2 things: wired port access and guest WiFi on AP

bumpengrinder

Regular Contributor
Hello

I have recently installed a wireless repeater in AP mode (via a powerline network connection back to my router) in a spare bedroom to boost signal in the house. WiFi signal is great... but now I have two problems I did not think of before!

1 - Wireless clients on the AP have full access to my home network. The AP does not have guest mode with option to prevent intranet connection like I have set up on my nice Merlin router.

2 - Guests can unplug the AP and attach their own computer to the Ethernet socket and so presumably gain access to my home network. Can I restrict access on the wired port to the AP only?

Question is, can I resolve these issues with the hardware I have (listed below)? If not, I would welcome suggestions for new hardware that can do it. To provide guest WiFi I suppose I could treat myself to an RT-AC86U and demote the N66U to be an AP and use its guest WiFi capability. I have no idea about the wired port issue though.

I would be very grateful for any tips.


RT-N66U running Merlin >
Netgear GS108E switch >
Zyxel PKA5205 homeplug >
Zyxel PKA5205 homeplug >
WAVLINK 1200mps dual band wifi range extender
 
> 2 - Can I restrict access on the wired port to the AP only?

No, not unless the powerline adapter has some sort of MAC address black/white list (even then you would have to put the AP into router mode). Check its manual.

> To provide guest WiFi I suppose I could treat myself to an RT-AC86U and demote the N66U to be an AP and use its guest WiFi capability.

You would have the same problem. If you configure the N66U as an AP then clients connected to its guest SSIDs can no longer be stopped from accessing the LAN.
 
If the Netgear switch listed above is a "Smart Switch" you could set up VLANs on it so that devices connected to different VLANs would be isolated from each other. This should work.

Router-----------SmartSwitch(VLAN101)---------Powerline---------------Powerline-------AP


Double NATing would also work, but the guest NET would have to be on the Internet facing router and unprotected LAN ports on Router 2 would be exposed if someone plugged into them.
 
> No, not unless the powerline adapter has some sort of MAC address black/white list (even then you would have to put the AP into router mode). Check its manual.
>
> You would have the same problem. If you configure the N66U as an AP then clients connected to its guest SSIDs can no longer be stopped from accessing the LAN.

Oh dear, thanks for replying. I am surprised this isn't doable as I imagine I'm not the only one in this scenario.
 
> If the Netgear switch listed above is a "Smart Switch" you could set up VLANs on it so that devices connected to different VLANs would be isolated from each other. This should work.
>
> Router-----------SmartSwitch(VLAN101)---------Powerline---------------Powerline-------AP
>
> Double NATing would also work, but the guest NET would have to be on the Internet facing router and unprotected LAN ports on Router 2 would be exposed if someone plugged into them.


Ooh, yes, thank you, the GS108E does do VLAN apparently. It was same price as a GS308 at the time so thought "might as well", very glad I did now! I'll see if I can fathom it out, thanks.
 
> Oh dear, thanks for replying. I am surprised this isn't doable as I imagine I'm not the only one in this scenario.

It's a question that has been asked many times in these forums. It's doable, but not with the equipment you have.

> If the Netgear switch listed above is a "Smart Switch" you could set up VLANs on it so that devices connected to different VLANs would be isolated from each other.
>
> Ooh, yes, thank you, the GS108E does do VLAN apparently. It was same price as a GS308 at the time so thought "might as well", very glad I did now! I'll see if I can fathom it out, thanks.

The problem with this idea is that while the GS108E supports VLANs none of the other devices do. So this scenario is only a partial solution. You still can't create guest and non-guest connections on the AP, they have to be one or the other. Assuming it's going to be "guest only", then you'd have to move any wired connections currently plugged into the router to the Netgear. Even now you still wouldn't be able to block access to the non-guest wireless devices connected directly to the router.
 
If you need both guest and non guest at the location where the AP is installed then yes you might need one additional smart switch. With two smart switches you could run an 802.1Q VLAN.

Probably a simpler solution is to flash your N66 with Tomato firmware. Using Tomato you can set up VLANs by port and also virtual APs that assign VLAN affiliation based on SSID. It works very well; in experimenting on my old N66 I had three VLANs and eight SSIDs, two SSIDs for normal traffic and six for "guest/IoT", and the ports and SSIDs were spread over four subnets.
 
> It's a question that has been asked many times in these forums. It's doable, but not with the equipment you have.

I am happy to consider buying some new gear, just not quite sure what I need. For example the Netgear WAC-505 AP seems to be able to assign SSIDs to different VLAN, but not quite sure if that is what I need.
 
> If you need both guest and non guest at the location where the AP is installed then yes you might need one additional smart switch. With two smart switches you could run an 802.1Q VLAN.

I still don't see how this helps when the AP in question doesn't have guest/non-guest capability or VLAN support.
 
> I still don't see how this helps when the AP in question doesn't have guest/non-guest capability or VLAN support.

You are right. Without getting some Rube Goldberg setup, accomplishing what the OP wants is going to be difficult without more hardware or equipment.
 
1. Program a smart switch with two or more 802.1Q based VLANs.
2. Purchase another smart switch for the other end of the powerline link and program 802.1Q VLANs. One or more ports on the second switch would be used for the primary network and the rest of the ports would belong to the "guest VLAN". If security is important, lock the second switch up in a box so that access to ports is blocked and someone can't rearrange the cables. Crazy Glue is also an option.
3. On switch 2 plug the trunk cable into port 1. Then depending on how many ports you need at switch 2, some of the ports would be members of VLAN1 and the rest would be members of VLAN2 guest.
4. Buy a second AP or repurpose a router.
5. The WAVLINK extender being currently used as an AP would be used for the secure network and the new AP plugged into a guest port on the switch would be for guest access.

If you decide to go this route purchase another Netgear switch, for while 802.1Q is an industry standard trying to follow different sets of instructions from two vendors to make it work will lead to lots of frustration.

Even with equipment from the same vendor setting up 802.1Q VLANs was tricky, confusing to me so it may take some time to get it working. Google and YouTube will be your friend.

If you think you can get by using Tomato then go for it. VLANs and Virtual APs can be set up using the GUI but again plan to use Google to find all the steps.
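
The two-switch layout from the numbered steps above, as an added example that is not part of the original posts: a small Python model of port-based 802.1Q membership that checks which ports a device on a given port can reach, compared against a flat network. The VLAN IDs, port numbers and the guest uplink on switch 1 are assumptions for illustration.

```python
# Added example: port-based 802.1Q membership on two smart switches joined by a trunk.
PRIMARY, GUEST = 1, 2                # VLAN IDs (assumed)
TRUNK = (("sw1", 1), ("sw2", 1))     # powerline link between port 1 of each switch

# (switch, port) -> (PVID given to untagged ingress, VLANs the port is a member of)
# Port numbers and the guest uplink on sw1 are assumptions for illustration.
VLAN_PORTS = {
    ("sw1", 1): (PRIMARY, {PRIMARY, GUEST}),   # trunk, carries both VLANs tagged
    ("sw1", 2): (PRIMARY, {PRIMARY}),          # home LAN side
    ("sw1", 3): (GUEST, {GUEST}),              # guest uplink (assumed)
    ("sw2", 1): (PRIMARY, {PRIMARY, GUEST}),   # trunk
    ("sw2", 2): (PRIMARY, {PRIMARY}),          # existing AP, trusted network
    ("sw2", 3): (GUEST, {GUEST}),              # second AP, guest network
}
# Baseline: flat network, every port in one VLAN.
FLAT_PORTS = {port: (PRIMARY, {PRIMARY}) for port in VLAN_PORTS}

def reachable(src, ports):
    """Access ports that a frame entering `src` untagged can egress from."""
    vlan = ports[src][0]
    switches = {src[0]}
    # The frame crosses the link only if both trunk ports are members of its VLAN.
    if all(vlan in ports[end][1] for end in TRUNK):
        switches |= {end[0] for end in TRUNK}
    return {p for p, (_, members) in ports.items()
            if p[0] in switches and vlan in members and p != src and p not in TRUNK}

def ports_granting(vlan, switch, ports):
    """Ports on `switch` where anything plugged in lands in `vlan`."""
    return sorted(p[1] for p, (pvid, _) in ports.items()
                  if p[0] == switch and pvid == vlan and p not in TRUNK)

if __name__ == "__main__":
    guest_ap = ("sw2", 3)
    print("flat :", sorted(reachable(guest_ap, FLAT_PORTS)))
    print("vlans:", sorted(reachable(guest_ap, VLAN_PORTS)))
    print("sw2 ports to keep physically secured:",
          ports_granting(PRIMARY, "sw2", VLAN_PORTS))
```

The last line lists the far-end ports whose PVID is the primary VLAN, which are the ports the advice about locking the second switch away applies to.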
 
Many thanks for your advice, the detail is very much appreciated. Looking forward to the challenge now.
 
It's done very easily with other vendors.
E.g. AVM mesh modem routers like the 7590: they support guest WiFi on mesh nodes too, and you can define LAN port 4 as guest LAN with the same rules as guest WiFi.
But on this you won't be able to run your own scripts.
 
