Geekzone: technology news, blogs, forums


Earbanean

465 posts

Ultimate Geek


#275683 3-Sep-2020 16:33

We have a self-contained flat in the basement of our house that we're going to rent out again. Previously, we've let it to friends or family and they have shared our internet. However, with potentially strangers in there, I want to look at options to offer them internet access, but keep their access separate from ours. The flat has its own WAP (Cambium cnPilot E400) and one ethernet socket, both cabled back to our managed switch and router (Edgerouter Lite). We have another couple of WAPs and lots of ethernet ports in the main house and we also use a geo-unblocking DNS service on the router.

 

The options I see are:

 

1. VLAN

 

Set up a new SSID on the flat WAP and VLAN tag it. I'd also VLAN tag the port on the switch for the flat ethernet. This would mean I'd have to get up to speed with VLAN tagging and separation rules on the ERL. I'd probably also need to ensure the flat VLAN didn't have the geo-unblocking DNS.

 

2. Router Port

 

I could connect the flat WAP and ethernet port to Eth2 on the ERL, thus putting them on a separate subnet.  I'd have to wipe existing SSIDs off the flat WAP and replace with just the new guest SSID.  This would be simple to set up and is easy to set DNS at interface level in the ERL.  Are the subnets completely separate?

 

3. Separate ONT

 

If for some reason the tenants wanted their own router and ISP account, could I get a second port provisioned on the ONT and patch that to the ethernet to the flat? They could then connect their own router to the flat's ethernet socket.

 

 

 

What are the various pros and cons of these approaches and things I might have missed or need to consider?

 

 


Handle9
4747 posts

Uber Geek

Trusted
Lifetime subscriber

  #2556574 3-Sep-2020 16:40

@michaelmurfy would probably be best to comment.

 

I'd probably just do 2 and give them a nude ethernet socket to do with what they wished.


nztim
972 posts

Ultimate Geek

Subscriber

  #2556577 3-Sep-2020 16:45

I would create a separate network (however you wish to do this) with a different subnet, firewalled from your home subnet

 

If you go down the VLAN path

 

SSID with a unique VLAN, which would also have to be on your switch and the Edge Router. The tagged port on the Edge Router would need a different subnet, with a different DHCP scope from your LAN

 

If you use a different port

 

Use another port on your Edge Router to a different WAP with a different subnet and DHCP scope

 

 

 

 


 
 
 
 


sbiddle
29268 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #2556579 3-Sep-2020 16:51

Remember if you're just using a different subnet (via VLAN or physical port) that you'll need appropriate firewall rules to isolate traffic.


Earbanean

465 posts

Ultimate Geek


  #2556584 3-Sep-2020 17:08

Yeah, as I said in option 1, I'd have to get up to speed with setting rules for VLANs.  I thought maybe with the different physical port (and bridging not turned on), that I might not have to.  Is that not the case?


nztim
972 posts

Ultimate Geek

Subscriber

  #2556587 3-Sep-2020 17:13

Earbanean:

Yeah, as I said in option 1, I'd have to get up to speed with setting rules for VLANs.  I thought maybe with the different physical port (and bridging not turned on), that I might not have to.  Is that not the case?



You will need to turn off bridge and assign another subnet as well as obtain another WAP and, as @sbiddle said, firewall the two networks from seeing each other

This is the best option if you don't understand how VLANs work
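
The separate-port setup discussed above, sketched as EdgeOS CLI commands (an added example, not part of any poster's reply): the router forwards between its own subnets by default, so the firewall rulesets are what actually isolate the flat. The addressing (home LAN 192.168.1.0/24, flat 192.168.2.0/24 on eth2), the names FLAT, HOME_LAN, FLAT_IN and FLAT_LOCAL, and the 1.1.1.1 resolver are assumptions for illustration.

```edgeos
configure

# Assumed addressing: flat on eth2 with its own subnet and DHCP scope
set interfaces ethernet eth2 address 192.168.2.1/24
set service dhcp-server shared-network-name FLAT subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name FLAT subnet 192.168.2.0/24 start 192.168.2.50 stop 192.168.2.200
# Hand out a public resolver (example value) so the flat never uses the
# router's geo-unblocking DNS forwarder
set service dhcp-server shared-network-name FLAT subnet 192.168.2.0/24 dns-server 1.1.1.1

# Assumed home subnet that the flat must not reach
set firewall group network-group HOME_LAN network 192.168.1.0/24

# FLAT_IN: traffic arriving from the flat and routed THROUGH the router
set firewall name FLAT_IN default-action accept
# Allow replies to connections opened from the home side (e.g. managing the WAP)
set firewall name FLAT_IN rule 10 action accept
set firewall name FLAT_IN rule 10 state established enable
set firewall name FLAT_IN rule 10 state related enable
# Drop anything new from the flat towards the home LAN
set firewall name FLAT_IN rule 20 action drop
set firewall name FLAT_IN rule 20 destination group network-group HOME_LAN

# FLAT_LOCAL: traffic from the flat addressed TO the router itself
# Default drop keeps tenants off the web UI, SSH and the DNS forwarder
set firewall name FLAT_LOCAL default-action drop
# DHCP is the only router service the flat needs
set firewall name FLAT_LOCAL rule 10 action accept
set firewall name FLAT_LOCAL rule 10 protocol udp
set firewall name FLAT_LOCAL rule 10 destination port 67

# Attach both rulesets to the flat-facing interface
set interfaces ethernet eth2 firewall in name FLAT_IN
set interfaces ethernet eth2 firewall local name FLAT_LOCAL

commit
save
exit
```

For the VLAN option the same two rulesets attach to the tagged sub-interface (for example `eth1 vif 20`, an assumed VLAN ID) instead of eth2.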

shim99
33 posts

Geek


  #2556591 3-Sep-2020 17:21

I had a similar situation a while ago and used the following blog post to help me navigate around the edgerouter and e400

 

https://blog.gruby.com/2015/07/05/setting-up-a-guest-network-with-the-edgerouter-lite/comment-page-1/

 

The most difficult part was the edgerouter, the bit on the cambium is pretty easy as it's just a new SSID that uses the appropriate VLAN tag. Happy to provide more information if useful.


PolicyGuy
853 posts

Ultimate Geek

Lifetime subscriber

  #2556594 3-Sep-2020 17:25

I would first ask the tenant if they want landlord-provided Internet.
They might say "no" because they've got a Wireless Internet modem & account already, or they are quite happy to hotspot off their mobile, or they just don't want Internet - yes, it does happen.
If they say "yes", get them to contact their RSP to get the second ONT port livened, you just provide an Ethernet cable from the ONT to the flat, where they can put their RSP- or self-provided router.

 

That way, it's nothing to do with you, you will have no explaining to do if they do something extremely dodgy, it won't be on your IP address.
Besides that risk, allowing a tenant to 'share' your Internet connection may be in violation of your RSP's Ts&Cs.

 

Two ports on the ONT, use them!

 

 

 

 

 

Edit: speeling


 
 
 
 


Earbanean

465 posts

Ultimate Geek


  #2556595 3-Sep-2020 17:26

shim99:

 

I had a similar situation a while ago and used the following blog post to help me navigate around the edgerouter and e400

 

https://blog.gruby.com/2015/07/05/setting-up-a-guest-network-with-the-edgerouter-lite/comment-page-1/

 

The most difficult part was the edgerouter, the bit on the cambium is pretty easy as it's just a new SSID that uses the appropriate VLAN tag. Happy to provide more information if useful.

 

 

Thanks, I'll have a look at that. I was fairly confident the VLAN tagging bit would be easy, on both the WAP and the switch, but I thought the firewall rules would be a bit of a learning curve. I'd hoped maybe different subnets from the physical ports on the router (with bridging off) might do it for me, but seems not.


Earbanean

465 posts

Ultimate Geek


  #2556596 3-Sep-2020 17:31

PolicyGuy:
Besides that risk, allowing a tenant to 'share' your Internet connection may be in violation of your RSP's Ts&Cs

 

 

Hmm, not sure in a case where it's the same address that's not subdivided. i.e. If I have a flatmate or boarder, they can use my internet connection. If they're in a part of the house that happens to have its own kitchen area and bathroom, I'm not sure it changes.

 

Although, I get your point about them potentially doing something dodgy on our connection.  


danielfaulknor
664 posts

Ultimate Geek

Trusted
Prodigi
Subscriber

  #2556613 3-Sep-2020 19:10

It's already been mentioned but personally I would under no circumstances allow strangers to use a residential internet account in my name. You're in for a world of hurt if they do something dumb, illegal or both. A secondary port on the existing ONT is probably the safest option, though not the cheapest.





Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.

