Do guest networks run on a different channel than the main router?

terminator

Regular Contributor
I am adding some network camera/doorbell and IoT devices to the network. If I put them on one of the guest networks, other than security, are there any performance gains such that they won't impact the speed of the rest of the network as it's on a different channel? I know they are still using the same internet connection and depending on what's being done on the devices, a guest network won't help with that - I have 100 Mbps up/down and I am not too worried about that.
 
Guest networks use the same radios and same channel as your regular WiFi just a different SSID. If you set the guest networks to block access to the intranet it does add some security.
 
It will even slow your WiFi, as this additional SSID needs time (more overhead) in the transmission, so you will lose about 3% speed per SSID; therefore no more than about 3 guest SSIDs are recommended.

Usually you will do this to have them separated from your home network and allow them only a connection to the internet.

In my case I use:
a main SSID "myhome" with full access to everywhere only for family, same for 2G (for good coverage) and 5G (for speed) and all nodes with a strong password (easy connection with WPS).
1 guest SSID "myhome_guest" for friends at home, intranet disabled, easy password, changed more often
2 hidden SSID "myhome_automation" for home automation, strong password which will never change (would be much work on all devices to reconnect), intranet open depending on your needs and devices
3 test SSID "myhome_test2G/5G_router0/node1/node2" (temporarily activated) different for 2G/5G and all routers and nodes, so I am able to connect to a special channel and device for speed and functionality tests.
 
Just curious, while there is little doubt that having multiple SSIDs will probably slow down your WiFi, how or where did you come up with 3%?

I run four guest networks for my IoT devices. Two on each radio band, with one SSID being routed by the WAN and the other by a VPN. When I have house guests I turn on two additional SSIDs for their use. With the exception of my Roku Stick none of my IoT devices pull much bandwidth, and even when streaming I don't see any problems on my 180/22 connection, so even if there is a 3% slowdown, having multiple guest networks allows me more separation of IoT devices from each other, and if one of them gets hacked there are fewer other devices exposed.
 
http://bit.ly/wifissidoverhead

Each SSID does take up a certain amount of time that cannot be used for other traffic.

With 5 SSID's - you are dinging your potential bandwidth available by about 16 percent.

Thanks for the spreadsheet.

The loss in bandwidth isn't really a problem for me as most devices that connect on the router I have set up for guest networks don't require significant bandwidth, and even with a 16% loss off the top, 180/22 is way more bandwidth than they need.

My primary network is double NATed behind the router used for guest networks and it has just two SSIDs, one for each band, and only mobile devices connect to it. On the 5 GHz band my iPhone can run speedtests at 130 - 150 Mbps. All my heavy bandwidth requiring devices are connected using Ethernet to this router and I get the full 180/22, and with my primary computer I can get close to gig speed across my LAN.

So in my case even though there is an inefficiency created by extra SSIDs it doesn't have an impact severe enough to offset IMHO the additional security the extra SSIDs create.
 
Your WAN throughput has nothing to do with your WiFi throughput!

Your limiting factor is WAN; on WiFi it seems you got a lot more speed, so how could a 10% loss in WiFi be visible if you go outside measuring, your LAN and WiFi still much faster?
 
This is something I really need to do, never bothered with a guest network, I would only require one guest SSID.

Couple of questions

Is it wise to disable/enable guest SSID as and when required or is it ok to leave enabled 24/7, providing I use a strong password?

What is Intranet, seems like it's a home network term, I gather this is best to disable to stop guests from getting into my home network?

Thanks
 
Never mind having it open all the time.
Yes, internet means what you understand as the large world of computers; intranet is meant to be everything behind your modem, visible only to you (unless you open some ports/services to the internet via your modem).
So better to disable intranet access for guests.
 
Thanks, so I would need to open some ports if I disabled intranet, sorry confused.
 
No, if intranet is disabled they can only access the internet with public IP addresses; all devices within your LAN or intranet with private IP addresses could not be reached.

But some want to have access from the internet to their devices in their home intranet, so they need to open ports on the modem to have access to them.
No need to open any port for your guests to surf ...
 
Your WAN throughput has nothing to do with your WiFi throughput!

I threw the WAN comment in just to make the point that while having multiple guest networks does have an impact on WiFi speeds on the radio with multiple SSIDs, it isn't impacting my speeds or throughput on the WiFi SSIDs that I use for non IoT devices, either on the WAN or the LAN, with either wireless or wired connections, and at the same time I am increasing my network's security by isolating devices which might not be secure from each other.

In some cases having multiple SSIDs could conceivably be of benefit to WiFi speed. If your neighbor's router is set to auto and it sees your four SSIDs it may shift to what it determines is a less congested channel. Same for individuals that run WiFi scans and don't understand what they are seeing is one radio with four SSIDs and switch channels to avoid what they consider a congested channel.
 
In my case I use:
a main SSID "myhome" with full access to everywhere only for family, same for 2G (for good coverage) and 5G (for speed) and all nodes with a strong password (easy connection with WPS).
1 guest SSID "myhome_guest" for friends at home, intranet disabled, easy password, changed more often
2 hidden SSID "myhome_automation" for home automation, strong password which will never change (would be much work on all devices to reconnect), intranet open depending on your needs and devices
3 test SSID "myhome_test2G/5G_router0/node1/node2" (temporarily activated) different for 2G/5G and all routers and nodes, so I am able to connect to a special channel and device for speed and functionality tests.

Can you explain how to configure devices with the Merlin firmware for the "Home Automation" method you are using? I'm using the Amazon Echo along with a Universal Devices ISY994i to control my lighting and many other things. How can I keep the Echo (and other similar devices) off my intranet while still allowing it to connect to my hardwired ethernet ISY994 for voice control and other skills? Like most people, I have the normal assortment of other "smart" devices I'd like to configure similarly. I feel uncomfortable with things like the Echo connected to intranet with potential access to personal things.
 
You could somehow connect your ISY over WiFi too and allow guest WiFi devices to communicate with each other. Don't know how to define one LAN port as guest, maybe possible.

It was never meant to be useful for your situation, only said how we use them as an example and the hidden one unnecessarily to be shown in WiFi-list to all users.
 
Thanks for the response. Your information got me to look into security of IOT (internet of things). Oh goodness - there's a lot to learn! As I thought about it, I have way more devices than I originally thought with internet access that I hadn't even thought about. Your idea works for some things, and I could put my ISY on a separate wireless network, but I forgot that my ISY is tied into my automated alarm panel (ELK) to turn on all lights in the house, flash lights, secure alarm system, etc. Isolation and firewall rules get incredibly complex for someone like me who I'd consider a novice compared to everyone on this site or an intermediate to expert compared to most non-IT type users.
 
I run all my IoT devices on the router connected directly to the Internet. The devices that use WiFi connect using guest networks blocked from accessing the intranet. Also by being on the first router they can't access anything on the router double NATed behind this router, but it is possible for devices on the second router to access devices on the first router.

My second router is double NATed behind the Internet connected router. From devices connected to this network I can access the IoT devices, or they are accessible over the Internet using apps on phones or tablets, including my security camera, garage door opener, thermostat, wifi controlled outlets. No special routing or port forwarding is required since these devices are accessible from the Internet. Same for my Amazon spot. I have no need to access things such as Dash buttons which have only a single function once set up.

My point being if you want to securely isolate your IoT devices go ahead and try it. It will probably work just fine.
 
Something like your config would make sense for many in a similar situation, I think.

Often you get a router-modem from the provider; this uses NAT but often has bad WiFi or the wrong location for good coverage (best to disable it altogether).
On its LAN ports you can connect insecure devices (similar to a DMZ) and a WiFi router (to its WAN port); it will be double NAT but not that bad (more work for port forwards).
Behind this WiFi router your secured network is built up (with PC, NAS), but on its WiFi you can set up a guest SSID with only internet access, so they act like being only behind your first modem-router.
Your main SSID will be secure with access to the intranet, like being connected on a LAN port of the WiFi router.
 
So - Xfinity Bridged Modem to Router #1 (IOT) to Router #2 (Home PCs - Local Network)

I understand how to isolate the wireless devices on router #1. Can I also use the ethernet ports on Router #1 for wired IOT devices as well as I think I can use static IPs and turn off intranet access within the firmware?

Does router #2 need a different IP subnet and can it be a static IP (e.g. 192.168.1.20) on router #1?

I saw a post seeming to indicate to use DMZ on one of the routers (I think opening the DMZ on router #1 for the IP address of router #2 to allow router #2 to access anything without firewall rules). I'm trying to understand how devices on Router 2 can reach devices on Router 1 without IOT Router 1 devices reaching Router 2.

Your suggested design seems to really simplify things and is very intriguing.

One complicating factor is that I'm currently using (all Merlin FW) the AC86U as the primary router with 2 R68Us as hardwired access points using a common SSID (e.g. Net1_2G, Net1_5G) with separate channels on each router and access point (1, 6, 11 and 149, 153, 161). We have a very large home and this has so far worked very well as my kids have a strong signal for their iPhones throughout the home and there seems to be seamless switching between the access points as the kids move throughout the house, as I never hear complaints about losing connection or other issues. If I add another router with its own channel for IOT devices I'll likely have to figure out some other way to have good signal and seamless switching throughout the home. I'm in a neighborhood with single family homes with 125' lots and, so far, I don't seem to have any issues with the channel overlap with the neighbors as their signals are fairly weak inside our house when I did a wireless survey to determine which channel to use for each level / side of our home.
 
WAN IP of router 2 is within router 1 subnet 192.168.1.x maybe 192.168.1.2
Subnet of router 2 must be different 192.168.2.x due to NAT.

Subnet of router 1 can't access router 2 subnet without port forwarding anything on router 2 and its own firewall.
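
The one-way reachability of the two-router layout discussed above, as an added example that is not part of the original thread. It models who may open a new connection to whom; the subnets and router 2's WAN address come from the post, while the host addresses, the port forward and the function name `can_initiate` are constructed, and router 2 is assumed to drop unsolicited traffic on its WAN side.

```python
import ipaddress

# Subnets as named in the thread; host addresses used below are constructed.
R1_LAN = ipaddress.ip_network("192.168.1.0/24")  # router 1: IoT side
R2_WAN = ipaddress.ip_address("192.168.1.2")     # router 2's WAN address on router 1's LAN
R2_LAN = ipaddress.ip_network("192.168.2.0/24")  # router 2: home PCs behind the second NAT

def can_initiate(src, dst, port, r2_forwards=None, guest_isolated=False):
    """Return (allowed, reason) for a NEW connection from src to dst:port.

    r2_forwards: {wan_port: (lan_ip, lan_port)} port forwards set on router 2.
    guest_isolated: src sits on a router 1 guest SSID with intranet access off.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    r2_forwards = r2_forwards or {}
    if src in R2_LAN:
        if dst in R2_LAN:
            return True, "same LAN behind router 2"
        if dst in R1_LAN:
            # Router 2 rewrites the source, so the IoT device sees a local peer.
            return True, f"router 2 NATs the source to {R2_WAN}"
        return True, "internet via both NATs"
    if src in R1_LAN:
        if guest_isolated and dst.is_private:
            return False, "guest SSID: private (intranet) destinations blocked"
        if dst in R2_LAN:
            # Enforced by router 2's WAN-side firewall, not by NAT alone.
            return False, "no route to inner subnet; router 2 drops unsolicited WAN traffic"
        if dst == R2_WAN:
            if port in r2_forwards:
                ip, lan_port = r2_forwards[port]
                return True, f"port forward on router 2 -> {ip}:{lan_port}"
            return False, "no port forward on router 2 for this port"
        if dst in R1_LAN:
            return True, "same LAN on router 1"
        return True, "internet via router 1 NAT"
    raise ValueError(f"{src} is not in a modelled subnet")

if __name__ == "__main__":
    forwards = {8443: ("192.168.2.10", 443)}  # constructed forward on router 2
    flows = [("192.168.2.10", "192.168.1.50", 443, False),   # PC -> camera
             ("192.168.1.50", "192.168.2.10", 445, False),   # camera -> PC
             ("192.168.1.50", "192.168.1.2", 8443, False),   # camera -> forwarded port
             ("192.168.1.60", "192.168.1.2", 8443, True)]    # guest client -> forwarded port
    for src, dst, port, guest in flows:
        print(src, "->", f"{dst}:{port}", can_initiate(src, dst, port, forwards, guest))
```

Every port forward added on router 2 becomes reachable from the whole of router 1's LAN unless the source is also on an isolated guest SSID, so the forward list is the thing to audit.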
 
http://bit.ly/wifissidoverhead

Each SSID does take up a certain amount of time that cannot be used for other traffic.

With 5 SSID's - you are dinging your potential bandwidth available by about 16 percent.

I had a look at this spreadsheet and found the original article about the spreadsheet, but I still have a few questions:
  • What is now the standard beacon data rate? For the 2.4 GHz band, is it still 1 Mbps using 802.11?
  • What is the standard beacon data rate for the 5 GHz band?
  • Does having multiple guest networks affect network latency? Or is it just a speed reduction?
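
The per-SSID airtime cost discussed in this thread can be worked through from frame timing, as an added example that is not part of the original posts or of the linked spreadsheet. It counts beacons only; the 380-byte beacon, the 100 TU beacon interval and the two beacon rates (1 Mbps DSSS, 6 Mbps OFDM) are assumptions, and real beacons vary in size with the capabilities they advertise.

```python
import math

BEACON_INTERVAL_US = 102_400  # assumed default: 100 TU of 1024 microseconds each

def dsss_airtime_us(frame_bytes, rate_mbps=1.0):
    """802.11b DSSS frame: 192 us long PLCP preamble + header, then payload."""
    return 192 + frame_bytes * 8 / rate_mbps

def ofdm_airtime_us(frame_bytes, rate_mbps=6):
    """802.11a OFDM frame: 20 us preamble + SIGNAL, then 4 us data symbols."""
    bits_per_symbol = rate_mbps * 4          # 6 Mbps carries 24 data bits per symbol
    payload_bits = 16 + 8 * frame_bytes + 6  # SERVICE field + frame + tail bits
    return 20 + 4 * math.ceil(payload_bits / bits_per_symbol)

def beacon_overhead(ssids, airtime_us, interval_us=BEACON_INTERVAL_US):
    """Fraction of airtime used by beacons when every SSID beacons each interval."""
    return ssids * airtime_us / interval_us

def overhead_table(frame_bytes=380, max_ssids=5):
    """Rows of (ssids, overhead at 1 Mbps DSSS, overhead at 6 Mbps OFDM)."""
    slow, fast = dsss_airtime_us(frame_bytes), ofdm_airtime_us(frame_bytes)
    return [(n, beacon_overhead(n, slow), beacon_overhead(n, fast))
            for n in range(1, max_ssids + 1)]

if __name__ == "__main__":
    for n, slow, fast in overhead_table():
        print(f"{n} SSID(s): {slow:6.2%} at 1 Mbps, {fast:5.2%} at 6 Mbps")
```

With these assumed inputs the 1 Mbps column lands near the figures quoted in the thread, and the 6 Mbps column shows how strongly the result depends on the beacon rate.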
 
