Kitz ADSL Broadband Information

Author Topic: How best to implement a second, isolated wireless LAN  (Read 6589 times)

aesmith

  • Kitizen
  • Posts: 1216
Re: How best to implement a second, isolated wireless LAN
« Reply #15 on: September 04, 2016, 02:09:17 PM »

So the Meraki's a wireless router, not just a mere access point: it can NAT and has a DHCP server in it?

The NAT and DHCP are purely for any guest SSIDs.

Cisco of course.  With the standalone APs you connect on a trunk and map SSIDs to Ethernet VLANs.   The AP looks after authentication and wireless parameters, but all IP stuff, routing and firewalling is dependent on whatever handles the VLANs.

I'd be quite confident that the Firebrick would support VLANs, but they do seem a little idiosyncratic as well as powerful.

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #16 on: September 04, 2016, 06:51:41 PM »

The only mention I have noticed of VLANs (but I could easily be wrong) in the Firebrick docs is in connection with PPPoE modems that are multiplexed onto a physical Ethernet port by using one VLAN per modem to keep the PPPoE systems mutually isolated. This allows the Firebrick user to exploit more modems than can be accommodated by the limited number of Ethernet ports if a VLAN-handling switch is used. Since BT wanted to charge me a million pounds for installing another couple of lines, I never got to explore life with five modems and VLANs.

But I don't remember seeing any of the kind of functions in the FB docs that a VLAN-manipulating switch can provide such as tag rewriting, or VLAN-based routing.

aesmith

  • Kitizen
  • Posts: 1216
Re: How best to implement a second, isolated wireless LAN
« Reply #17 on: September 18, 2016, 12:55:36 PM »

I've been reading up a bit more on Openmesh and their Cloudtrax management.  It looks as if they implement a guest network in the same way as Meraki, meaning no need for VLANs or anything more than straightforward firewall rules.   Someone said we were getting some demo kit, so I'll see if we can get that function on the bench to see what happens at the network level.   You're talking £80 to £100 per AP, and I'd put them equivalent to Ubiquiti, sort of low-end corporate.   We've deployed Openmesh to a couple of customers. 

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #18 on: November 27, 2016, 02:11:20 PM »

By accident I have managed to solve this problem finally, very cheaply.

(I had thought of all kinds of schemes involving VLANs which were ugly and complicated. I had also hit on the idea of using a second Firebrick router (since I have a spare) to police the guest wireless LAN on a separate WAP. But that obviously means I have to buy another access point and, what's worse, waste a precious 2.4GHz channel devoted to the Guest SSID. I had also thought about doing the same thing by buying a cheap Ethernet wireless firewall/router.)

The other day I upgraded the software in my existing ZyXel NWA3560-n WAPs. Quite unexpectedly I discovered that the upgrade had added a load of very valuable features, many completely undocumented. After a lot of digging around and searching in the docs for other ZyXel products, I discovered the meaning of a mysterious new L2 Isolation feature.

When the L2 Isolation (Layer 2 Isolation) option is selected for an SSID object, you specify a link to another object containing a list of MAC addresses, a whitelist. With L2 Isolation selected, the stations in the SSID in question cannot talk to any nodes on the wired LAN or wireless stations in other SSIDs. The whitelist is a list of exceptions to this rule, holes in the L2-layer firewall surrounding the SSID, my Guest WLAN, so that the guest stations are allowed to talk to certain machines such as the gateway and the DHCP server and anything else you please. This allows the Guest WLAN clients to access the Internet, which is the whole point, but nothing else.

So job done, and no extra kit needed nor any really ugly complex config. I have a small maintenance burden though - I need to be careful to remember to maintain the list of MAC addresses, which currently contains only the MAC address of the router, and update that should I ever swap the router out, or else one day guests will be unable to access the Internet or acquire IP addresses and I will be left wondering why.

(There is another option “Intra BSS something-or-other” - which I was already using - which prevents stations in an SSID from talking to others in that same SSID. Useful but not what I needed. It at least would stop guests from attacking other guests.)

Chrysalis

  • Content Team
  • Addicted Kitizen
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: How best to implement a second, isolated wireless LAN
« Reply #19 on: November 28, 2016, 05:22:12 AM »

I believe I know of the feature, but a word of warning: I suggest you actually check that they cannot talk to wired clients because, as far as I am aware, it's there to keep wireless clients isolated from each other but has no effect on wired devices.

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How best to implement a second, isolated wireless LAN
« Reply #20 on: November 29, 2016, 04:51:47 AM »

I did check that I can't access a wired node when logged in on the guest WLAN. Seems to do the job fine.

I just wish that ZyXel let you specify a wildcarded MAC address in a list entry, or a range, rather than just a single address. For some reason the Firebrick FB2700 router can adopt different MAC addresses, according to the docs. So to be safe I would have to add dozens of alternative contiguous MAC addresses just for the one device.

I haven't noticed it changing MAC address on me but who knows. It apparently picks a MAC address from a distinct 1024-wide range assigned to a unit and then writes this address (or addresses poss.) into flash so it will remain sticky and persist past a reboot. The current address ends in :09, why, I don't know.
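The isolation rule Weaver describes in replies #18 and #20, modelled as an added example (this is not ZyXel firmware, Firebrick code, or anything posted in the thread): a frame sent by a station on the guest SSID is forwarded only if its destination MAC matches a whitelist entry, while guest-to-guest frames are decided by the separate intra-BSS blocking option. The single-address entry mirrors what the NWA3560 UI accepts; the aligned-block entry is the hypothetical range match the post wishes for, sized to the 1024-wide allocation the Firebrick docs are said to describe. Every MAC address below is a constructed sample value, and the broadcast handling is a modelling assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample addresses (locally administered; not taken from the thread).
GATEWAY_MAC = "02:00:5e:10:00:09"  # router's current address; ends in :09 like the post's
GATEWAY_ALT = "02:00:5e:10:03:f1"  # another address inside the same 1024-wide block
WIRED_NAS   = "02:00:5e:20:00:01"  # wired LAN host that guests must not reach
GUEST_A     = "02:00:5e:30:00:0a"  # two stations on the guest SSID
GUEST_B     = "02:00:5e:30:00:0b"

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer; reject anything else."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(n: int) -> str:
    return ":".join(f"{(n >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


@dataclass(frozen=True)
class MacEntry:
    """Whitelist entry: `base` with its low `free_bits` bits wildcarded.
    free_bits=0  -> one exact address (what the NWA3560 UI accepts).
    free_bits=10 -> a 1024-wide aligned block (hypothetical range entry)."""
    base: int
    free_bits: int = 0

    @classmethod
    def single(cls, mac: str) -> "MacEntry":
        return cls(mac_to_int(mac), 0)

    @classmethod
    def block(cls, mac: str, free_bits: int) -> "MacEntry":
        n = mac_to_int(mac)
        return cls(n & ~((1 << free_bits) - 1), free_bits)  # align down to the block base

    def matches(self, mac: str) -> bool:
        return (mac_to_int(mac) >> self.free_bits) == (self.base >> self.free_bits)

    def size(self) -> int:
        """Number of single-address entries this one replaces."""
        return 1 << self.free_bits

    def __str__(self) -> str:
        suffix = f"/{48 - self.free_bits}" if self.free_bits else ""
        return int_to_mac(self.base) + suffix


class GuestSsidFilter:
    """Forwarding decision for a frame sent by a station on the L2-isolated guest SSID."""

    def __init__(self, whitelist: Iterable[MacEntry], intra_bss_blocking: bool = True):
        self.whitelist = list(whitelist)
        self.intra_bss_blocking = intra_bss_blocking

    def forward(self, dst: str, *, dst_is_guest_station: bool = False) -> bool:
        if dst_is_guest_station:
            # Guest-to-guest traffic is the intra-BSS option's job, not the whitelist's.
            return not self.intra_bss_blocking
        # Wired LAN and other SSIDs are unreachable unless the destination is whitelisted.
        return any(entry.matches(dst) for entry in self.whitelist)

    def deliver_broadcast(self, receivers: Iterable[Tuple[str, bool]]) -> List[str]:
        """Modelled assumption: a broadcast such as DHCP DISCOVER is replicated only to
        receivers the unicast rule would accept, so DHCP works only if the server is listed."""
        return [mac for mac, is_guest in receivers
                if self.forward(mac, dst_is_guest_station=is_guest)]


def compare_policies() -> dict:
    """Same traffic under a single-address whitelist and under one block entry."""
    exact = GuestSsidFilter([MacEntry.single(GATEWAY_MAC)])
    ranged = GuestSsidFilter([MacEntry.block(GATEWAY_MAC, 10)])
    lan = [(GATEWAY_MAC, False), (WIRED_NAS, False), (GUEST_B, True)]
    return {
        "gateway_reachable": exact.forward(GATEWAY_MAC),
        "wired_host_blocked": not exact.forward(WIRED_NAS),
        "guest_to_guest_blocked": not exact.forward(GUEST_B, dst_is_guest_station=True),
        # The failure mode the post worries about: the router moves within its block.
        "exact_list_breaks_if_router_mac_moves": not exact.forward(GATEWAY_ALT),
        "block_entry_survives_move": ranged.forward(GATEWAY_ALT),
        "block_entry_still_blocks_wired": not ranged.forward(WIRED_NAS),
        "dhcp_broadcast_reaches": exact.deliver_broadcast(lan),
        "single_entries_replaced_by_block": MacEntry.block(GATEWAY_MAC, 10).size(),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key:40} {value}")
```

The model also shows why the check Chrysalis asks for matters: the whitelist only does its job if the access point really drops frames towards the wired LAN, so on a live deployment the test is the one Weaver ran, from a guest client try the gateway and a wired host and confirm that only the gateway answers.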