adding guest wifi to an existing network

dudemus

we want to offer wifi for our customers but really would like to isolate them on their own, new ip range instead of our crowded business network. we actually have two different areas we want to add the customer wifi in. what is the simplest cheapest solution?
 
Would be useful to provide a bit more information, as to what gear is already in place, what kind of connectivity, etc.... reason for this is there are many answers, and depending on what is installed, some solutions are much better than others.
 
Depends too on the nature of the company's data - how sensitive, etc. Health Care? Law? Financial? Each industry has their mandates. If there is ANY chance of risk by trusting a dual-SSID WiFi, then just put WiFi in the conference room(s) and guest office, wire to a cheap DSL modem service, and keep your company's risk near 0. And improve your job security.

It's also not about real compromises, but the media/press can do great damage by publishing half-truths about how they compromised your network from the parking lot.
 
thanks for the replies.

we are an auto dealership. we have two waiting areas, one serving sales and service and the other serving our quicklane department which is separated by a large parking area. we really want to add guest wifi to both of those areas.

we do have two dlink managed 24 port switches and at this time one engenius wap. i am thinking of adding a vlan to one of those switches and then creating the guest wifi on the vlan to keep it separated from our employee network which does have some sensitive data on it. the new wap i am looking at does support multiple SSIDs.

since the router we now have only serves the lan, will that new wap that i am adding for the vlan need to have router capabilities as well?
 
If the switches connect to your main router, then a properly configured VLAN will keep the traffic separate and allow Internet access. So, no, the AP doesn't need to be a wireless router.
 
agree - you can use a VLAN in all switches to get the guest APs to the edge router. Then that router must be configured to route guests ONLY to/from the Internet.

Also be certain that the APs can prevent inter-user IP and TCP data flows even though they're in the same subnet. This prevents user A's folder shares and other services from being accessed by user B.

Me, I would not use the above because someone may accidentally disable the VLAN or fixed route and you wouldn't know. I'd use a separate WAN source.

Also, if some customer does something untoward on the Internet - your company's IP address would be faulted by the authorities and there'd be some serious explaining to do!
 
steve raises some very good points...

Can it be done - absolutely
Can it be done safely and securely - absolutely

This is one of those things where sitting down with the IT group and legal is a very good idea. Just having "GuestNet" out there in the open is less than optimal. From the description, it sounds like this might be an auto dealership... you might not want open guest wifi in the sales dept, as the sales guys might not appreciate customers having internet access during the deal - on the other hand, the service dept, being post sales, might like it as it builds customer goodwill, and is one way to keep customers returning...

My local Toyota shop has a guest network in the service dept, but even then, they've implemented a captive portal with terms and conditions that the user must agree to, and the password to the portal is printed on the service ticket. They also have some fairly restrictive firewall rules in place for inbound and outbound traffic on the guest network...

My recommendation would be to source this to a local consultant that has experience in this area, as the options are pretty varied. The money spent there will be offset against possible lawsuits and loss of customer goodwill if things go bad...
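
Added example, not part of any post in this thread: the replies above ask that guests be routed only to and from the Internet and warn that a VLAN or route could be changed by accident without anyone noticing. One way to notice is a scheduled check run from a machine plugged into the guest VLAN. The subnets, probe targets and function names below are assumptions made for illustration.

```python
import ipaddress
import socket
import sys

# Assumed addressing (not from the thread): business LAN and guest VLAN.
BUSINESS_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed probe list: (label, host, TCP port). Pick internal services
# that are known to be listening, so a successful connect is meaningful.
PROBES = [
    ("business file server (SMB)", "192.168.1.10", 445),
    ("business router admin page", "192.168.1.1", 443),
    ("another guest client (SMB)", "192.168.50.23", 445),
    ("Internet web site", "example.com", 443),
]

def tcp_reachable(host, port, timeout=2.0):
    """True only if a TCP connection is actually established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def expected_reachable(host):
    """Guest policy: Internet only, no business LAN, no other guests."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname is treated as an Internet destination
    return not (addr in BUSINESS_NET or addr in GUEST_NET)

def audit(probes, reach=tcp_reachable):
    """Return a list of (kind, label, host, port) for every policy mismatch."""
    findings = []
    for label, host, port in probes:
        actual = reach(host, port)
        if actual != expected_reachable(host):
            kind = "ISOLATION BROKEN" if actual else "NO INTERNET"
            findings.append((kind, label, host, port))
    return findings

if __name__ == "__main__":
    results = audit(PROBES)
    for kind, label, host, port in results:
        print(f"{kind}: {label} at {host}:{port}")
    sys.exit(1 if results else 0)  # non-zero exit lets cron or a monitor alert
```

A refused or timed-out connection counts as isolated, so the check only proves a failure when a connect succeeds; it does not replace reviewing the switch and router configuration.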
 
