

12 posts

Geek
+1 received by user: 1


Topic # 191474 5-Feb-2016 11:48

I'm replacing the (ISP supplied) router in a community centre, and want to be able to offer not only 'Guest Wifi/SSID', but also be able to restrict its bandwidth.  The building is on 100Mb Fibre which narrows the range of suitable routers.

 

It seems that most new routers offer a Guest Wifi option, with the ability to restrict access to other devices on the LAN, but not the bandwidth restriction.  The new TP-Link routers offer Guest Wifi bandwidth restriction, but don't support direct connection to Fibre (well, through the ONT), because they don't offer 'VLAN tagging'.

 

Would appreciate any advice from those who have solved this (ideally without going to DD-WRT).


1142 posts

Uber Geek
+1 received by user: 748

Trusted
BigPipe

  Reply # 1485844 5-Feb-2016 12:10

Some ISPs will do UFB without VLAN tagging, which would enable you to use that router if you want to.

 

Bigpipe (us) and MyRepublic are the two I am aware of, but there may be more.





bigpipe.co.nz
https://www.facebook.com/BigPipeNZ
https://twitter.com/BigPipeNZ


26618 posts

Uber Geek
+1 received by user: 6111

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1485907 5-Feb-2016 13:54
2 people support this post

Mikrotik router with suitable AP such as a UniFi or Mikrotik. You also need to factor in the network configuration to ensure that client isolation exists on the guest WiFi and that full L2 and L3 isolation exists between the guest network and the community centre network.

 

 




12 posts

Geek
+1 received by user: 1


  Reply # 1485943 5-Feb-2016 14:26

Hadn't looked at the Mikrotik range - obviously a bit more work up front, but plenty of flexibility!

 

 


954 posts

Ultimate Geek
+1 received by user: 193

Subscriber

  Reply # 1485949 5-Feb-2016 14:34

UniFi probably quite a good option too in case you wanted to add any extra APs in future

 

Not sure what you were thinking about open wifi vs using a simple WPA2 key - can I recommend the second option to avoid someone being able to eavesdrop on the traffic with 0 effort :)


269 posts

Ultimate Geek
+1 received by user: 20


  Reply # 1485969 5-Feb-2016 14:59

You should be able to configure that through the QoS functionality of a lot of routers.  I have a similar situation.  We have a self-contained flat in the basement of our house, which we rent out.  We give the tenants access to our WiFi, but don't want them hogging the bandwidth and stopping our Netflix streaming etc.  

 

I use a Netgear WNDR3700 router flashed with Gargoyle firmware.  Then in the QoS set up on that, I can set bandwidth percentage limits (percentages of max when link saturated), for groups of client IP addresses.  This works really well and means when we're not using the bandwidth, they have access to it.  But when we're both using it and it saturates, then we get priority.  I imagine a lot of stock firmware would also allow QoS based on IP addresses.


26618 posts

Uber Geek
+1 received by user: 6111

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1486013 5-Feb-2016 15:46

Assuming there are physical PCs (such as those for the community centre) the most important aspect here is VLAN or L2/L3 isolation. It's so common to find so many places that offer free WiFi who know nothing about security.

 

Having a WPA2 key offers added security over an open network but assuming you're their tech support you'll have a nightmare on your hands if you ever decide to change the password. It's the reason captive portals are still so popular.

 

 




12 posts

Geek
+1 received by user: 1


  Reply # 1486038 5-Feb-2016 15:58

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  Yes, isolation from the rest of the network is a must do.


26618 posts

Uber Geek
+1 received by user: 6111

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1486040 5-Feb-2016 16:01

mvanwijk:

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  

 

 

Assuming you're going to have a reasonable number of users then using WPA2 and changing it regularly will lead to support nightmares as I mentioned above.




12 posts

Geek
+1 received by user: 1


  Reply # 1486053 5-Feb-2016 16:16

I guess to be fair we're really thinking 'open-ish' - have a password, but display it inside the building where users can see it (but not visible from outside for 'drive by wifi'). Thoughts?


269 posts

Ultimate Geek
+1 received by user: 20


  Reply # 1486055 5-Feb-2016 16:18

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward.  You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128).  Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256).  Then set your QoS rules for those two ranges.
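An added example, not part of the original post and not Gargoyle's own code: a small planner for the static/DHCP split described above, which checks that the two ranges are usable, do not overlap, and expresses each as CIDR blocks for QoS rules. The subnet and the two ranges in the sample are constructed values, and the function name is hypothetical.

```python
import ipaddress

def plan_qos_ranges(subnet, static_first, static_last, dhcp_first, dhcp_last):
    """Validate a static/DHCP address split; return CIDR blocks per QoS class."""
    net = ipaddress.ip_network(subnet)
    ranges = {}
    for name, first, last in (("known", static_first, static_last),
                              ("guest", dhcp_first, dhcp_last)):
        # ip_address() itself rejects malformed addresses with ValueError
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            raise ValueError(f"{name}: range start is above range end")
        for addr in (lo, hi):
            if addr not in net or addr in (net.network_address,
                                           net.broadcast_address):
                raise ValueError(f"{name}: {addr} is not a usable host in {net}")
        ranges[name] = (lo, hi)
    (k_lo, k_hi), (g_lo, g_hi) = ranges["known"], ranges["guest"]
    if k_lo <= g_hi and g_lo <= k_hi:
        # An address in both ranges would match both QoS rules
        raise ValueError("static and DHCP ranges overlap")
    # Many rule editors take CIDR blocks rather than first-last ranges
    return {name: [str(c) for c in ipaddress.summarize_address_range(lo, hi)]
            for name, (lo, hi) in ranges.items()}

# Constructed sample plan for a /24 LAN
SAMPLE = ("192.168.1.0/24", "192.168.1.2", "192.168.1.127",
          "192.168.1.128", "192.168.1.254")

if __name__ == "__main__":
    for qos_class, blocks in plan_qos_ranges(*SAMPLE).items():
        print(qos_class, blocks)
```

Rules built this way classify by source address only, so they complement rather than replace the guest-network isolation discussed elsewhere in the thread.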




12 posts

Geek
+1 received by user: 1


  Reply # 1486062 5-Feb-2016 16:27

Earbanean:

 

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward.  You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128).  Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256).  Then set your QoS rules for those two ranges.

 

 

OK that sounds like less work than I'd thought...


1216 posts

Uber Geek
+1 received by user: 273


  Reply # 1486096 5-Feb-2016 17:14

Depending on requirements, the el-cheapo solution would be to just NAT the TP-Link router behind the existing office router. Apply outbound IP filtering rules to drop any traffic destined to upstream main office IP ranges, Wi-Fi client isolation and disable management on the LAN side (keep open on the WAN side to access from the office network). Flick off the power after hours. All that should be easily achievable on Broadcom-based routers as many TP-Link units are.

 

If you are redoing the SOHO network altogether then above suggestions are good, consider a proper firewall and separate access points.
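An added example, not part of the original post: a way to audit the outbound filter list on a guest router that is NATed behind the office router, reporting which office address space a guest packet could still reach. It assumes an ordered, first-match-wins rule list with a default accept; the subnets, the exception for the upstream gateway (for example if it serves DNS) and the function name are constructed for illustration.

```python
import ipaddress

def reachable_office_space(rules, office_nets, default="accept"):
    """Return the parts of office_nets that guest traffic can still reach.

    rules: ordered (action, destination CIDR) pairs, first match wins.
    IPv4 only; mixing address families raises TypeError.
    """
    reachable = []
    for office in map(ipaddress.ip_network, office_nets):
        remaining = [office]                      # not yet matched by any rule
        for action, cidr in rules:
            rule_net = ipaddress.ip_network(cidr)
            unmatched = []
            for block in remaining:
                if block.subnet_of(rule_net):     # rule covers the whole block
                    if action == "accept":
                        reachable.append(block)
                elif rule_net.subnet_of(block):   # rule covers part of the block
                    if action == "accept":
                        reachable.append(rule_net)
                    unmatched.extend(block.address_exclude(rule_net))
                else:                             # disjoint: rule does not apply
                    unmatched.append(block)
            remaining = unmatched
        if default == "accept":                   # fell through every rule
            reachable.extend(remaining)
    return [str(n) for n in ipaddress.collapse_addresses(reachable)]

# Constructed sample: the office LAN the guest router's WAN port sits in,
# plus a second office subnet that is easy to forget.
OFFICE_NETS = ["192.168.1.0/24", "10.0.50.0/24"]
# Weak list: allows the upstream gateway, drops only the directly attached LAN.
RULES_INCOMPLETE = [("accept", "192.168.1.1/32"), ("drop", "192.168.1.0/24")]
# Corrected list: also drops the remaining private range used by the office.
RULES_COMPLETE = RULES_INCOMPLETE + [("drop", "10.0.0.0/8")]

if __name__ == "__main__":
    print("incomplete:", reachable_office_space(RULES_INCOMPLETE, OFFICE_NETS))
    print("complete:  ", reachable_office_space(RULES_COMPLETE, OFFICE_NETS))
```

Anything the function still lists after the corrected rules is a deliberate exception that should be reviewed; an empty result means every office range is dropped before the default policy applies.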


5217 posts

Uber Geek
+1 received by user: 2240

Trusted
Lifetime subscriber

  Reply # 1486114 5-Feb-2016 17:36

Draytek 2800 series routers will do bandwidth limiting, and a bunch of other things.




Chorus has spent $1.4 billion on making their xDSL broadband network faster. If you're still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install - Naked DSL, DSL Master Splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com


2649 posts

Uber Geek
+1 received by user: 509


  Reply # 1488057 9-Feb-2016 13:38

Actually I found that some of the TP-Link routers do support VLAN tagging.

 

I am moving to UFB on an ISP that doesn't use VLAN tagging and have been looking at the TP-Link Archer c7 ~$200.

 

I figured it might be good if it did support VLAN tagging if I should ever need to change ISPs - though I wouldn't really expect I would need to change.

 

 

 

Anyway - found this http://forum.tp-link.com/showthread.php?81425-Archer-C7-new-firmware-does-not-support-vlan-id-10

 

Seems that on the C7 if you email them a support ticket they let you have a beta firmware that allows setting of VLAN10 - which I gather is what you need. It seems that the standard software has something under an IPTV section that lets you set VLAN tagging - but only allows numbers from 16-???? - and wouldn't let you ordinarily set 10 as a value.

 

 

 

In fact if you go to pricespy.co.nz and query "archer c7 VLAN10" it's now bringing up a model that is apparently ready off the shelf.





Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler
