Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)What WiFi AP best to set up separate guest network that cannot access LAN?


87 posts

Master Geek
+1 received by user: 12


Topic # 129428 15-Sep-2013 18:51
Send private message

Hi,

Would appreciate some advice about what AP to get to help a friend set up a WiFi AP in a small medical practice.

I would like to set up a secure WiFi LAN, but also a separate guest network that cannot access the LAN, due to inherent privacy concerns in this setting. I am most familiar with Apple Airport systems, but they cannot set up a guest network unless they are also handling DHCP and NAT, and in this setting I don't want to disrupt the existing ADSL modem/router that is already handling these tasks.

So....what I was thinking was set up a usual Wifi network for the LAN, but hidden SSID, and need for MAC address authorisation for any device that could end up on the same LAN that holds patient records, but I also want to enable a guest network purely for internet access.

Can anyone recommend a reliable AP that would do what I want, and once configured, just work happily by itself without further intervention? I was reading the instruction manuals for the Ubiquiti Unifi systems, but I was worried that they needed the controller software to be running on a connected PC all the time to work properly - maybe I read it wrong....

thanks for any advice...

Peter

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
27285 posts

Uber Geek
+1 received by user: 6717

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 896001 15-Sep-2013 18:55
One person supports this post
Send private message

You really need a multiple VLAN setup with the guest network on a VLAN isolated from the rest of the network. To do this you need a router capable of this.

Your requirements aren't just for an AP because no AP can really do what you want to do as it's always going to be plugged into the existing flat network. A UniFi doesn't need a controller running all the time but isn't the solution to your problem - it's just going to be an AP plugged into your existing network giving out the same IP addresses that all other PC's on the network use.

5196 posts

Uber Geek
+1 received by user: 1687


  Reply # 896005 15-Sep-2013 19:10
Send private message

sbiddle: You really need a multiple VLAN setup with the guest network on a VLAN isolated from the rest of the network. To do this you need a router capable of this.

Your requirements aren't just for an AP because no AP can really do what you want to do as it's always going to be plugged into the existing flat network. A UniFi doesn't need a controller running all the time but isn't the solution to your problem - it's just going to be an AP plugged into your existing network giving out the same IP addresses that all other PC's on the network use.


This.

Whatever device you end up with, the guest network really needs to be served from your primary router, otherwise even if it is separated from other wireless devices, you could still see wired devices on your main network.

 
 
 
 




87 posts

Master Geek
+1 received by user: 12


  Reply # 896083 15-Sep-2013 22:28
Send private message

Thanks for that. Looks like I might need to tackle the router after all!

What ADSL router would be capable of doing what I want?

637 posts

Ultimate Geek
+1 received by user: 92

Trusted
Subscriber

  Reply # 896100 15-Sep-2013 23:08
Send private message

I recommend the ASUS RT-AC66U (which is what I use). In addition to being a really good router (with custom firmware as well as package management available for installing apps), the guest network works great and isolates guest devices from the main LAN. 

 

If you want something cheaper and don't really need 802.11ac capability, then the ASUS RT-N66U is still a pretty good buy, with the software being pretty much the same.

 

3422 posts

Uber Geek
+1 received by user: 411

Trusted

  Reply # 896101 15-Sep-2013 23:09
Send private message

I would definitely suggest you get a modem in bridging mode for your ADSL/VDSL and something like a Mikrotik and PFsense which are routers capable of achieving your requirements. In terms of the AP, you probably could get away without a managed switch but I would suggest just get 2x APs as VLANing may be hard.





2527 posts

Uber Geek
+1 received by user: 939

Subscriber

  Reply # 896149 16-Sep-2013 07:55
Send private message

Asus RT-AC66U supports an isolated guest network in addition to a secured private network, and it does it well. I've seen some earlier routers that claim to do this, but if you join the guest network and manually set an IP to the private range you can access the private network, where the AC66U doesn't suffer this problem as it handles the segregation differently.

Given the RT-AC56U and RT-N65U use the same OS, I'd expect them to perform this function in the same way, but I've only tested it on the AC66U.




Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark

269 posts

Ultimate Geek
+1 received by user: 24


  Reply # 896155 16-Sep-2013 08:22
Send private message

If you ran a separate AP for the guest network you might want to try out Zappie firmware, then you can restrict usage for guests but they could pay if they want more.

27285 posts

Uber Geek
+1 received by user: 6717

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 896156 16-Sep-2013 08:22
Send private message

If I was installing a solution it would involve a Mikrotik router with a modem in bridge mode because it offers so much more functionality and allows you to create a guest captive portal also as well as knowing there is full L2 and L3 isolation between networks.

There is a learning curve to this however so it's not going to be a solution for somebody who knows nothing about networking. You would need an expert to install it.

3685 posts

Uber Geek
+1 received by user: 1392

Subscriber

  Reply # 896161 16-Sep-2013 08:33
Send private message

We did this for a waiting room for a medical practice.

Used a Fortigate router (provides content filtering), level one managed switches, unifi ap's.

Had two SSID's, one was the 'guest wireless' the other was the private network. Separate VLANs with absolutely no routing between them. Then used the Unifi controller to do voucher based access for the guests and used WPA-Enterprise authentication with their Windows server for the private network.

They then put a little sign on the front counter with an 'access code' which is just a multi-use voucher created in the unifi software that gives a guest 30 minutes of time or 50MB of data. They just change this code monthly.

2527 posts

Uber Geek
+1 received by user: 939

Subscriber

  Reply # 896162 16-Sep-2013 08:35
Send private message

sbiddle: If I was installing a solution it would involve a Mikrotik router with a modem in bridge mode because it offers so much more functionality and allows you to create a guest captive portal also as well as knowing there is full L2 and L3 isolation between networks.


Having actually read the OP properly and seen it's for use in a medical practice, I'd agree, get someone in if needed, but do it with full hardware isolation. Mikrotik, Cisco - something solid. But do it right, if there's patient info potentially at risk.




Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark



87 posts

Master Geek
+1 received by user: 12


  Reply # 896426 16-Sep-2013 17:11
Send private message

Thank you all. I can see that to do it properly it needs a professional rather than a "dabbler". I will talk more with my colleague about getting it done professionally.

140 posts

Master Geek
+1 received by user: 6

Trusted

  Reply # 896916 17-Sep-2013 13:26
Send private message

You don't need expensive professional Geek help. Just get http://www.Zenbu.net.nz plug it in and hey presto just what you are wanting to provide. Print a bunch of access vouchers and give one to anyone who who wants to use your wifi. Total cost $249 - no other charges. Used by over 1000 places in NZ, Australia and Cook Islands over the last 6 years.

14289 posts

Uber Geek
+1 received by user: 2590

Trusted
Subscriber

  Reply # 897002 17-Sep-2013 15:06
Send private message

Inphinity: Asus RT-AC66U supports an isolated guest network in addition to a secured private network, and it does it well. I've seen some earlier routers that claim to do this, but if you join the guest network and manually set an IP to the private range you can access the private network, where the AC66U doesn't suffer this problem as it handles the segregation differently.

Given the RT-AC56U and RT-N65U use the same OS, I'd expect them to perform this function in the same way, but I've only tested it on the AC66U.


For $350 I'd want it to make me coffee as well. That router's recommended by Astrill as being a powerful device suitable for running a whole-house VPN over.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

5196 posts

Uber Geek
+1 received by user: 1687


  Reply # 897038 17-Sep-2013 15:39
Send private message

MauriceWinn: You don't need expensive professional Geek help. Just get http://www.Zenbu.net.nz plug it in and hey presto just what you are wanting to provide. Print a bunch of access vouchers and give one to anyone who who wants to use your wifi. Total cost $249 - no other charges. Used by over 1000 places in NZ, Australia and Cook Islands over the last 6 years.


Do you work for or have an interest in Zenbu? If so, you should really declare it when suggesting it as a solution.

3259 posts

Uber Geek
+1 received by user: 643

Trusted

  Reply # 897115 17-Sep-2013 16:52
Send private message

Most medical practices I visit just use a standard dlink router or whatever telecom gives them.

If you have a mako box for healthlink then it could be a bit troublesome to set up, but in my opinion, I would just go to dick smith and get a belkin or a netgear.

Belkin's and Netgears almost all have a secondary guest AP mode with its own password and it seperates it from the standard LAN and main WIFI network that it broadcasts - all in the one simple box.




Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Geekzone Live »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.