Setting up guest WiFi on Cambium E400 and preventing access to LAN

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Setting up guest WiFi on Cambium E400 and preventing access to LAN

shim99

27 posts

Geek
+1 received by user: 6

Topic # 204743 15-Oct-2016 11:40

Hi,

I recently purchased a cambium E400 WAP which I am using in combination with a DrayTek 2760Vn modem/router.

I am trying to set up a guest network that allows access to the internet only and am looking for some help.

I can create a guest network on the E400 which has the appropriate splash page etc but I can still access the local network on 192.168.1.X

To prevent this I'm assuming I need to set some rules in the access tab under ACL but am not sure how to go about this.

Can anyone please point me in the right direction?

Thanks in advance.

Simon.

richms

21910 posts

Uber Geek
+1 received by user: 4603

Trusted

Subscriber

Reply # 1651540 15-Oct-2016 11:55

Ideally your router would put internet on a second vlan and then your guest network would be on that vlan so have no visibility to the wired network devices. Not sure that the draytek supports that.

Richard rich.ms

sbiddle

27572 posts

Uber Geek
+1 received by user: 7032

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 1651545 15-Oct-2016 12:08

One person supports this post

You will need to buy a new router that's better suited to your task.

The 2760 supports a 2nd LAN network but I don't think it'll support that on an ingress VLAN on an Ethernet port meaning you can't VLAN tag the SSID and bridge it to the 2nd guest network.

Something like a Mikrotik is the perfect solution but if you have no knowledge of networking you'll potentially need to find or pay somebody to configure it for you.

shim99

27 posts

Geek
+1 received by user: 6

Reply # 1651584 15-Oct-2016 13:49

Thanks @richms and @sbiddle.

We have UFB coming soon, so looks like I will wait until then to get something better.

I'm assuming the edge router lite will also be able to function like the Mikrotik.

hairy1

2781 posts

Uber Geek
+1 received by user: 393

Trusted

Lifetime subscriber

Reply # 1651586 15-Oct-2016 13:56

The E400 supports multiple VLAN's. You should be able to just set up a second VLAN (on the E400), put the guest internet on this VLAN.

Cheers, Matt.

My views (except when I am looking out their windows) are not those of my employer.

sbiddle

27572 posts

Uber Geek
+1 received by user: 7032

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 1651612 15-Oct-2016 15:07

hairy1:

The E400 supports multiple VLAN's. You should be able to just set up a second VLAN (on the E400), put the guest internet on this VLAN.

Cheers, Matt.

The problem is the router can't support a guest network on a VLAN. You can create a guest network on the Draytek and transmit a 2nd SSID on the wireless, but I'm pretty sure you can't ingress a VLAN on a LAN port (from an external AP) to bridge to that.

linw

1972 posts

Uber Geek
+1 received by user: 398

Subscriber

Reply # 1651778 16-Oct-2016 07:59

I've followed this posting using a tp-link WR841ND. http://blog.danjoannis.com/?p=1362

Works well.

shim99

27 posts

Geek
+1 received by user: 6

Reply # 1700505 9-Jan-2017 13:20

One person supports this post

Just following up on this topic. I have purchased an ER-Lite and followed this post on how for set up a guest network without access to the LAN. Once set-up on the ER-Lite I just created a new wireless profile on the Cambium with the corresponding VLAN and now users of the Guest network can't access LAN.

https://blog.gruby.com/2015/07/05/setting-up-a-guest-network-with-the-edgerouter-lite/comment-page-1/#comment-19220

tieke

290 posts

Ultimate Geek
+1 received by user: 50

Reply # 1714365 2-Feb-2017 11:02

shim99:

...Once set-up on the ER-Lite I just created a new wireless profile on the Cambium with the corresponding VLAN and now users of the Guest network can't access LAN.

I am trying to do this with my ERL and e400 without any success - I can't even get it to assign VLAN IP addresses. On the Cambium did you just add a new WLAN under the configuration section, or did you also have to add some VLAN info under the network section etc?

michaelmurfy

Mr Snotty
8421 posts

Uber Geek
+1 received by user: 4349

Moderator

Trusted

Lifetime subscriber

Reply # 1714386 2-Feb-2017 11:34

I've had this running on the E400 + Edgeroute Lite successfully.

1) Add a new VLAN.
2) Under Services, assign a new DHCP pool for the subnet you've chosen.
3) Firewall the crap out of the new subnet preventing access to the LAN-LOCAL rule and also your LAN.

I've still got this running with my UniFi if anyone needs a hand.

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

tieke

290 posts

Ultimate Geek
+1 received by user: 50

Reply # 1714430 2-Feb-2017 12:36

michaelmurfy:

I've had this running on the E400 + Edgeroute Lite successfully.

1) Add a new VLAN.
2) Under Services, assign a new DHCP pool for the subnet you've chosen.
3) Firewall the crap out of the new subnet preventing access to the LAN-LOCAL rule and also your LAN.

Thanks for your response - I followed the tutorial linked to by @shim99, which says pretty much the same thing. The problem is that I can't seem to then connect to that VLAN.

On the E400 I use for my standard LAN I added a new WLAN, gave it a guest SSID and set the VLAN to the guest VLAN (1003 in this case, as I went back and followed the tutorial exactly.) I could then connect to this WLAN, but could not get an IP, and also had no connectivity if I assigned the client a static IP in the new guest subnet. (Although I can ping the new router VLAN IP from my standard subnet, so it definitely exists on the ERL).

I temporarily removed the guest firewall rules on the ERL to simplify troubleshooting, and thought that I might need to make some changes to the Network settings on the E400, but wasn't sure what. I tried adding the VLAN under the "Add new L3 Interface" button on the VLAN tab but that didn't do the trick, so I thought I would ask here.

Thanks,

tieke

shim99

27 posts

Geek
+1 received by user: 6

Reply # 1714435 2-Feb-2017 12:45

One person supports this post

I will have a look when I get home, but there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

michaelmurfy

Mr Snotty
8421 posts

Uber Geek
+1 received by user: 4349

Moderator

Trusted

Lifetime subscriber

Reply # 1714437 2-Feb-2017 12:52

One person supports this post

@tieke have you got a managed switch? You may need to pass the VLAN over to the E400.

Also make sure you enable the VLAN in the E400's LAN settings (can't remember where to go - have not got a E400 anymore).

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

tieke

290 posts

Ultimate Geek
+1 received by user: 50

Reply # 1714446 2-Feb-2017 13:13

shim99:

... there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

That was it - under Network/Ethernet ports was an option for single or multiple trunking of VLANs.

Thanks guys.

hio77

'That VDSL Cat'
9672 posts

Uber Geek
+1 received by user: 2244

Trusted

Spark

Subscriber

Reply # 1714927 3-Feb-2017 12:28

tieke:

shim99:

... there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

That was it - under Network/Ethernet ports was an option for single or multiple trunking of VLANs.

Thanks guys.

This little bit catches me out every time!

add another vlan and forget to trunk the vlan in the AP or the Switch!

Bandwidth limits also work very well on the E400s.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.