Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)Options for Separate Internet Access for Tenants
Earbanean

937 posts

Ultimate Geek


#275683 3-Sep-2020 16:33
Send private message

We have a self-contained flat in the basement of our house that we're going to rent out again.  Previously, we've let it to friends or family and they have shared our internet.  However, with potentially strangers in there, I want to look at options to offer them internet access, but keep their access separate from ours.  The flat has it's own WAP (Cambium cnPilot E400 and one ethernet socket, both cabled back to our managed switch and router (Edgerouter Lite).  We have another couple of WAPS and lots of ethernet ports in the main house and we also use a geo-unblocking dns service on the router.

 

The options I see are:

 

1. VLAN

 

Set up a new SSID on the flat WAP and VLAN tag it.  I'd also, VLAN tag the port on the switch for the flat ethernet.  This would mean I'd have to get up to speed with VLAN tagging and separation rules on the ERL.  I'd probably also need to ensure the flat VLAN didn't have the geo-unblocking DNS.

 

2. Router Port

 

I could connect the flat WAP and ethernet port to Eth2 on the ERL, thus putting them on a separate subnet.  I'd have to wipe existing SSIDs off the flat WAP and replace with just the new guest SSID.  This would be simple to set up and is easy to set DNS at interface level in the ERL.  Are the subnets completely separate?

 

3. Separate ONT

 

If for some reason the tenants wanted their own router and ISP account, could I get a second port provisioned on the ONT and patch that to the ethernet to the flat.  They could then connect their own router to the flat's ethernet socket.

 

 

 

What are the various pros and cons of these approaches and things I might have missed or need to consider?

 

 

Filter this topic showing only the reply marked as answer Create new topic
Handle9
11391 posts

Uber Geek

Trusted
Lifetime subscriber

  #2556574 3-Sep-2020 16:40
Send private message

@michaelmurfy would probably be best to comment.

 

I'd probably just do 2 and give them a nude ethernet socket to do with what they wished.



nztim
3816 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2556577 3-Sep-2020 16:45
Send private message

I would create a separate network (however you wish to do this) with a different Subnet fire walled from your home subnet

 

If you go down the VLAN path

 

SSID with a unique VLAN which would also have to be on your switch and the Edge Router, the tagged port on the edge router would need a different subnet, with different DHCP scope from your LAN

 

If you use a different port

 

use the another port on your Edge router to a different WAP with a different subnet and DHCP scope

 

 

 

 




Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2556579 3-Sep-2020 16:51
Send private message

Remember if you're just using a different subnet (via VLAN or physical port) that you'll need appropriate firewall rules to isolate traffic.



Earbanean

937 posts

Ultimate Geek


  #2556584 3-Sep-2020 17:08
Send private message

Yeah, as I said in option 1, I'd have to get up to speed with setting rules for VLANs.  I thought maybe with the different physical port (and bridging not turned on), that I might not have to.  Is that not the case?

nztim
3816 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2556587 3-Sep-2020 17:13
Send private message

Earbanean:

Yeah, as I said in option 1, I'd have to get up to speed with setting rules for VLANs.  I thought maybe with the different physical port (and bridging not turned on), that I might not have to.  Is that not the case?



You will need turn of bridge and assign another subnet as well as obtain another WAP and as @sbiddle said firewall the two networks from seeing each other

This is the best option if you don't understand how VLANs work




Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 

shim99
104 posts

Master Geek

ID Verified

  #2556591 3-Sep-2020 17:21
Send private message

I had a similar situation a while ago and used the following blog post to help me navigate around the edgerouter and e400

 

https://blog.gruby.com/2015/07/05/setting-up-a-guest-network-with-the-edgerouter-lite/comment-page-1/

 

The most difficult part was the edgerouter, the bit on the cambium is pretty easy as its just a new SSID that uses the appropriate VLAN tag. Happy to provide more information if useful. 

PolicyGuy
1727 posts

Uber Geek

ID Verified
Lifetime subscriber

  #2556594 3-Sep-2020 17:25
Send private message

I would first ask the tenant if they want landlord-provided Internet.
They might say "no" because they've got a Wireless Internet modem & account already, or they are quite happy to hotspot off their mobile, or they just don't want Internet - yes, it does happen.
If they say "yes", get them to contact their RSP to get the second ONT port livened, you just provide an Ethernet cable from the ONT to the flat, where they can put their RSP- or self-provided router.

 

That way, it's nothing to do with you, you will have no explaining to do if they do something extremely dodgy, it won't be on your IP address.
Besides that risk, allowing a tenant to 'share' your Internet connection may be in violation of your RSP's Ts&Cs.

 

Two ports on the ONT, use them!

 

 

 

 

 

Edit: speeling

 
 
 
 

Send money globally for less with Wise - one free transfer up to NZ$900 (affiliate link).
Earbanean

937 posts

Ultimate Geek


  #2556595 3-Sep-2020 17:26
Send private message

shim99:

 

I had a similar situation a while ago and used the following blog post to help me navigate around the edgerouter and e400

 

https://blog.gruby.com/2015/07/05/setting-up-a-guest-network-with-the-edgerouter-lite/comment-page-1/

 

The most difficult part was the edgerouter, the bit on the cambium is pretty easy as its just a new SSID that uses the appropriate VLAN tag. Happy to provide more information if useful. 

 

 

Thanks, I'll have a look a that.  I was fairly confident the VLAN tagging bit would be easy, on both the WAP and the switch, but I thought the firewall rules would be a bit of a learning curve.  I'd hoped maybe different subnets from the physical ports on the router (with bridging off) might do it for me, but seems not.

Earbanean

937 posts

Ultimate Geek


  #2556596 3-Sep-2020 17:31
Send private message

PolicyGuy:
Besides that risk, allowing a tenant to 'share' your Internet connection may be in violation of your RSP's Ts&Cs

 

 

Hmm, not sure in a case where it's the same address that's not subdivided.  i.e. If I have a flatmate or boarder, they can use my internet connection.  If they're in a part of the house that happens to have it's own kitchen area and bathroom, I'm not sure it changes.

 

Although, I get your point about them potentially doing something dodgy on our connection.  

danfaulknor
939 posts

Ultimate Geek

Trusted
Prodigi

  #2556613 3-Sep-2020 19:10
Send private message

It's already been mentioned but personally I would under no circumstances allow strangers to use a residential internet account in my name. You're in for a world of hurt if they do something dumb, illegal or both. A secondary port on the existing ONT is probably the safest option, though not the cheapest.




they/them

 

Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.

Filter this topic showing only the reply marked as answer Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00

eero Pro 7 Review
Posted 23-Jul-2025 12:07

BeeStation Plus Review
Posted 21-Jul-2025 14:21

eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01

WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32

RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26

Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24

Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05

Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01

Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01

Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22

Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46

Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42

D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34

Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
GoodSync
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright