accessing boxes on the wired LAN other than the router.

The Firebrick is not a _wireless_ router, btw. It might have a role to play though, but I can't see how.

I have a HP switch, HP 1820-24G  (J9980A), which isn't I believe powerful enough to apply custom security policies, although it can handle VLANs iirc.
 
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: How best to implement a second, isolated wireless LAN
« Reply #3 on: August 30, 2016, 08:20:49 AM »

Can't speak for Zyxel, the Billion achieves this using so-called 'interface grouping'.

So far as I recall, I created groups, one including all the wired LAN ports and our 'private' SSID, the second includes just the guest SSID. These two groups are then isolated from one another.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #4 on: August 30, 2016, 01:00:57 PM »

@sevenlayermuddle - that's useful, knowing what kind of likely terminology products might use. Thanks, I'll keep an eye out.

The Firebrick could do this kind of thing easily, but how to effectively attach an object in a Firebrick to an SSID isn't so clear. It would presumably need a second physical WAP, but that wouldn't immediately solve the problem of how to confine the WAP to only be able to talk to the Firebrick. It would need a spare free port on the Firebrick or use of a VLAN or something. The latter is I suspect the way to go.
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: How best to implement a second, isolated wireless LAN
« Reply #5 on: September 02, 2016, 03:22:32 PM »

VLAN would be the normal way to do guest wireless.  Have a separate VLAN (and subnet) on your LAN, with appropriate firewall rules.  Then either a separate standalone AP on an access port on that guest VLAN, or with a more capable AP you'd stick it on a trunk and configure the AP to map SSID to VLAN.   That second scenario is the configuration we use for customers with conventional APs.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: How best to implement a second, isolated wireless LAN
« Reply #6 on: September 02, 2016, 03:49:43 PM »

Guest mode is the answer; many routers nowadays have this as a built-in function.

If yours doesn't have it then it becomes more complicated, but generally Linux-based routers should be capable of doing so via exotic configurations.

Basically add a second IP range in your LAN, and then firewall off access for that IP range from the rest of your LAN so it can only use WAN traffic.
Logged
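
The subnet-plus-firewall approach from the two replies above, as an added example (not part of any post, and not Firebrick or Zyxel configuration): a small first-match policy model in Python that audits whether a guest rule set really keeps guests off the LAN. All addresses, rule sets and function names are constructed assumptions.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed addressing plan (assumption; no value here comes from the thread).
GUEST = net("192.168.50.0/24")       # guest VLAN / second IP range
GUEST_GW = net("192.168.50.1/32")    # router's address on the guest side
PRIVATE = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

# First-match rules for packets the router receives from the guest segment:
# (action, source, destination, protocol or None, destination port or None)
GUEST_RULES = (
    [("allow", GUEST, GUEST_GW, "udp", 53)]                   # DNS on the router
    + [("deny", GUEST, dst, None, None) for dst in PRIVATE]   # nothing into any LAN
    + [("allow", GUEST, net("0.0.0.0/0"), None, None)]        # everything else: WAN
)
# Same rules with the catch-all allow moved to the top: a common ordering mistake.
MISORDERED = [GUEST_RULES[-1]] + GUEST_RULES[:-1]


def decide(rules, src, dst, proto, port):
    """Return the action of the first matching rule; default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, r_proto, r_port in rules:
        if (src in src_net and dst in dst_net
                and r_proto in (None, proto) and r_port in (None, port)):
            return action
    return "deny"


def audit(rules):
    """Return the names of isolation checks that the rule set fails."""
    guest = "192.168.50.23"  # constructed guest client
    checks = [
        ("LAN host blocked", "192.168.1.10", "tcp", 445, "deny"),
        ("other internal subnet blocked", "10.0.0.5", "tcp", 22, "deny"),
        ("DNS via router allowed", "192.168.50.1", "udp", 53, "allow"),
        ("Internet allowed", "203.0.113.7", "tcp", 443, "allow"),
    ]
    return [name for name, dst, proto, port, want in checks
            if decide(rules, guest, dst, proto, port) != want]


if __name__ == "__main__":
    # Guest-to-guest traffic stays inside the guest subnet and never reaches
    # these rules; that part is the AP's inter-client isolation setting.
    print("correct order:", audit(GUEST_RULES) or "isolated")
    print("misordered:   ", audit(MISORDERED))
```
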

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #7 on: September 03, 2016, 01:39:25 AM »

The Firebrick can handle VLAN tags on attached devices, but I don't see much of a mention of VLAN manipulation in the limited docs that I have, and also my experience of VLAN tag rewriting is zero. I'm just too stupid (and drugged up) to grok the terminology of VLAN handling in LAN switches. So VLAN solution is probably out. Not a reflection of its merits, more about me.

Chrysalis’ last suggestion is perhaps the way to go. Could be a use for the second Firebrick, now that I accidentally have ended up with two.

Whether I go down this road ultimately depends on Mrs Weaver’s plan and the economics of it, as would need to find some more bandwidth, and also would need to get Mrs Weaver’s users to pay for what they use as it is not going to be a loss-maker. And those are other unsolved problems. 3G over WLAN might be another option, which makes the isolation problem instantly go away, but the traffic charges would be terrifying unless safely recoverable.
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: How best to implement a second, isolated wireless LAN
« Reply #8 on: September 03, 2016, 09:40:09 AM »

guest mode is the answer, many routers now days have this as a built in function....
Doesn't that rely on the wireless being integral to the router? Otherwise without Layer 2 separation, if the guest subnet is simply overlaid over the normal one, how does the AP separate them onto separate SSIDs?
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: How best to implement a second, isolated wireless LAN
« Reply #9 on: September 03, 2016, 01:43:56 PM »

Don't know, as I don't use guest mode. But guest mode is there for that purpose, to give guests internet access but not LAN access.

You also have things like the Wi-Fi hotspot system the major ISPs use where someone outside can use the Wi-Fi from the homehub or whatever to get online but they will have no LAN access.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #10 on: September 03, 2016, 04:25:14 PM »

I should also clarify that my routers which are Firebrick FB2700 series, don't have wireless. I'm using ZyXel NWA-3560-n (and TPLINK 5GHz outdoor) WAPs to give WiFi.

I'd be interested in other models of business-class sophisticated WAPs. I'm lured towards Ubiquiti,  because I could get support from AA, and RevK has tested them on Apple kit including having workaround for problems in the combination of iOS and Ubiquiti networking subsystems. I don't know anything at all about Ubiquiti though, I'm going on blind faith which is probably not wise.

The ZyXel has support for dual frequencies, multiple SSIDs, Wi-Fi inter-client isolation, scripting of some sort for which I don't have documents, a CLI and object oriented web UI, which is very well-structured even though the web UI is annoyingly sluggish and buggy in places. The device needs a much more powerful processor to run the web UI, and its Wi-Fi performance could be faster on 802.11n. I need multiple WAPs, longer range 5 GHz, and one day, will need 802.11ac when I get some more modern iPads. (I currently have only one device that supports 802.11ac, an iPad 6 belonging to Mrs. Weaver. The iPad 5 I'm writing this on only has 802.11n.)
« Last Edit: September 03, 2016, 04:28:27 PM by Weaver »
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: How best to implement a second, isolated wireless LAN
« Reply #11 on: September 04, 2016, 09:43:02 AM »

... I'd be interested in other models of business-class sophisticated WAPs. ..
Based on what we've deployed for customers, other than Cisco of course ..

Meraki APs do a built-in guest function. If you enable a Guest SSID then the AP issues a 10.x.x.x address to the guest clients, and NATs (sorry) their traffic onto the AP's host address within your LAN. Firewalling is all done by the AP, you configure rules for what the guests can and can't talk to. All cloud managed, just plug the AP in somewhere it can get a DHCP address and reach the Internet to pick up its configuration. It's expensive though, and you need to renew the subscription.

At a lower price point we've also used Openmesh for some small business applications. They don't do a canned guest solution like Meraki, but support up to four SSIDs mapped to different VLANs. http://www.utilitynetworks.co.uk/shop/open-mesh/category/36-open-mesh-access-points.html Cloud managed with no subscription.

I've played with Aerohive as well, that's sort of hybrid cloud managed in that you can SSH to the devices and manually configure, I don't think they really add anything except that I got a free AP from them for registering on a reseller webcast.   Function seems OK but price is comparable to Meraki.
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: How best to implement a second, isolated wireless LAN
« Reply #12 on: September 04, 2016, 09:54:57 AM »

Isn't Meraki controlled by the cloud? What happens if their servers go down, do you lose your wifi?
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #13 on: September 04, 2016, 11:16:53 AM »

So the Meraki's a wireless router, not just a mere access point: it can NAT and has a DHCP server in it?
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #14 on: September 04, 2016, 11:18:58 AM »

@aesmith - And Cisco WAPs, Tony? You're a Cisco fan?
Logged