Archer C5 setup

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Archer C5 setup

linw

2009 posts

Uber Geek
+1 received by user: 417

Subscriber

# 213817 13-Apr-2017 15:29

Trying to set up an Archer C5 v2 as an AP but seem to be finding that a reasonably secure (no LAN access) Guest login has not been catered for.

Wanting to have access to LAN/Internet from non-guest SSID, but for Guest SSID, I want no LAN access, Internet access, and active DHCP.

This seems to me to be a pretty reasonable ask but am having problems with working out DHCP. I don't want this router acting as DHCP server for the LAN (Gateway router doing this) but if I turn off DHCP on the Archer, the guest logins can't get an IP address. All but there but not quite.

Am I missing something or is what I want not possible?

(Could have done a 'proper' guest client with DD-WRT but find it is not aval for the V2!).

RunningMan

5479 posts

Uber Geek
+1 received by user: 1914

# 1763904 13-Apr-2017 15:41

For a guest network to be separated from the primary LAN, then the device providing that guest network needs to be the router at the edge of the network - if it's not, then the guests network needs to transition through the main LAN, meaning it isn't separated.

If the router and AP both support VLANs, it can be done that way.

What are you using for your router? Can the Archer tie an SSID to a VLAN?

linw

2009 posts

Uber Geek
+1 received by user: 417

Subscriber

# 1763949 13-Apr-2017 16:25

Thanks, RMan, for your succinct and knowledgeable reply. I can see that clearly, now.

This is not for me but vlans won't be possible at the install location. It would require too much extra gear to implement.

Never mind, I am sure a compromise will be OK for my friend. He wanted an extra AP downstairs (gateway is in floor above) for his BNB customers.

I can either set the Archer on a separate subnet to give LAN isolation or it can be set up for full access if my friend is happy with that (he has been doing that till now!!).

If it is set up on another subnet it just means all things needing LAN access will have to be done from his existing LAN connections.

Just a pity DD-WRT isn't aval as I have already used that to provide a segregated guest account in a club setting.

Cheers.

chevrolux

4083 posts

Uber Geek
+1 received by user: 1768

Subscriber

# 1763964 13-Apr-2017 17:11

2 people support this post

Have you already got the Archer?

A unifi AP would have been the better solution for you and provide proper guest isolation

RunningMan

5479 posts

Uber Geek
+1 received by user: 1914

# 1764028 13-Apr-2017 19:29

chevrolux: Have you already got the Archer?

A unifi AP would have been the better solution for you and provide proper guest isolation

This - in conjunction with a suitable primary router - would be ideal.

Even if you set up with separate subnets, in the great majority of instances there will still be routing between them, unless the router is specifically configured to disallow this. The result is while the networks have different address space, they simply aren't isolated from each other, which is really what the purpose of the guest network is...

What's the primary router that's being used - does it have any facility for a separate guest network?

linw

2009 posts

Uber Geek
+1 received by user: 417

Subscriber

# 1764257 14-Apr-2017 11:29

Yes, I have the Archer.

The primary router is a Netcomm NF15ACV and it does have guest logins but the wireless signal isn't strong enough downstairs.

I have tried the Archer on a different subnet and I can't see any other LAN devices when logged into it. This is acceptable to my friend, especially as he was allowing full LAN access previously!

RunningMan

5479 posts

Uber Geek
+1 received by user: 1914

# 1764409 14-Apr-2017 15:29

How are you checking whether or not you can see devices on the LAN? If the Archer is just doing NAT from the LAN, and dishing out IP addresses with DHCP, then you will still be able to connect to any device on the LAN - you may not see them from a Windows network browser, but they will be totally accessible to someone with a little knowledge.

Essentially, you are still allowing full LAN access, but there's a false sense of security because you don't see anything there - if you try connecting to a device on the LAN side, it will still connect fine. The network as is will work fine for getting internet access (and you have better wifi coverage), but please don't think it is any more secure than before - if this is OK for your friend, all good.

They only cheap/free way of getting that isolated guest wifi may be to move the main netcomm router so the wifi coverage is in a better place.

Failing that, if they want to spend a little money for a more robust setup, then come back for some recommendations - you don't say what sort of connection they currently have, but in the order of $250 for a decent router (eg. MikroTik, Edgerouter) and a couple of Unifi APs for $200 each would get a pretty solid setup.

linw

2009 posts

Uber Geek
+1 received by user: 417

Subscriber

# 1764707 15-Apr-2017 13:49

My friend has no real interest in more expense, complexity or security. Nor have I, since I would be first call for help!

I was the only one with concern for security, and as the LAN isn't easily visible, the purpose will be more than served.

Thanks again for your insight and time.

RunningMan

5479 posts

Uber Geek
+1 received by user: 1914

# 1764738 15-Apr-2017 14:39

I hope you get a free stay at the BnB for the work you put in!

linw

2009 posts

Uber Geek
+1 received by user: 417

Subscriber

# 1764744 15-Apr-2017 15:08

He's only a couple of K away so no change of scenery would be involved!!