Geekzone: technology news, blogs, forums


mvanwijk

12 posts

Geek


#191474 5-Feb-2016 11:48

I'm replacing the (ISP supplied) router in a community centre, and want to be able to offer not only 'Guest Wifi/SSID', but also be able to restrict its bandwidth.  The building is on 100Mb Fibre which narrows the range of suitable routers.

 

It seems that most new routers offer a Guest Wifi option, with the ability to restrict access to other devices on the LAN, but not the bandwidth restriction.  The new TP-Link routers offer Guest Wifi bandwidth restriction, but don't support direct connection to Fibre (well, through the ONT), because they don't offer 'VLAN tagging'.

 

Would appreciate any advice from those who have solved this (ideally without going to DD-WRT).


BigPipeNZ
1170 posts

Uber Geek

Trusted
BigPipe

  #1485844 5-Feb-2016 12:10

Some ISPs will do UFB without VLAN tagging, which would enable you to use that router if you want to.

 

Bigpipe (us) and MyRepublic are the two I am aware of, but there may be more.





bigpipe.co.nz
https://www.facebook.com/BigPipeNZ
https://twitter.com/BigPipeNZ




sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1485907 5-Feb-2016 13:54

Mikrotik router with suitable AP such as a UniFi or Mikrotik. You also need to factor in the network configuration to ensure that client isolation exists on the guest WiFi and that full L2 and L3 isolation exists between the guest network and the community centre network.

 

 


mvanwijk

12 posts

Geek


  #1485943 5-Feb-2016 14:26

Hadn't looked at the Mikrotik range - obviously a bit more work up front, but plenty of flexibility!

 

 




jnimmo
1097 posts

Uber Geek


  #1485949 5-Feb-2016 14:34

 UniFi probably quite a good option too in case you wanted to add any extra APs in future

 

Not sure what you were thinking about open wifi vs using a simple WPA2 key - can I recommend the second option to avoid someone being able to eavesdrop on the traffic with 0 effort :)


Earbanean
943 posts

Ultimate Geek


  #1485969 5-Feb-2016 14:59

You should be able to configure that through the QoS functionality of a lot of routers.  I have a similar situation.  We have a self-contained flat in the basement of our house, which we rent out.  We give the tenants access to our WiFi, but don't want them hogging the bandwidth and stopping our Netflix streaming etc.  

 

I use a Netgear WNDR3700 router flashed with Gargoyle firmware.  Then in the QoS set up on that, I can set bandwidth percentage limits (percentages of max when link saturated), for groups of client IP addresses.  This works really well and means when we're not using the bandwidth, they have access to it.  But when we're both using it and it saturates, then we get priority.  I imagine a lot of stock firmware would also allow QoS based on IP addresses.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1486013 5-Feb-2016 15:46

Assuming there are physical PCs (such as those for the community centre) the most important aspect here is VLAN or L2/L3 isolation. It's so common to find so many places that offer free WiFi who know nothing about security.

 

Having a WPA2 key offers added security over an open network but assuming you're their tech support you'll have a nightmare on your hands if you ever decide to change the password. It's the reason captive portals are still so popular.

 

 


mvanwijk

12 posts

Geek


  #1486038 5-Feb-2016 15:58

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  Yes, isolation from the rest of the network is a must do.


 
 
 

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1486040 5-Feb-2016 16:01

mvanwijk:

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  

 

 

Assuming you're going to have a reasonable number of users then using WPA2 and changing it regularly will lead to support nightmares as I mentioned above.


mvanwijk

12 posts

Geek


  #1486053 5-Feb-2016 16:16

I guess to be fair we're really thinking 'open-ish' - have a password, but display it inside the building where users can see it (but not visible from outside for 'drive by wifi'). Thoughts?


Earbanean
943 posts

Ultimate Geek


  #1486055 5-Feb-2016 16:18

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward.  You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128).  Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256).  Then set your QoS rules for those two ranges.
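
An added example, not part of the posts in this thread and not Gargoyle's own code: before entering a static range and a DHCP pool into QoS rules, this Python code checks that the two ranges are usable host addresses on the LAN and share no address, then reduces each to CIDR blocks for rule fields that take CIDR rather than start-end ranges. The LAN 192.168.1.0/24 and the boundaries .2-.127 and .128-.254 are constructed values, chosen so the ranges do not meet and the pool stops below the broadcast address.

```python
import ipaddress as ip

def cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last."""
    return list(ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last)))

def plan(lan, trusted, guest_pool):
    """Validate two address ranges on one LAN and return their CIDR blocks.

    trusted / guest_pool are (first, last) tuples of dotted-quad strings.
    Raises ValueError if an address is malformed, a range leaves the LAN,
    uses the network or broadcast address, or overlaps the other range.
    """
    net = ip.ip_network(lan)
    spans = {}
    for name, (first, last) in (("trusted", trusted), ("guest", guest_pool)):
        lo, hi = ip.ip_address(first), ip.ip_address(last)
        if lo > hi:
            raise ValueError(f"{name}: range is reversed")
        for addr in (lo, hi):
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                raise ValueError(f"{name}: {addr} is not a usable host in {net}")
        spans[name] = (lo, hi)
    (t_lo, t_hi), (g_lo, g_hi) = spans["trusted"], spans["guest"]
    if t_lo <= g_hi and g_lo <= t_hi:
        raise ValueError("trusted and guest ranges overlap")
    return {name: cidrs(lo, hi) for name, (lo, hi) in spans.items()}

# Constructed values for illustration (assumptions, not from the thread).
LAN = "192.168.1.0/24"
PLAN = plan(LAN, ("192.168.1.2", "192.168.1.127"), ("192.168.1.128", "192.168.1.254"))

if __name__ == "__main__":
    for name, blocks in PLAN.items():
        print(name, [str(b) for b in blocks])
```

Splitting one subnet by address range gives the router something to shape on, but both groups still share a broadcast domain, so it provides no isolation between them; that needs a separate SSID/VLAN or subnet.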


mvanwijk

12 posts

Geek


  #1486062 5-Feb-2016 16:27

Earbanean:

 

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward.  You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128).  Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256).  Then set your QoS rules for those two ranges.

 

 

OK that sounds like less work than I'd thought...


yitz
2079 posts

Uber Geek


  #1486096 5-Feb-2016 17:14

Depending on requirements, the el-cheapo solution would be to just NAT the TP-Link router behind the existing office router. Apply outbound IP filtering rules to drop any traffic destined to upstream main office IP ranges, Wi-Fi client isolation and disable management on the LAN side (keep open on the WAN side to access from the office network). Flick off the power after hours. All that should be easily achievable on Broadcom-based routers as many TP-Link units are.

 

If you are redoing the SOHO network altogether then the above suggestions are good; consider a proper firewall and separate access points.
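
An added example, not part of the posts in this thread and not any router's own configuration: a first-match model of the outbound filtering described above for a guest router NATed behind the office network, run over constructed flows to confirm that nothing addressed to the office ranges or to the guest router's admin ports is accepted while internet traffic still passes. The subnets, the management port set and the sample flows are assumptions made for the example.

```python
import ipaddress as ip

# Constructed addressing: a guest router NATed behind the office LAN.
GUEST_NET = ip.ip_network("192.168.88.0/24")       # clients of the guest router
GUEST_ROUTER = ip.ip_address("192.168.88.1")       # its LAN-side address
OFFICE_RANGES = [ip.ip_network("192.168.1.0/24")]  # upstream office LAN, gateway included
MGMT_PORTS = {22, 23, 80, 443}                     # assumed admin services on the router

def build_rules():
    """Ordered, first-match rules for packets arriving from guest clients."""
    if any(GUEST_NET.overlaps(r) for r in OFFICE_RANGES):
        raise ValueError("guest subnet must differ from every office range")
    rules = [("drop", ip.ip_network(f"{GUEST_ROUTER}/32"), MGMT_PORTS)]
    rules += [("drop", r, None) for r in OFFICE_RANGES]
    rules.append(("accept", ip.ip_network("0.0.0.0/0"), None))
    return rules

def verdict(src, dst, dport, rules=None):
    """Return 'accept' or 'drop' for one TCP/UDP flow from a guest client."""
    rules = build_rules() if rules is None else rules
    if ip.ip_address(src) not in GUEST_NET:
        raise ValueError(f"{src} is not a guest client")
    dst = ip.ip_address(dst)
    for action, net, ports in rules:
        if dst in net and (ports is None or dport in ports):
            return action
    return "drop"  # default deny if no rule matched

# Constructed flows: (source, destination, destination port, intended verdict).
FLOWS = [
    ("192.168.88.50", "192.168.1.10", 445, "drop"),   # office file share
    ("192.168.88.50", "192.168.1.1", 443, "drop"),    # office router admin page
    ("192.168.88.50", "192.168.88.1", 80, "drop"),    # guest router admin page
    ("192.168.88.50", "192.168.88.1", 53, "accept"),  # DNS served by the guest router
    ("192.168.88.50", "203.0.113.7", 443, "accept"),  # internet host (TEST-NET-3)
]

def audit(flows=FLOWS):
    """Return the flows whose verdict differs from what the policy intends."""
    return [f for f in flows if verdict(f[0], f[1], f[2]) != f[3]]

if __name__ == "__main__":
    print("policy violations:", audit())
```

Internet-bound packets are still forwarded via the office gateway because their destination address is the internet host, not the gateway. Traffic between two guest clients never reaches these rules, which is why Wi-Fi client isolation has to be enabled separately on the access point.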


coffeebaron
6234 posts

Uber Geek

Trusted
Lifetime subscriber

  #1486114 5-Feb-2016 17:36

Draytek 2800 series routers will do bandwidth limiting, and a bunch of other things.




Rural IT and Broadband support.

 

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71 
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com


robjg63
4098 posts

Uber Geek

Subscriber

  #1488057 9-Feb-2016 13:38

Actually I found that some of the TP-Link routers do support VLAN tagging.

 

I am moving to UFB on an ISP that doesn't use VLAN tagging and have been looking at the TP-Link Archer C7 ~$200.

 

I figured it might be good if it did support VLAN tagging if I should ever need to change ISPs - though I wouldn't really expect I would need to change.

 

 

 

Anyway - found this http://forum.tp-link.com/showthread.php?81425-Archer-C7-new-firmware-does-not-support-vlan-id-10

 

Seems that on the C7 if you email them a support ticket they let you have a beta firmware that allows setting of VLAN10 - which I gather is what you need. It seems that the standard software has something under an IPTV section that lets you set VLAN tagging - but only allows numbers from 16-???? - and wouldn't let you ordinarily set 10 as a value.

 

 

 

In fact if you go to pricespy.co.nz and query "archer c7 VLAN10" it's now bringing up a model that is apparently ready off the shelf.





Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler

