Guest network on APs


zsero

Occasional Visitor
I'd like to set up wireless guest networks, and I don't yet understand how it works properly.

What I know is that the EdgeRouter Lite I'm using has the 2 LAN + 1 WAN wizard, which sets things up perfectly for 2 hardware-separated independent networks.
One port is 192.168.1.1/24, the other is 192.168.2.1/24.
Both have a DHCP server with independent settings, both have NAT, etc. There is no way to see one network from the other. Perfect! So far everything is clear to me in this case.

Now my confusion comes from having to make this work with APs, which broadcast both the internal network and the guest network. Naively, I'd guess that what I need is either two cables for the APs (from the 2 LAN ports on the EdgeRouter) or to make a fully managed network and use VLAN tagging, which I have never done before.

What confuses me even more is that the Ruckus APs we might end up using will be installed and managed by a professional company, who say that the AP can itself make the guest network, even from a single wire of unmanaged Ethernet. What they recommended was to use "restrict user access to subnets" and "client isolation".

Can you explain to me how this is possible, as I thought that guest isolation can only happen on the router, either with physical cabling or with VLANs?
 
I don't know exactly how they are doing it, but in all likelihood they are using some kind of VLAN tagging. Or some other proprietary tagging mechanism.

Normal wireless guest network access is done through the router and restricts access only to the WAN port. On an AP with support it is pretty easy to do VLAN tagging of a guest SSID and then have that VLAN only be able to access the router and its WAN port. Or if you need access to a wired network, again use VLAN tagging to allow access to only what you want the guest network to access.
 
So you are pretty much saying that the only way to solve it is via VLAN tagging. I'd have guessed the same.

Now if we go with VLANs, my big question: are unmanaged switches able to pass through VLAN tags? So if I do EdgeRouter <> unmanaged gbit switch <> wireless AP, is the VLAN tag preserved, or discarded?
 
Be careful with the EdgeRouter Lite default configuration. Unless you have changed what the wizard set up, the two subnets can talk to each other (192.168.1.x and 192.168.2.x). The EdgeRouter automatically builds routes for the internal LAN side.

Ok, now about the APs. I do not know anything about Ruckus APs but I do know about Ubiquiti APs. On Ubiquiti APs they have a guest isolation feature you can use (separate from VLANs). What it does is give the guest access to only the default gateway address to get to the internet. So it can use the same subnet as your personal PCs but cannot see them. In fact you can define what IP addresses it can and can't see if you want (or let the wizard do it for you). That is how they make guest isolation possible on the same VLAN and subnet as your personal stuff.

On your last question, an unmanaged switch: it is best to not use an unmanaged switch to try to pass VLAN tags. Most can't do it and usually strip the tag off or drop the packet for being the wrong size. Now there are some that can pass the VLAN tags. It is really hit or miss because even if they can pass the tags most don't advertise that. You just have to try them. Personally, if you are going to use VLANs I would use a managed switch. The costs have come way down on the smart switches available.
 
Thanks a lot for this!

So just to sum it up:
1. I can just put everything on one subnet, one Ethernet, no VLAN tags. Even the default wizard is ok in Ubiquiti as I'd only be using one port.
2. I can set the APs to only allow access to the gateway IP for guests.
3. I don't need managed switches and the headache they introduce if I simply want to restrict the guest network like this.

Is that OK?
 

Yes, that is correct. Also on the Ubiquiti AP you can put a bandwidth limit on the guest network so they can't use up all your bandwidth. What the wizard did at my house was put in "Restricted Subnets", where the guest can't talk to anything on those networks (except the default gateway). In the restricted subnets group it put all private subnets, lol (192.168, 172.16, and 10.0.0.0). Also, when I say it can see the default gateway from the guest network, I mean it can forward traffic to it. Guests cannot pull up your management screen for the default gateway (if your management IP and default gateway are the same).
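To make the "Restricted Subnets" behaviour described in that reply concrete, here is an added example (my own code, not anything from Ubiquiti, Ruckus or the EdgeRouter) that models the guest policy as a packet filter and runs it over a handful of constructed flows. The gateway address, the list of restricted subnets, the services guests are allowed to reach on the gateway itself (DHCP and DNS) and the blocked management ports are all assumptions chosen to match the post; on a real AP you would check what the wizard actually populated and, if guests need an internal DNS or captive-portal host, add it to the exceptions list explicitly rather than loosening the subnet block.

```python
from ipaddress import ip_address, ip_network

# Assumed values modelling the post: the AP's guest policy blocks every
# RFC 1918 range ("Restricted Subnets") but still lets guests forward
# traffic through the default gateway to the internet.
GATEWAY = ip_address("192.168.1.1")
RESTRICTED_SUBNETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
# Services a guest legitimately needs from the gateway host itself (assumed).
GATEWAY_SERVICES = {("udp", 67), ("udp", 53), ("tcp", 53)}
# Anything else addressed to the gateway host (SSH, HTTP/HTTPS management UI,
# etc.) is dropped, which is the "can forward, cannot manage" behaviour.


def guest_policy(dst, proto, port, exceptions=()):
    """Decide the fate of one packet sent by a guest client.

    dst        -- destination IP as a string
    proto/port -- transport protocol ("tcp"/"udp") and destination port
    exceptions -- optional iterable of (ip, proto, port) tuples that are
                  explicitly allowed inside the restricted ranges
                  (e.g. an internal DNS resolver)

    Returns (verdict, reason) where verdict is "allow" or "drop".
    """
    dst_ip = ip_address(dst)

    # Packets for the internet are only L2-addressed to the gateway; their
    # L3 destination is the remote host, so they never match the checks
    # below and are forwarded.
    if dst_ip == GATEWAY:
        if (proto, port) in GATEWAY_SERVICES:
            return "allow", "gateway service (DHCP/DNS)"
        return "drop", "gateway management or other service"

    if (dst, proto, port) in set(exceptions):
        return "allow", "explicit exception"

    # Guest-to-guest and guest-to-LAN traffic lands here: the guest lives in
    # 192.168.1.0/24, so its own neighbours are inside a restricted range.
    if any(dst_ip in net for net in RESTRICTED_SUBNETS):
        return "drop", "destination in restricted private subnet"

    return "allow", "forwarded to internet"


# Constructed sample flows (not captured traffic) exercising each branch.
SAMPLE_FLOWS = [
    ("8.8.8.8", "udp", 53),          # public resolver: forwarded
    ("93.184.216.34", "tcp", 443),   # public web server: forwarded
    ("192.168.1.1", "udp", 67),      # DHCP to gateway: allowed
    ("192.168.1.1", "tcp", 443),     # management UI on gateway: dropped
    ("192.168.1.1", "tcp", 22),      # SSH to gateway: dropped
    ("192.168.1.50", "tcp", 445),    # SMB to a LAN PC: dropped
    ("192.168.1.77", "tcp", 80),     # another guest client: dropped
    ("10.0.5.9", "tcp", 80),         # other private range: dropped
    ("172.31.255.1", "tcp", 80),     # top of 172.16.0.0/12: dropped
    ("172.32.0.1", "tcp", 80),       # just outside it: public, forwarded
]


def evaluate_flows(flows=SAMPLE_FLOWS, exceptions=()):
    """Apply guest_policy to each flow; returns a list of (flow, verdict, reason)."""
    return [(f, *guest_policy(*f, exceptions=exceptions)) for f in flows]


def count_verdicts(flows=SAMPLE_FLOWS, exceptions=()):
    """Summarise how many flows are allowed vs dropped."""
    results = evaluate_flows(flows, exceptions)
    allowed = sum(1 for _, v, _ in results if v == "allow")
    return {"allow": allowed, "drop": len(results) - allowed}


if __name__ == "__main__":
    for flow, verdict, reason in evaluate_flows():
        print(f"{flow[0]:>15} {flow[1]}/{flow[2]:<5} -> {verdict:5} ({reason})")
    # Showing the exception mechanism: permit an internal resolver only.
    print(guest_policy("192.168.1.10", "udp", 53,
                       exceptions=[("192.168.1.10", "udp", 53)]))
```

Note what the model makes visible: the gateway check runs before the subnet check, so the gateway's own management ports are denied even though its address is reachable for DHCP and DNS, and a guest in 192.168.1.0/24 is cut off from its neighbours by the same rule that blocks the rest of the LAN, which is why the post says client isolation works on a single subnet without VLANs.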
 
Thanks a lot! This seems to explain it! I was worried about the admin interface being enabled to guests, but it seems that it filters that one as well.

How is your experience with Ubiquiti APs? We are considering using 4 Ubiquiti ACs vs 2 Ruckus N. I've only heard 100% positive things about the Ruckus but they are really expensive and they also need a manager running 24/7.
 

I really like the Ubiquiti APs. They are rock solid as far as performance goes. The one in my house I got in November 2013 and have not had to reboot it yet. No hanging or performance problems at all. Now, just like all of Ubiquiti's products, the interface is not the most polished, lol. It gets the job done for sure but it is a software program you have to load onto a PC and run to configure the APs. It is controller software but it does not have to be left on all the time unless you want to use a captive portal for guests (like where they have to accept terms and conditions and such before they get access). If you get Ubiquiti APs make sure to update the software first as the newer software has better wizards (just like the EdgeRouter). I think the performance is in line with Ruckus and Cisco for a much better price.
 
I'm trying to achieve the same thing with an EdgeRouter Lite. Let me know how you go about segregating the two with VLANs.

I have little experience with Ruckus, but I know that simply selecting client isolation may or may not work; it depends on your larger network. VLAN tagging is the way to properly do this, as whitelisting the router and access points kind of defeats the purpose.
 

I've seen it generally not work with routers in AP mode. I'll grant my experience is with consumer routers in AP mode, not dedicated consumer APs, let alone SMB or enterprise APs.

Routers in client isolation mode work fine, just in AP mode not so much.
 
I did many tests on the Ubiquiti APs' guest isolation and found it to be very secure and solid. I see where it could become a pain if you want a guest captive portal and such. Setting up the isolation using VLANs is also easy if you understand VLANs and already have the equipment to do it. The Ubiquiti APs can use up to 4 VLANs (and SSIDs).
 