Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)Setting up guest WiFi on Cambium E400 and preventing access to LAN


22 posts

Geek
+1 received by user: 5


Topic # 204743 15-Oct-2016 11:40
Send private message

Hi, 

 

I recently purchased a cambium E400 WAP which I am using in combination with a DrayTek 2760Vn modem/router. 

 

I am trying to set up a guest network that allows access to the internet only and am looking for some help. 

 

I can create a guest network on the E400 which has the appropriate splash page etc but I can still access the local network on 192.168.1.X

 

To prevent this I'm assuming I need to set some rules in the access tab under ACL but am not sure how to go about this. 

 

Can anyone please point me in the right direction?

 

Thanks in advance. 

 

Simon. 

Create new topic
21614 posts

Uber Geek
+1 received by user: 4430

Trusted
Subscriber

  Reply # 1651540 15-Oct-2016 11:55
Send private message

Ideally your router would put internet on a second vlan and then your guest network would be on that vlan so have no visibility to the wired network devices. Not sure that the draytek supports that.




Richard rich.ms

27270 posts

Uber Geek
+1 received by user: 6699

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1651545 15-Oct-2016 12:08
One person supports this post
Send private message

You will need to buy a new router that's better suited to your task.

 

The 2760 supports a 2nd LAN network but I don't think it'll support that on an ingress VLAN on an Ethernet port meaning you can't VLAN tag the SSID and bridge it to the 2nd guest network.

 

Something like a Mikrotik is the perfect solution but if you have no knowledge of networking you'll potentially need to find or pay somebody to configure it for you.

 

 

 

 

 
 
 
 




22 posts

Geek
+1 received by user: 5


  Reply # 1651584 15-Oct-2016 13:49
Send private message

Thanks @richms and @sbiddle

 

We have UFB coming soon, so looks like I will wait until then to get something better. 

 

I'm assuming the edge router lite will also be able to function like the Mikrotik. 

 

S. 

2744 posts

Uber Geek
+1 received by user: 371

Trusted
Lifetime subscriber

  Reply # 1651586 15-Oct-2016 13:56
Send private message

The E400 supports multiple VLAN's. You should be able to just set up a second VLAN (on the E400), put the guest internet on this VLAN.

 

Cheers, Matt.




My views (except when I am looking out their windows) are not those of my employer.

27270 posts

Uber Geek
+1 received by user: 6699

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1651612 15-Oct-2016 15:07
Send private message

hairy1:

 

The E400 supports multiple VLAN's. You should be able to just set up a second VLAN (on the E400), put the guest internet on this VLAN.

 

Cheers, Matt.

 

 

The problem is the router can't support a guest network on a VLAN. You can create a guest network on the Draytek and transmit a 2nd SSID on the wireless, but I'm pretty sure you can't ingress a VLAN on a LAN port (from an external AP) to bridge to that.

1933 posts

Uber Geek
+1 received by user: 382

Subscriber

  Reply # 1651778 16-Oct-2016 07:59
Send private message

I've followed this posting using a tp-link WR841ND.  http://blog.danjoannis.com/?p=1362

 

Works well.

 

 



22 posts

Geek
+1 received by user: 5


  Reply # 1700505 9-Jan-2017 13:20
One person supports this post
Send private message

Just following up on this topic. I have purchased an ER-Lite and followed this post on how for set up a guest network without access to the LAN. Once set-up on the ER-Lite I just created a new wireless profile on the Cambium with the corresponding VLAN and now users of the Guest network can't access LAN. 

 

https://blog.gruby.com/2015/07/05/setting-up-a-guest-network-with-the-edgerouter-lite/comment-page-1/#comment-19220

286 posts

Ultimate Geek
+1 received by user: 49


  Reply # 1714365 2-Feb-2017 11:02
Send private message

shim99:

 

...Once set-up on the ER-Lite I just created a new wireless profile on the Cambium with the corresponding VLAN and now users of the Guest network can't access LAN.

 

 

I am trying to do this with my ERL and e400 without any success - I can't even get it to assign VLAN IP addresses. On the Cambium did you just add a new WLAN under the configuration section, or did you also have to add some VLAN info under the network section etc?

Mr Snotty
8078 posts

Uber Geek
+1 received by user: 4051

Moderator
Trusted
Lifetime subscriber

  Reply # 1714386 2-Feb-2017 11:34
Send private message

I've had this running on the E400 + Edgeroute Lite successfully.

 

1) Add a new VLAN.
2) Under Services, assign a new DHCP pool for the subnet you've chosen.
3) Firewall the crap out of the new subnet preventing access to the LAN-LOCAL rule and also your LAN.

 

I've still got this running with my UniFi if anyone needs a hand.




Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router GuideCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

286 posts

Ultimate Geek
+1 received by user: 49


  Reply # 1714430 2-Feb-2017 12:36
Send private message

michaelmurfy:

 

I've had this running on the E400 + Edgeroute Lite successfully.

 

1) Add a new VLAN.
2) Under Services, assign a new DHCP pool for the subnet you've chosen.
3) Firewall the crap out of the new subnet preventing access to the LAN-LOCAL rule and also your LAN.

 

 

Thanks for your response - I followed the tutorial linked to by @shim99, which says pretty much the same thing. The problem is that I can't seem to then connect to that VLAN.

 

On the E400 I use for my standard LAN I added a new WLAN, gave it a guest SSID and set the VLAN to the guest VLAN (1003 in this case, as I went back and followed the tutorial exactly.) I could then connect to this WLAN, but could not get an IP, and also had no connectivity if I assigned the client a static IP in the new guest subnet. (Although I can ping the new router VLAN IP from my standard subnet, so it definitely exists on the ERL).

 

I temporarily removed the guest firewall rules on the ERL to simplify troubleshooting, and thought that I might need to make some changes to the Network settings on the E400, but wasn't sure what. I tried adding the VLAN under the "Add new L3 Interface" button on the VLAN tab but that didn't do the trick, so I thought I would ask here.

 

Thanks,

 

tieke



22 posts

Geek
+1 received by user: 5


  Reply # 1714435 2-Feb-2017 12:45
One person supports this post
Send private message

I will have a look when I get home, but there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

 

 

Mr Snotty
8078 posts

Uber Geek
+1 received by user: 4051

Moderator
Trusted
Lifetime subscriber

  Reply # 1714437 2-Feb-2017 12:52
One person supports this post
Send private message

@tieke have you got a managed switch? You may need to pass the VLAN over to the E400.

 

Also make sure you enable the VLAN in the E400's LAN settings (can't remember where to go - have not got a E400 anymore).




Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router GuideCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

286 posts

Ultimate Geek
+1 received by user: 49


  Reply # 1714446 2-Feb-2017 13:13
Send private message

shim99:

 

... there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

 

 

That was it - under Network/Ethernet ports was an option for single or multiple trunking of VLANs.

 

Thanks guys.

'That VDSL Cat'
9067 posts

Uber Geek
+1 received by user: 1993

Trusted
Spark
Subscriber

  Reply # 1714927 3-Feb-2017 12:28
Send private message

tieke:

 

shim99:

 

... there is also the step on the e400 where in addition to creating the VLAN you need to allow the E400 to trunk multiple VLANs. I think the setting is under 'network'.

 

 

That was it - under Network/Ethernet ports was an option for single or multiple trunking of VLANs.

 

Thanks guys.

 

 

 

 

This little bit catches me out every time!

 

 

 

add another vlan and forget to trunk the vlan in the AP or the Switch!

 

Bandwidth limits also work very well on the E400s.




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Geekzone Live »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.