Geekzone: technology news, blogs, forums
82 posts

Master Geek
+1 received by user: 5


Topic # 111743 13-Nov-2012 17:25

Hi - Can anyone recommend a WAP  / Router that supports multiple SSID's that allow for guest / isolation mode?

The trick is that they will be on a LAN with a server giving out DHCP addresses so the guest (isolated) ssid needs to be able to get out to the Internet and get an address - either from its own DHCP server or the LAN Server but the guest clients shouldn't see anything else on the LAN....

Clear as mud?? Laughing

thanks for any suggestions - even out there ones...  

19803 posts

Uber Geek
+1 received by user: 1524

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 716563 13-Nov-2012 17:31

Most access points offer client isolation. I'm guessing if you want multiple SSID's you'll also be wanting to use VLAN's to separate traffic even further.

You haven't given any specifics around AP's since there are lots of scenarios with different hardware but my recommendation for a basic indoor install would be Ubiquiti Unifi's.

Voice Engineer @ Orcon
1927 posts

Uber Geek
+1 received by user: 435

Trusted
Orcon
Subscriber

  Reply # 716565 13-Nov-2012 17:34

Yep that's a common feature in Wireless routers nowadays, at least if you only need 2 x SSID and one of these is a "guest" SSID with only internet access.

Look for "Guest SSID" or similar function.

Have plan, send $NZD50m
3475 posts

Uber Geek
+1 received by user: 75

Subscriber

  Reply # 716570 13-Nov-2012 17:50

sbiddle: Most access points offer client isolation. I'm guessing if you want multiple SSID's you'll also be wanting to use VLAN's to separate traffic even further.

You haven't given any specifics around AP's since there are lots of scenarios with different hardware but my recommendation for a basic indoor install would be Ubiquiti Unifi's.


How are you thinking those will be configured?

I'm guessing you're assuming some sort of router at the head end that will let one vlan be dropped into a switch port connected to the server which provides the DHCP addresses.

But how is this lot connecting to the internet? 

What's doing the NAT for the internal network? 

What's doing the NAT for the guest network? 

What's implementing firewall rules to prevent traffic moving from the server network to the guest network?  Can you do all that in a unifi?

Or are you assuming a Mikrotik or some other router in there as well and the unifis are only doing the wifi networking?

 




Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - [email protected]


19803 posts

Uber Geek
+1 received by user: 1524

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 716579 13-Nov-2012 18:14

Unifi's also do L3 isolation as well which is a cool feature. It makes it easier than having to do this with firewall rules in a router.

Getting back to Don's post you really do need to explain a lot more about your setup.



82 posts

Master Geek
+1 received by user: 5


  Reply # 716588 13-Nov-2012 18:25

hi - thanks everyone for the replies!

They already have a Cisco Router for Internet that supports Vlans if need be but they only have a dumb switch so no Vlan support there.

If the WAP plugs directly into the Cisco and has 2 SSID's on 2 different VLan's (1 on the default for the staff) and the other for the Guests can the Cisco do DHCP and allocate IP, DNS etc for the guests but not be visible to the default Vlan so that staff Wired PCs don't get an IP from the Cisco but the wireless Staff SSID does get IP details from the LAN Server....

hmmm... think this may be turning into a VLAN versus routing question....

19803 posts

Uber Geek
+1 received by user: 1524

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 716591 13-Nov-2012 18:28

It really sounds like you should go for something like a Mikrotik RB2011 that'll give you WiFi and router capabilities to solve everything in one box!


Have plan, send $NZD50m
3475 posts

Uber Geek
+1 received by user: 75

Subscriber

  Reply # 716689 13-Nov-2012 21:02

sbiddle: It really sounds like you should go for something like a Mikrotik RB2011 that'll give you WiFi and router capabilities to solve everything in one box!



http://www.gowifi.co.nz/coming-soon-new-products/mikrotik-rb2011uas-2hnd-in-802.11n-wireless-router-with-sfp-port.html?keyword=RB2011

Ya that does look like a cool solution.

SFP meaning you're ready for p2p fibre, IPv6 ready, USB meaning you can put a fail over mobile solution in there and you can build as many SSID's for different networks as you want.

However, how would that get on integrating with the unifi's if he needs to cover a large area?

Would he be better to just abstract the wifi from the routing, in which case he could pay half that price and just get a 750GL or 450?



19803 posts

Uber Geek
+1 received by user: 1524

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 716697 13-Nov-2012 21:09

They're my favourite new device, I've installed a number over recent weeks.

As for integrating with other AP's simply create 4 internal bridges and link the internal WiFi SSID and VLAN's for the UniFi together with horizon enabled to minimise the L2 traffic. 10 ports makes this ideal as you could also assign Ethernet ports to each VLAN as well.




Have plan, send $NZD50m
3475 posts

Uber Geek
+1 received by user: 75

Subscriber

  Reply # 716725 13-Nov-2012 22:22

sbiddle: ... horizon enabled to minimise the L2 traffic.


What's 'horizon' and which bit of equipment is this being done in?

I've got a unifi 3 pack here that I haven't really played with properly yet, but this looks like quite an interesting thing to set up and test out.

So you're saying that you use the wifi in the mtk and then just dist using the unifi's?

I thought the unifi's wanted to own the whole space.  I thought the whole idea of the unifi's with a controller is so they can set the chan and power levels used over the space, but the controller won't be able to see/control the mtk wifi?



The Game.
3038 posts

Uber Geek
+1 received by user: 556

Trusted
Think Concepts
Subscriber

  Reply # 716743 14-Nov-2012 00:21

Fritz!box 7340? Has a second SSID for guest support built in / AP isolation. Damn reliable router too.





Michael Murphy
[Twitter] [Last.fm] [IPv6 Sage]

Everything I say here is my own opinion and not that of my employer.

19803 posts

Uber Geek
+1 received by user: 1524

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 716768 14-Nov-2012 06:40

DonGould:
sbiddle: ... horizon enabled to minimise the L2 traffic.


What's 'horizon' and which bit of equipment is this being done in?

I've got a unifi 3 pack here that I haven't really played with properly yet, but this looks like quite an interesting thing to set up and test out.

So you're saying that you use the wifi in the mtk and then just dist using the unifi's?

I thought the unifi's wanted to own the whole space.  I thought the whole idea of the unifi's with a controller is so they can set the chan and power levels used over the space, but the controller won't be able to see/control the mtk wifi?




A split horizon isn't the simplest thing in the world to explain in a short sentence but essentially enables L2 isolation and prevents network loops.

The UniFi software can't control the Mikrotik, but the WiFi in the Mikrotik can be used as an additional AP or can merely function handing out IP's. RouterOS makes it so simple to handle multiple VLAN's / SSID's with different IP ranges and enable full isolation between them.
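
As an added illustration (not part of any post in this thread, and not sbiddle's own configuration), here is a RouterOS configuration for the guest side of the approach described above: a bridge whose ports have horizon set, its own IP range and DHCP, and firewall isolation from the staff LAN. Interface names, VLAN ID 20 and both subnets are assumptions; on a RouterOS bridge, ports that share a horizon value do not forward frames to each other.

```routeros
# Added example; interface names, VLAN ID and subnets are assumptions.
# ether1 = WAN, ether2 = trunk to the UniFi APs, wlan1 = built-in radio,
# 192.168.1.0/24 = staff LAN, 192.168.20.0/24 = guest network.

# Guest SSID on the built-in radio; default-forwarding=no stops clients on
# this SSID from talking to each other through the AP.
/interface wireless
add name=wlan-guest master-interface=wlan1 mode=ap-bridge ssid=Guest default-forwarding=no disabled=no

# Tagged guest VLAN carried to the UniFi APs.
/interface vlan
add name=vlan20-guest interface=ether2 vlan-id=20

# Ports with the same horizon value never forward frames to each other,
# so guest clients can only reach the router, not guests on the other port.
/interface bridge
add name=bridge-guest
/interface bridge port
add bridge=bridge-guest interface=wlan-guest horizon=1
add bridge=bridge-guest interface=vlan20-guest horizon=1

# Guests get their own gateway, DHCP scope and DNS, independent of the LAN server.
/ip address
add address=192.168.20.1/24 interface=bridge-guest
/ip pool
add name=pool-guest ranges=192.168.20.10-192.168.20.250
/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
/ip dns
set allow-remote-requests=yes

# Guests may use DHCP and DNS on the router and nothing else on it.
# "add" appends, so these must sit above any broader accept rules, and the
# WAN side of the input chain is assumed to be filtered already.
/ip firewall filter
add chain=input in-interface=bridge-guest protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=bridge-guest protocol=tcp dst-port=53 action=accept
add chain=input in-interface=bridge-guest action=drop comment="guest to router"
# L3 isolation: guests reach the internet only, never the staff LAN.
add chain=forward in-interface=bridge-guest dst-address=192.168.1.0/24 action=drop comment="guest to staff LAN"
add chain=forward in-interface=bridge-guest out-interface=ether1 action=accept comment="guest to internet"
add chain=forward in-interface=bridge-guest action=drop comment="guest to anything else"
/ip firewall nat
add chain=srcnat src-address=192.168.20.0/24 out-interface=ether1 action=masquerade
```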

368 posts

Ultimate Geek
+1 received by user: 1


  Reply # 717125 14-Nov-2012 15:37

sbiddle:

A split horizon isn't the simplest thing in the world to explain in a short sentence but essentially enables L2 isolation and prevents network loops.


I don't know, I think you did a pretty good job of describing 'Split Horizon'. :-)

It 'limits' routing broadcast loops.

A node whose link to a site is lost sees another node advertising the link, but that link is via the node who has just lost the link. Chicken and egg, thus routing loop.

So... Multiple SSID. If you're on a Telecom NZ broadband package and the Telecom Massive has bequeathed you a Thomson TG582n... use it.

I was Telecom NZ's biggest TG585v8 fan, but after yesterday I'm not. Now I'm a TG582n fan. :-)

I still have VLANs, now have MSSID which works (didn't in TG585v8), 10dBm increase in signal strength at 15m, 500Kb download broadband increase, Time sync that works and maybe even syslog forwarding (UDP 514) .. Only got the box yesterday. :-) 



Both SMERSH and Cupola are SSID on the TG582n. They are in separate VLANs with their own IP sub-net and DHCP.
You can hang 'many' SSID off the one physical interface and attach them to whatever VLANs you wish.
LocalNetwork and Guest are two different VLANs with their own Ethernet and WiFi environment including IP, DHCP etc,etc.
This is not well reflected in the Web interface as the GUI is not designed ... for peoples like me.
You'll have to do most of your configuration via cmd line, but at the end of the day you have a VERY rewarding modem/router/switched environment and Telecom gives you the modem for free.... Bless.


2030 posts

Uber Geek
+1 received by user: 333

Subscriber

  Reply # 717282 14-Nov-2012 18:07

This all sounds very well and good but at the end of the day seems a fairly complicated solution for someone who might not want something complicated.
I would just put in Unifi and use the controller's built in guest isolation and subnet blocking. Makes it real simple. One LAN. One DHCP server and yet your LAN will still be 'unseen' by the guests.

368 posts

Ultimate Geek
+1 received by user: 1


  Reply # 717895 15-Nov-2012 20:07

chevrolux: This all sounds very well and good but at the end of the day seems a fairly complicated solution for someone who might not want something complicated.


True.  :-)
