What WiFi AP best to set up separate guest network that cannot access LAN?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › What WiFi AP best to set up separate guest network that cannot access LAN?

PJ48

104 posts

Master Geek

# 129428 15-Sep-2013 18:51

Hi,

Would appreciate some advice about what AP to get to help a friend set up a WiFi AP in a small medical practice.

I would like to set up a secure WiFi LAN, but also a separate guest network that cannot access the LAN, due to inherent privacy concerns in this setting. I am most familiar with Apple Airport systems, but they cannot set up a guest network unless they are also handling DHCP and NAT, and in this setting I don't want to disrupt the existing ADSL modem/router that is already handling these tasks.

So....what I was thinking was set up a usual Wifi network for the LAN, but hidden SSID, and need for MAC address authorisation for any device that could end up on the same LAN that holds patient records, but I also want to enable a guest network purely for internet access.

Can anyone recommend a reliable AP that would do what I want, and once configured, just work happily by itself without further intervention? I was reading the instruction manuals for the Ubiquiti Unifi systems, but I was worried that they needed the controller software to be running on a connected PC all the time to work properly - maybe I read it wrong....

thanks for any advice...

Peter

1 | 2

28269 posts

Uber Geek

Moderator

Trusted

Biddle Corp

Lifetime subscriber

# 896001 15-Sep-2013 18:55

One person supports this post

You really need a multiple VLAN setup with the guest network on a VLAN isolated from the rest of the network. To do this you need a router capable of this.

Your requirements aren't just for an AP because no AP can really do what you want to do as it's always going to be plugged into the existing flat network. A UniFi doesn't need a controller running all the time but isn't the solution to your problem - it's just going to be an AP plugged into your existing network giving out the same IP addresses that all other PC's on the network use.

RunningMan

5575 posts

Uber Geek

# 896005 15-Sep-2013 19:10

sbiddle: You really need a multiple VLAN setup with the guest network on a VLAN isolated from the rest of the network. To do this you need a router capable of this.

Your requirements aren't just for an AP because no AP can really do what you want to do as it's always going to be plugged into the existing flat network. A UniFi doesn't need a controller running all the time but isn't the solution to your problem - it's just going to be an AP plugged into your existing network giving out the same IP addresses that all other PC's on the network use.

This.

Whatever device you end up with, the guest network really needs to be served from your primary router, otherwise even if it is separated from other wireless devices, you could still see wired devices on your main network.

PJ48

104 posts

Master Geek

# 896083 15-Sep-2013 22:28

Thanks for that. Looks like I might need to tackle the router after all!

What ADSL router would be capable of doing what I want?

d3Xt3r

642 posts

Ultimate Geek

Trusted

# 896100 15-Sep-2013 23:08

I recommend the ASUS RT-AC66U (which is what I use). In addition to being a really good router (with custom firmware as well as package management available for installing apps), the guest network works great and isolates guest devices from the main LAN.

If you want something cheaper and don't really need 802.11ac capability, then the ASUS RT-N66U is still a pretty good buy, with the software being pretty much the same.

Zeon

3496 posts

Uber Geek

Trusted

# 896101 15-Sep-2013 23:09

I would definitely suggest you get a modem in bridging mode for your ADSL/VDSL and something like a Mikrotik and PFsense which are routers capable of achieving your requirements. In terms of the AP, you probably could get away without a managed switch but I would suggest just get 2x APs as VLANing may be hard.

Speedtest 2019-10-14

Inphinity

2541 posts

Uber Geek

# 896149 16-Sep-2013 07:55

Asus RT-AC66U supports an isolated guest network in addition to a secured private network, and it does it well. I've seen some earlier routers that claim to do this, but if you join the guest network and manually set an IP to the private range you can access the private network, where the AC66U doesn't suffer this problem as it handles the segregation differently.

Given the RT-AC56U and RT-N65U use the same OS, I'd expect them to perform this function in the same way, but I've only tested it on the AC66U.

rhy7s

347 posts

Ultimate Geek

# 896155 16-Sep-2013 08:22

If you ran a separate AP for the guest network you might want to try out Zappie firmware, then you can restrict usage for guests but they could pay if they want more.

sbiddle

28269 posts

Uber Geek

Moderator

Trusted

Biddle Corp

Lifetime subscriber

# 896156 16-Sep-2013 08:22

If I was installing a solution it would involve a Mikrotik router with a modem in bridge mode because it offers so much more functionality and allows you to create a guest captive portal also as well as knowing there is full L2 and L3 isolation between networks.

There is a learning curve to this however so it's not going to be a solution for somebody who knows nothing about networking. You would need an expert to install it.

chevrolux

4208 posts

Uber Geek

# 896161 16-Sep-2013 08:33

We did this for a waiting room for a medical practice.

Used a Fortigate router (provides content filtering), level one managed switches, unifi ap's.

Had two SSID's, one was the 'guest wireless' the other was the private network. Separate VLANs with absolutely no routing between them. Then used the Unifi controller to do voucher based access for the guests and used WPA-Enterprise authentication with their Windows server for the private network.

They then put a little sign on the front counter with an 'access code' which is just a multi-use voucher created in the unifi software that gives a guest 30 minutes of time or 50MB of data. They just change this code monthly.

Inphinity

2541 posts

Uber Geek

# 896162 16-Sep-2013 08:35

sbiddle: If I was installing a solution it would involve a Mikrotik router with a modem in bridge mode because it offers so much more functionality and allows you to create a guest captive portal also as well as knowing there is full L2 and L3 isolation between networks.

Having actually read the OP properly and seen it's for use in a medical practice, I'd agree, get someone in if needed, but do it with full hardware isolation. Mikrotik, Cisco - something solid. But do it right, if there's patient info potentially at risk.

PJ48

104 posts

Master Geek

# 896426 16-Sep-2013 17:11

Thank you all. I can see that to do it properly it needs a professional rather than a "dabbler". I will talk more with my colleague about getting it done professionally.

MauriceWinn

140 posts

Master Geek

Trusted

# 896916 17-Sep-2013 13:26

You don't need expensive professional Geek help. Just get http://www.Zenbu.net.nz plug it in and hey presto just what you are wanting to provide. Print a bunch of access vouchers and give one to anyone who who wants to use your wifi. Total cost $249 - no other charges. Used by over 1000 places in NZ, Australia and Cook Islands over the last 6 years.

timmmay

15231 posts

Uber Geek

Trusted

Subscriber

# 897002 17-Sep-2013 15:06

Inphinity: Asus RT-AC66U supports an isolated guest network in addition to a secured private network, and it does it well. I've seen some earlier routers that claim to do this, but if you join the guest network and manually set an IP to the private range you can access the private network, where the AC66U doesn't suffer this problem as it handles the segregation differently.

Given the RT-AC56U and RT-N65U use the same OS, I'd expect them to perform this function in the same way, but I've only tested it on the AC66U.

For $350 I'd want it to make me coffee as well. That router's recommended by Astrill as being a powerful device suitable for running a whole-house VPN over.

RunningMan

5575 posts

Uber Geek

# 897038 17-Sep-2013 15:39

MauriceWinn: You don't need expensive professional Geek help. Just get http://www.Zenbu.net.nz plug it in and hey presto just what you are wanting to provide. Print a bunch of access vouchers and give one to anyone who who wants to use your wifi. Total cost $249 - no other charges. Used by over 1000 places in NZ, Australia and Cook Islands over the last 6 years.

Do you work for or have an interest in Zenbu? If so, you should really declare it when suggesting it as a solution.

raytaylor

3404 posts

Uber Geek

Trusted

# 897115 17-Sep-2013 16:52

Most medical practices I visit just use a standard dlink router or whatever telecom gives them.

If you have a mako box for healthlink then it could be a bit troublesome to set up, but in my opinion, I would just go to dick smith and get a belkin or a netgear.

Belkin's and Netgears almost all have a secondary guest AP mode with its own password and it seperates it from the standard LAN and main WIFI network that it broadcasts - all in the one simple box.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

1 | 2