VLAN for guest wifi

[KenZ71]

So, now that I got my stand alone Edgerouter X running I am wondering what is the most efficient way to put my guest & kids wifi on a vlan for isolation & security.

I could continue running dd-wrt on my two wndr3700s which has worked well. Or would I be better with another approach? Ubiquity WiFi would be great but that's out of the budget for a few months.

 

[kvic]

Practically I would configure your ER-X with two LANs. Attach one wndr3700s to each LAN. Simple firewall rules in ruleset WAN_in can isolate your guest and kids lan from the other but access to Internet. A few more firewall rules can selectively allow them to access some resource on ur main lan. Simple, efficient and getting the job done well. And re-use.

In my dreams, I would dump all consumer router and AP's that are rubber stamped out of SoC's reference design. The more I learned about them the uglier they appear under the hood. Hate to break the news..Asus included. Go for something with better minds behind will reward in subtle way. Plus VLAN. Looks like a fun project as hobby.

 

[sfx2000]

Many enterprise oriented AP's will map SSID's to VLAN's, which is what the general ask is - whether it is a guest VLAN or perhaps one for Work and one for Home usage - or VOIP services that need different QoS treatment.

The UniFI's can do this, and there are items like the Engenius AP's as well - and a total hidden secret apparently is that Airports can also do this (secondary SSID is mapped out to a dedicated VLAN, and one can apply whatever policy there they want).

OpenWRT/DDWRT has some flexibility here - check and see what is available for the old Router/AP in AP/Bridge mode...

Just keep in mind, with VLAN tags, I always try to keep them above 100, as many vendors will use those lower numbers for internal purposes..

 

[KenZ71]

Edit, nevermind. Was responding to kvic.

Really no need for guests to be on the same vlan so I will just have two - one on each AP.

 

[sfx2000]

Edit, nevermind. Was responding to kvic.

Really no need for guests to be on the same vlan so I will just have two - one on each AP.

Not a good idea if you are considering some level of roaming between AP's, as each VLAN would present a different distribution system behind the SSID - so the clients would stick to the old SSID, and until it's lost, and then perhaps rejoin to the other SSID..

AP's that support VLAN binding - e.g. SSID1 to VLAN(1), and SSID2 to VLAN(2) - you can then spread it from 2 to many, and this is what we do in enterprise networks...

So consider this first - adding VLAN's adds complexity to your network - powerful they are without a doubt, but make sure you're addressing a "need" vs. a "want"...