Setting up guest WiFi on Cambium E400 and preventing access to LAN

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Setting up guest WiFi on Cambium E400 and preventing access to LAN

shim99

104 posts

Master Geek

ID Verified

#204743 15-Oct-2016 11:40

Hi,

I recently purchased a cambium E400 WAP which I am using in combination with a DrayTek 2760Vn modem/router.

I am trying to set up a guest network that allows access to the internet only and am looking for some help.

I can create a guest network on the E400 which has the appropriate splash page etc but I can still access the local network on 192.168.1.X

To prevent this I'm assuming I need to set some rules in the access tab under ACL but am not sure how to go about this.

Can anyone please point me in the right direction?

Thanks in advance.

Simon.

richms

28171 posts

Uber Geek

Trusted

Lifetime subscriber

#1651540 15-Oct-2016 11:55

Ideally your router would put internet on a second vlan and then your guest network would be on that vlan so have no visibility to the wired network devices. Not sure that the draytek supports that.

Richard rich.ms

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1651545 15-Oct-2016 12:08

You will need to buy a new router that's better suited to your task.

The 2760 supports a 2nd LAN network but I don't think it'll support that on an ingress VLAN on an Ethernet port meaning you can't VLAN tag the SSID and bridge it to the 2nd guest network.

Something like a Mikrotik is the perfect solution but if you have no knowledge of networking you'll potentially need to find or pay somebody to configure it for you.

shim99

104 posts

Master Geek

ID Verified

#1651584 15-Oct-2016 13:49

Thanks @richms and @sbiddle.

We have UFB coming soon, so looks like I will wait until then to get something better.

I'm assuming the edge router lite will also be able to function like the Mikrotik.

hairy1

3332 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1651586 15-Oct-2016 13:56

The E400 supports multiple VLAN's. You should be able to just set up a second VLAN (on the E400), put the guest internet on this VLAN.

Cheers, Matt.

My views (except when I am looking out their windows) are not those of my employer.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1651612 15-Oct-2016 15:07

hairy1:

The E400 supports multiple VLAN's. You should be able to just set up a second VLAN (on the E400), put the guest internet on this VLAN.

Cheers, Matt.

The problem is the router can't support a guest network on a VLAN. You can create a guest network on the Draytek and transmit a 2nd SSID on the wireless, but I'm pretty sure you can't ingress a VLAN on a LAN port (from an external AP) to bridge to that.

linw

2849 posts

Uber Geek

#1651778 16-Oct-2016 07:59

I've followed this posting using a tp-link WR841ND. http://blog.danjoannis.com/?p=1362

Works well.

shim99

104 posts

Master Geek

ID Verified

#1700505 9-Jan-2017 13:20

Just following up on this topic. I have purchased an ER-Lite and followed this post on how for set up a guest network without access to the LAN. Once set-up on the ER-Lite I just created a new wireless profile on the Cambium with the corresponding VLAN and now users of the Guest network can't access LAN.

https://blog.gruby.com/2015/07/05/setting-up-a-guest-network-with-the-edgerouter-lite/comment-page-1/#comment-19220

Tradepub

Free professional, reference and technical white papers (affiliate link).

tieke

674 posts

Ultimate Geek

ID Verified

#1714365 2-Feb-2017 11:02

shim99:

...Once set-up on the ER-Lite I just created a new wireless profile on the Cambium with the corresponding VLAN and now users of the Guest network can't access LAN.

I am trying to do this with my ERL and e400 without any success - I can't even get it to assign VLAN IP addresses. On the Cambium did you just add a new WLAN under the configuration section, or did you also have to add some VLAN info under the network section etc?

michaelmurfy

meow
13242 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1714386 2-Feb-2017 11:34

I've had this running on the E400 + Edgeroute Lite successfully.

1) Add a new VLAN.
2) Under Services, assign a new DHCP pool for the subnet you've chosen.
3) Firewall the crap out of the new subnet preventing access to the LAN-LOCAL rule and also your LAN.

I've still got this running with my UniFi if anyone needs a hand.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

tieke

674 posts

Ultimate Geek

ID Verified

#1714430 2-Feb-2017 12:36

michaelmurfy:

I've had this running on the E400 + Edgeroute Lite successfully.

1) Add a new VLAN.
2) Under Services, assign a new DHCP pool for the subnet you've chosen.
3) Firewall the crap out of the new subnet preventing access to the LAN-LOCAL rule and also your LAN.

Thanks for your response - I followed the tutorial linked to by @shim99, which says pretty much the same thing. The problem is that I can't seem to then connect to that VLAN.

On the E400 I use for my standard LAN I added a new WLAN, gave it a guest SSID and set the VLAN to the guest VLAN (1003 in this case, as I went back and followed the tutorial exactly.) I could then connect to this WLAN, but could not get an IP, and also had no connectivity if I assigned the client a static IP in the new guest subnet. (Although I can ping the new router VLAN IP from my standard subnet, so it definitely exists on the ERL).

I temporarily removed the guest firewall rules on the ERL to simplify troubleshooting, and thought that I might need to make some changes to the Network settings on the E400, but wasn't sure what. I tried adding the VLAN under the "Add new L3 Interface" button on the VLAN tab but that didn't do the trick, so I thought I would ask here.

Thanks,

tieke

shim99

104 posts

Master Geek

ID Verified

#1714435 2-Feb-2017 12:45

I will have a look when I get home, but there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

michaelmurfy

meow
13242 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1714437 2-Feb-2017 12:52

@tieke have you got a managed switch? You may need to pass the VLAN over to the E400.

Also make sure you enable the VLAN in the E400's LAN settings (can't remember where to go - have not got a E400 anymore).

tieke

674 posts

Ultimate Geek

ID Verified

#1714446 2-Feb-2017 13:13

shim99:

... there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

That was it - under Network/Ethernet ports was an option for single or multiple trunking of VLANs.

Thanks guys.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#1714927 3-Feb-2017 12:28

tieke:

shim99:

... there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

That was it - under Network/Ethernet ports was an option for single or multiple trunking of VLANs.

Thanks guys.

This little bit catches me out every time!

add another vlan and forget to trunk the vlan in the AP or the Switch!

Bandwidth limits also work very well on the E400s.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.