Geekzone: technology news, blogs, forums




12 posts

Geek
+1 received by user: 1


Topic # 191474 5-Feb-2016 11:48

I'm replacing the (ISP supplied) router in a community centre, and want to be able to offer not only 'Guest Wifi/SSID', but also be able to restrict its bandwidth. The building is on 100Mb Fibre which narrows the range of suitable routers.

 

It seems that most new routers offer a Guest Wifi option, with the ability to restrict access to other devices on the LAN, but not the bandwidth restriction.  The new TP-Link routers offer Guest Wifi bandwidth restriction, but don't support direct connection to Fibre (well, through the ONT), because they don't offer 'VLAN tagging'.

 

Would appreciate any advice from those who have solved this (ideally without going to DD-WRT).


1134 posts

Uber Geek
+1 received by user: 741

Trusted
BigPipe

  Reply # 1485844 5-Feb-2016 12:10

Some ISPs will do UFB without VLAN tagging, which would enable you to use that router if you want to.

 

Bigpipe (us) and MyRepublic are the two I am aware of, but there may be more.





www.bigpipe.co.nz
https://www.facebook.com/BigPipeNZ
https://twitter.com/BigPipeNZ

25945 posts

Uber Geek
+1 received by user: 5630

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1485907 5-Feb-2016 13:54
2 people support this post

Mikrotik router with suitable AP such as a UniFi or Mikrotik. You also need to factor in the network configuration to ensure that client isolation exists on the guest WiFi and that full L2 and L3 isolation exists between the guest network and the community centre network.

 

 


 
 
 
 




12 posts

Geek
+1 received by user: 1


  Reply # 1485943 5-Feb-2016 14:26

Hadn't looked at the Mikrotik range - obviously a bit more work up front, but plenty of flexibility!

 

 


920 posts

Ultimate Geek
+1 received by user: 185

Subscriber

  Reply # 1485949 5-Feb-2016 14:34

 UniFi probably quite a good option too in case you wanted to add any extra APs in future

 

Not sure what you were thinking about open wifi vs using a simple WPA2 key - can I recommend the second option to avoid someone being able to eavesdrop on the traffic with 0 effort :)


250 posts

Master Geek
+1 received by user: 20


  Reply # 1485969 5-Feb-2016 14:59

You should be able to configure that through the QoS functionality of a lot of routers.  I have a similar situation.  We have a self-contained flat in the basement of our house, which we rent out.  We give the tenants access to our WiFi, but don't want them hogging the bandwidth and stopping our Netflix streaming etc.  

 

I use a Netgear WNDR3700 router flashed with Gargoyle firmware. Then in the QoS set up on that, I can set bandwidth percentage limits (percentages of max when link saturated), for groups of client IP addresses. This works really well and means when we're not using the bandwidth, they have access to it. But when we're both using it and it saturates, then we get priority. I imagine a lot of stock firmware would also allow QoS based on IP addresses.


25945 posts

Uber Geek
+1 received by user: 5630

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1486013 5-Feb-2016 15:46

Assuming there are physical PCs (such as those for the community centre) the most important aspect here is VLAN or L2/L3 isolation. It's so common to find so many places that offer free WiFi who know nothing about security.

 

Having a WPA2 key offers added security over an open network but assuming you're their tech support you'll have a nightmare on your hands if you ever decide to change the password. It's the reason captive portals are still so popular.

 

 




12 posts

Geek
+1 received by user: 1


  Reply # 1486038 5-Feb-2016 15:58

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  Yes, isolation from the rest of the network is a must do.


25945 posts

Uber Geek
+1 received by user: 5630

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1486040 5-Feb-2016 16:01

mvanwijk:

 

We're not planning to offer 'Open' Wifi (ie. unsecured) - would definitely be using a password (which would change regularly-ish).  

 

 

Assuming you're going to have a reasonable number of users then using WPA2 and changing it regularly will lead to support nightmares as I mentioned above.




12 posts

Geek
+1 received by user: 1


  Reply # 1486053 5-Feb-2016 16:16

I guess to be fair we're really thinking 'open-ish' - have a password, but display it inside the building where users can see it (but not visible from outside for 'drive by wifi'). Thoughts?


250 posts

Master Geek
+1 received by user: 20


  Reply # 1486055 5-Feb-2016 16:18

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward. You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128). Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256). Then set your QoS rules for those two ranges.




12 posts

Geek
+1 received by user: 1


  Reply # 1486062 5-Feb-2016 16:27

Earbanean:

 

mvanwijk:

 

I noticed a number of routers do offer IP address-based QoS features, but unless the 'Guest Wifi' only allocates addresses in a particular range then I'm not sure if this would work in practice.

 

 

I can't speak for most routers, but with Gargoyle that's straightforward. You give static IP addresses to all your own known clients and have those in a particular range (say 192.168.1.2 - 192.168.1.128). Then you set the range for DHCP lease allocation for any other clients in a different range (say .128 - .256). Then set your QoS rules for those two ranges.

 

 

OK that sounds like less work than I'd thought...


1031 posts

Uber Geek
+1 received by user: 216


  Reply # 1486096 5-Feb-2016 17:14

Depending on requirements, the el-cheapo solution would be to just NAT the TP-Link router behind the existing office router. Apply outbound IP filtering rules to drop any traffic destined to upstream main office IP ranges, Wi-Fi client isolation and disable management on the LAN side (keep open on the WAN side to access from the office network). Flick off the power after hours. All that should be easily achievable on Broadcom-based routers as many TP-Link units are.

 

If you are redoing the SOHO network altogether then the above suggestions are good, consider a proper firewall and separate access points.
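
The outbound filter described in the reply above, modelled as an added example (not part of the original post and not any router's firmware) so the addressing plan can be checked before it is deployed. All addresses are constructed, and the model assumes the filter applies to forwarded traffic only, so a DNS proxy on the guest router itself keeps working.

```python
import ipaddress as ip

# Constructed addressing plan (assumption, not taken from the thread).
OFFICE_RANGES = [ip.ip_network("192.168.1.0/24")]   # upstream office LAN
GUEST_NET = ip.ip_network("192.168.88.0/24")        # LAN side of the guest router
GUEST_ROUTER_LAN = ip.ip_address("192.168.88.1")    # guest router's own LAN address

def forward_verdict(src, dst, office=OFFICE_RANGES, guest=GUEST_NET):
    """Verdict for a packet the guest router is asked to forward upstream."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src not in guest:
        return "drop"     # assumption: only guest-LAN sources are forwarded
    if any(dst in net for net in office):
        return "drop"     # the outbound filter: guest -> office ranges
    return "accept"       # everything else is NATed out of the WAN port

def audit_plan(dns_servers, office=OFFICE_RANGES, guest=GUEST_NET):
    """Return a list of problems in the plan; an empty list means consistent."""
    problems = []
    for net in office:
        # Double NAT with the same subnet on both sides breaks routing and
        # makes the "drop office ranges" rule match the guests' own LAN.
        if guest.overlaps(net):
            problems.append(f"guest subnet {guest} overlaps office range {net}")
    client = str(guest.network_address + 10)   # a representative guest client
    for server in dns_servers:
        if ip.ip_address(server) == GUEST_ROUTER_LAN:
            continue      # answered by the router itself, never forwarded
        if forward_verdict(client, server, office, guest) == "drop":
            problems.append(f"DNS server {server} is inside a blocked office range")
    return problems

if __name__ == "__main__":
    for dst in ("192.168.1.10", "203.0.113.5"):
        print(dst, forward_verdict("192.168.88.23", dst))
    # Handing guests the office router as their resolver is caught here.
    print(audit_plan(["192.168.1.1"]))
```

The second check matters in practice: if the guest DHCP scope hands out the office router as DNS server, the filter silently breaks name resolution for guests.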


5114 posts

Uber Geek
+1 received by user: 2140

Trusted
Subscriber

  Reply # 1486114 5-Feb-2016 17:36

Draytek 2800 series routers will do bandwidth limiting, and a bunch of other things.




Chorus has spent $1.4 billion on making their xDSL broadband network faster. If you're still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install - Naked DSL, DSL Master Splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com


2501 posts

Uber Geek
+1 received by user: 461


  Reply # 1488057 9-Feb-2016 13:38

Actually I found that some of the TP-Link routers do support VLAN tagging.

 

I am moving to UFB on an ISP that doesn't use VLAN tagging and have been looking at the TP-Link Archer C7 ~$200.

 

I figured it might be good if it did support VLAN tagging if I should ever need to change ISPs - though I wouldn't really expect I would need to change.

 

 

 

Anyway - found this http://forum.tp-link.com/showthread.php?81425-Archer-C7-new-firmware-does-not-support-vlan-id-10

 

Seems that on the C7 if you email them a support ticket they let you have a beta firmware that allows setting of VLAN10 - which I gather is what you need. It seems that the standard software has something under an IPTV section that lets you set VLAN tagging - but only allows numbers from 16-???? - and wouldn't let you ordinarily set 10 as a value.

 

 

 

In fact if you go to pricespy.co.nz and query "archer c7 VLAN10" it's now bringing up a model that is apparently ready off the shelf.





Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler
