Wireless Access Point / Router with multiple SSID's that can be isolated...

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Wireless Access Point / Router with multiple SSID's that can be isolated...

mmlakeman

106 posts

Master Geek

#111743 13-Nov-2012 17:25

Hi - Can anyone recommend a WAP / Router that supports multiple SSID's that allow for guest / isolation mode?

The trick is that they will be on a LAN with a server giving out DHCP addresses so the guest (isolated) ssid needs to be able to get out to the Internet and get an address - either from its own DHCP server or the LAN Server but the guest clients shouldn't see anything else on the LAN....

Clear as mud??

thanks for any suggestions - even out there ones...

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#716563 13-Nov-2012 17:31

Most access points offer client isolation. I'm guessing if you want multiple SSID's you'll also be wanting to use VLAN's to separate traffic even further.

You haven't given any specifics around AP's since there are lots of scenarios with different hardware but my recommendation for a basic indoor install would be Ubiquiti Unifi's.

ubergeeknz

3344 posts

Uber Geek

Trusted

Vocus

#716565 13-Nov-2012 17:34

Yep that's a common feature in Wireless routers nowadays, at least if you only need 2 x SSID and one of these is a "guest" SSID with only internet access.

Look for "Guest SSID" or similar function.

DonGould

3892 posts

Uber Geek

#716570 13-Nov-2012 17:50

sbiddle: Most access points offer client isolation. I'm guessing if you want multiple SSID's you'll also be wanting to use VLAN's to separate traffic even further.

You haven't given any specifics around AP's since there are lots of scenarios with different hardware but my recommendation for a basic indoor install would be Ubiquiti Unifi's.

How are you thinking those will be configured?

I'm guessing you're assuming some sort of router at the head end that will let one vlan be dropped into a switch port connected to the server which provides the DHCP addresses.

But how is this lot connecting to the internet?

What's doing the NAT for the internal network?

What's doing the NAT for the guest network?

What's implementing firewall rules to prevent traffic moving from the server network to the guest network? Can you do all that in a unifi?

Or are you assuming a Mikrotik or some other router in there as well and the unifis are only doing the wifi networking?

Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#716579 13-Nov-2012 18:14

Unifi's also do L3 isolation as well which is a cool feature. It makes it easier than having to do this with firewall rules in a router.

Getting back to Don's post you really do need to explain a lot more about your setup.

mmlakeman

106 posts

Master Geek

#716588 13-Nov-2012 18:25

hi - thanks everyone for the replies!

They already have a Cisco Router for Internet that supports Vlans if need be but they only have a dumb switch so no Vlan support there.

If the WAP plugs directly into the Cisco and has 2 SSID's on 2 different VLan's (1 on the default for the staff) and the other for the Guests can the Cisco do DHCP and allocate IP, DNS etc for the guests but not be visible to the default Vlan so that staff Wired PCs don't get an IP from the Cisco but the wireless Staff SSID does get IP details from the LAN Server....

hmmm... think this may be turning into a VLAN versus routing question....

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#716591 13-Nov-2012 18:28

It really sounds like you should go for something like a Mikrotik RB2011 that'll give you WiFi and router capabilities to solve everything in one box!

DonGould

3892 posts

Uber Geek

#716689 13-Nov-2012 21:02

sbiddle: It really sounds like you should go for something like a Mikrotik RB2011 that'll give you WiFi and router capabilities to solve everything in one box!

http://www.gowifi.co.nz/coming-soon-new-products/mikrotik-rb2011uas-2hnd-in-802.11n-wireless-router-with-sfp-port.html?keyword=RB2011

Ya that does look like a cool solution.

SFP meaning you're ready for p2p fibre, IPv6 ready, USB meaning you can put a fail over mobile solution in there and you can build as many SSID's for different networks as you want.

However, how would that get on integrating with the unifi's if he needs to cover a large area?

Would he be better to just abstract the wifi from the routing, in which case he could pay half that price and just get a 750GL or 450?

Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#716697 13-Nov-2012 21:09

They're my favourite new device, I've installed a number over recent weeks.

As for integrating with other AP's simply create 4 internal bridges and link the internal WiFi SSID and VLAN's for the UniFi together with horizon enabled to minimise the L2 traffic. 10 ports makes this ideal as you could also assign Ethernet ports to each VLAN as well.

DonGould

3892 posts

Uber Geek

#716725 13-Nov-2012 22:22

sbiddle: ... horizon enabled to minimise the L2 traffic.

What's 'horizon' and which bit of equipment is this being done in?

I've got a unifi 3 pack here that I haven't really played with properly yet, but this looks like quite an interesting thing to set up and test out.

So you're saying that you use the wifi in the mtk and then just dist using the unifi's?

I thought the unifi's wanted to own the whole space. I thought the whole idea of the unifi's with a controller is so they can set the chan and power levels used over the space, but the controller won't be able to see/contorl the mtk wifi?

Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz

michaelmurfy

meow
13260 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#716743 14-Nov-2012 00:21

Fritz!box 7340? Has a second SSID for guest support built in / AP isolation. Damn reliable router too.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#716768 14-Nov-2012 06:40

DonGould:
sbiddle: ... horizon enabled to minimise the L2 traffic.

What's 'horizon' and which bit of equipment is this being done in?

I've got a unifi 3 pack here that I haven't really played with properly yet, but this looks like quite an interesting thing to set up and test out.

So you're saying that you use the wifi in the mtk and then just dist using the unifi's?

I thought the unifi's wanted to own the whole space. I thought the whole idea of the unifi's with a controller is so they can set the chan and power levels used over the space, but the controller won't be able to see/contorl the mtk wifi?

A split horizion isn't the simplest thing in the world to explain in a short sentence but essentially enables L2 isolation and prevents network loops.

The UniFi software can't control the Mikrotik, but the WiFi in the Mikrotik can be used as an additional AP or can merely function handing out IP's. RouterOS makes it so simple to handle multiple VLAN's / SSID's with different IP ranges and enable full isolation between them.

DrStrangelove

368 posts

Ultimate Geek

#717125 14-Nov-2012 15:37

sbiddle:

A split horizion isn't the simplest thing in the world to explain in a short sentence but essentially enables L2 isolation and prevents network loops.

I don't know, I think you did a pretty good job of describing 'Split Horizion'. :-)

It 'limits' routing broadcast loops.

A node whos link to a site is lost sees another node advertising the link, but that link is via the node who has just lost the link. Chicken and egg, thus routing loop.

So... Multiple SSID. If you're on a Telecom NZ broadband package and the Telecom Massive has bequeathed you a Thomson TG582n... use it.

I was Telecom NZ's biggest TG585v8 fan, but after yesterday I'm not. Now I'm a TG582n fan. :-)

I still have VLANs, now have MSSID which works (didn't in TG585v8), 10dBm increase in signal strength at 15m, 500Kb download broadband increase, Time sync that works and maybe even syslog forwarding (UDP 514) .. Only got the box yesterday. :-)

Both SMERSH and Cupola are SSID on the TG582n. They are in separate VLANs with their own IP sub-net and DHCP.
You can hang 'many' SSID off the one physical interface and attach them to whatever VLANs you wish.
LocalNetwork and Guest are two different VLANs with their own Ethernet and WiFi environment including IP, DHCP etc,etc.
This is not well reflected in the Web interface as the GUI is not designed ... for peoples like me.
You'll have to do most of your configuration via cmd line, but at the end of the day you have a VERY rewarding modem/router/switched environment and Telecom gives you the modem for free.... Bless.

chevrolux

4962 posts

Uber Geek
Inactive user

#717282 14-Nov-2012 18:07

This all sounds very well and good but at the end of the day seems a fairly complicated solution for someone who might not want something complicated.
I would just put in Unifi and use the controller's built in guest isolation and subnet blocking. Makes it real simple. One LAN. One DHCP server and yet your LAN will still be 'unseen' by the guests.

DrStrangelove

368 posts

Ultimate Geek

#717895 15-Nov-2012 20:07

chevrolux: This all sounds very well and good but at the end of the day seems a fairly complicated solution for someone who might not want something complicated.

True. :-)