Geekzone: technology news, blogs, forums




12 posts

Geek
+1 received by user: 1


Topic # 191474 5-Feb-2016 11:48

I'm replacing the (ISP supplied) router in a community centre, and want to be able to offer not only 'Guest Wifi/SSID', but also be able to restrict its bandwidth. The building is on 100Mb Fibre which narrows the range of suitable routers.

 

It seems that most new routers offer a Guest Wifi option, with the ability to restrict access to other devices on the LAN, but not the bandwidth restriction.  The new TP-Link routers offer Guest Wifi bandwidth restriction, but don't support direct connection to Fibre (well, through the ONT), because they don't offer 'VLAN tagging'.

 

Would appreciate any advice from those who have solved this (ideally without going to DD-WRT).


1134 posts

Uber Geek
+1 received by user: 741

Trusted
BigPipe

  Reply # 1485844 5-Feb-2016 12:10

Some ISPs will do UFB without VLAN tagging, which would enable you to use that router if you want to.

 

Bigpipe (us) and MyRepublic are the two I am aware of, but there may be more.





www.bigpipe.co.nz
https://www.facebook.com/BigPipeNZ
https://twitter.com/BigPipeNZ

25826 posts

Uber Geek
+1 received by user: 5555

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1485907 5-Feb-2016 13:54
2 people support this post

Mikrotik router with suitable AP such as a UniFi or Mikrotik. You also need to factor in the network configuration to ensure that client isolation exists on the guest WiFi and that full L2 and L3 isolation exists between the guest network and the community centre network.

 

 


 
 
 
 




12 posts

Geek
+1 received by user: 1


  Reply # 1485943 5-Feb-2016 14:26

Hadn't looked at the Mikrotik range - obviously a bit more work up front, but plenty of flexibility!

 

 


886 posts

Ultimate Geek
+1 received by user: 172

Subscriber

  Reply # 1485949 5-Feb-2016 14:34

 UniFi probably quite a good option too in case you wanted to add any extra APs in future

 

Not sure what you were thinking about open wifi vs using a simple WPA2 key - can I recommend the second option to avoid someone being able to eavesdrop on the traffic with 0 effort :)


248 posts

Master Geek
+1 received by user: 20


  Reply # 1485969 5-Feb-2016 14:59

You should be able to configure that through the QoS functionality of a lot of routers.  I have a similar situation.  We have a self-contained flat in the basement of our house, which we rent out.  We give the tenants access to our WiFi, but don't want them hogging the bandwidth and stopping our Netflix streaming etc.  

 

I use a Netgear WNDR3700 router flashed with Gargoyle firmware. Then in the QoS set up on that, I can set bandwidth percentage limits (percentages of max when link saturated), for groups of client IP addresses. This works really well and means when we're not using the bandwidth, they have access to it. But when we're both using it and it saturates, then we get priority. I imagine a lot of stock firmware would also allow QoS based on IP addresses.


25826 posts

Uber Geek
+1 received by user: 5555

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1486013 5-Feb-2016 15:46

Assuming there are physical PCs (such as those for the community centre) the most important aspect here is VLAN or L2/L3 isolation. It's so common to find so many places that offer free WiFi who know nothing about security.

 

Having a WPA2 key offers added security over an open network but assuming you're their tech support you'll have a nightmare on your hands if you ever decide to change the password. It's the reason captive portals are still so popular.

 

 




12 posts

Geek
+1 received by user: 1


  Reply # 1486038 5-Feb-2016 15:58

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  Yes, isolation from the rest of the network is a must do.


25826 posts

Uber Geek
+1 received by user: 5555

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1486040 5-Feb-2016 16:01

mvanwijk:

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  

 

 

Assuming you're going to have a reasonable number of users then using WPA2 and changing it regularly will lead to support nightmares as I mentioned above.




12 posts

Geek
+1 received by user: 1


  Reply # 1486053 5-Feb-2016 16:16

I guess to be fair we're really thinking 'open-ish' - have a password, but display it inside the building where users can see it (but not visible from outside for 'drive by wifi'). Thoughts?


248 posts

Master Geek
+1 received by user: 20


  Reply # 1486055 5-Feb-2016 16:18

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward. You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128). Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256). Then set your QoS rules for those two ranges.
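
An added example, not part of the original post and not Gargoyle's own code: a Python check for the trusted/guest address split described above. It rejects overlapping or out-of-range host numbers and returns the CIDR blocks covering each side, for routers whose QoS rules take CIDR rather than start-end ranges. The function names and the 127/128 boundary are assumptions chosen for illustration.

```python
import ipaddress


def parse_range(net, first, last):
    """Turn host numbers (e.g. 2 and 127) into addresses inside `net`.

    Rejects the network and broadcast addresses and anything outside the subnet.
    """
    network = ipaddress.ip_network(net)
    if not (0 < first <= last < network.num_addresses - 1):
        raise ValueError(f"host range {first}-{last} does not fit in {net}")
    base = int(network.network_address)
    return ipaddress.ip_address(base + first), ipaddress.ip_address(base + last)


def to_cidrs(lo, hi):
    """Smallest list of CIDR blocks that covers exactly lo..hi."""
    return [str(block) for block in ipaddress.summarize_address_range(lo, hi)]


def plan(net, trusted, guest):
    """Validate a trusted/guest split of one subnet and return CIDR blocks
    for each side, ready to use in per-range QoS rules."""
    t_lo, t_hi = parse_range(net, *trusted)
    g_lo, g_hi = parse_range(net, *guest)
    # A shared address would let a guest lease inherit the trusted QoS class.
    if t_lo <= g_hi and g_lo <= t_hi:
        raise ValueError(f"ranges overlap: {t_lo}-{t_hi} and {g_lo}-{g_hi}")
    return {"trusted": to_cidrs(t_lo, t_hi), "guest": to_cidrs(g_lo, g_hi)}


if __name__ == "__main__":
    # Constructed sample plan: static clients .2-.127, DHCP pool .128-.254.
    result = plan("192.168.1.0/24", (2, 127), (128, 254))
    for side, blocks in result.items():
        print(side, blocks)
    # A split that shares .128, or runs past .254, is rejected.
    for bad in [((2, 128), (128, 254)), ((2, 127), (128, 256))]:
        try:
            plan("192.168.1.0/24", *bad)
        except ValueError as err:
            print("rejected:", err)
```

Address-based rules only classify traffic: a client that sets its own static address lands in whichever range it chooses, so this split does not replace the L2/L3 isolation discussed elsewhere in the thread.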




12 posts

Geek
+1 received by user: 1


  Reply # 1486062 5-Feb-2016 16:27

Earbanean:

 

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward. You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128). Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256). Then set your QoS rules for those two ranges.

 

 

OK that sounds like less work than I'd thought...


1004 posts

Uber Geek
+1 received by user: 209


  Reply # 1486096 5-Feb-2016 17:14

Depending on requirements, the el-cheapo solution would be just NAT the TP-Link router behind the existing office router. Apply outbound IP filtering rules to drop any traffic destined to upstream main office IP ranges, Wi-Fi client isolation and disable management on the LAN side (keep open on the WAN side to access from the office network). Flick off the power after hours. All that should be easily achievable on Broadcom-based routers as many TP-Link units are.

 

If you are redoing the SOHO network altogether then the above suggestions are good; consider a proper firewall and separate access points.


5098 posts

Uber Geek
+1 received by user: 2125

Trusted
Subscriber

  Reply # 1486114 5-Feb-2016 17:36

Draytek 2800 series routers will do bandwidth limiting, and a bunch of other things.




Chorus has spent $1.4 billion on making their xDSL broadband network faster. If you're still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install - Naked DSL, DSL Master Splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com


2485 posts

Uber Geek
+1 received by user: 446


  Reply # 1488057 9-Feb-2016 13:38

Actually I found that some of the TP-Link routers do support VLAN tagging.

 

I am moving to UFB on an ISP that doesn't use VLAN tagging and have been looking at the TP-Link Archer C7 ~$200.

 

I figured it might be good if it did support VLAN tagging if I should ever need to change ISPs - though I wouldn't really expect I would need to change.

 

 

 

Anyway - found this http://forum.tp-link.com/showthread.php?81425-Archer-C7-new-firmware-does-not-support-vlan-id-10

 

Seems that on the C7 if you email them a support ticket they let you have a beta firmware that allows setting of VLAN10 - which I gather is what you need. It seems that the standard software has something under an IPTV section that lets you set VLAN tagging - but only allows numbers from 16-???? - and wouldn't let you ordinarily set 10 as a value.

 

 

 

In fact if you go to pricespy.co.nz and query "archer c7 VLAN10" it's now bringing up a model that is apparently ready off the shelf.





Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler
