Building a guest-wifi network

ddaenen1

Very Senior Member
So, I have been busy building my home network since I first joined this forum. Everything is up and running and I must say so, very stable. Now I do realise though that I do not want the many friends and visitors we have at our house to get to any of the network equipment and potentially mess something up by accident.

Solution: time for a separate guest-wifi!

I am looking for insights and suggestions on what the best and easiest approach is. As you can see below, my network consists of 3 different Wi-Fi access points. 2 of them, the Asus and the Netgear, support Wi-Fi guest networks, so it could be as easy as replacing the Linksys EA6400 with another R7000 and configuring all 3 with the same guest SSID and PW and we are done with it, but is this really the best solution for my network setup?

Screenshot 2019-09-01 at 11.49.04.png
 
When the Asus is in AP mode the "guest" SSIDs are just additional SSIDs. There is no isolation of guest users from the rest of the LAN.
 
When the Asus is in AP mode the "guest" SSIDs are just additional SSIDs. There is no isolation of guest users from the rest of the LAN.

Very good tip. I have been doing some testing and also noticed that when I activate the guest network on the R7000 in access point mode, the feature to disable guests' access to my network is greyed out, so this might also be a roadblock.
 
Why not set up 2 SSIDs. One being guest and one not. Set up the same SSIDs, passwords and security on all wireless APs. This way you will have some form of roaming. The next step is to fine tune placement for best roaming.
 
and I must say so, very stable.
Now you've done it. *Never* say your network is working great, the gremlins are listening. LOL

Depending on physical layout and location and coverage requirements, a single 2.4 GHz guest SSID may be the easiest solution. (But ultimately only you can decide if something more complex is worth the effort or money on infrastructure.)
 
Why not set up 2 SSIDs. One being guest and one not. Set up the same SSIDs, passwords and security on all wireless APs. This way you will have some form of roaming. The next step is to fine tune placement for best roaming.

I have this done for my main Wi-Fi network. All 3 APs have the same SSID and PW and that works perfect. I can set up another SSID and PW for the Asus and the R7000 but that will not restrict the users connected to this SSID from accessing my network equipment. Most of it is UID/PW protected but some of them, like my PV inverter, are not and cannot be configured as such. In essence, I want a separate Wi-Fi network for guests that prevents access to any other network resources except for internet access. I have no issue spending some money on that once I know what the most favorable solution is. I know I could exchange all APs with manageable access points like the Ubiquiti UniFi AC-PRO but that brings another issue, as I am currently using the switch ports of the R7000 and the EA6400 to connect some local equipment, such as my 2 smart TVs, which is a feature that managed APs generally don't support.

Are there any wifi-routers that do support guest networks with access restriction configuration in AP-mode?
 
Are there any wifi-routers that do support guest networks with access restriction configuration in AP-mode?
I did stumble into "something". Ruckus wired APs. I wired them to my main router. I set the router and APs to have two SSIDs; "Business" and "Guest". My main router is an Asus so I set guest for no access to intranet. On the Ruckuses there's a button that says "configure guest". If you click that button the Ruckus configures a bunch of rules to isolate your guests from your private network, servers, PCs and printers. It actually worked.
 
Are there any wifi-routers that do support guest networks with access restriction configuration in AP-mode?

The way to handle this is with separate network VLANs. This part is networking not wireless. I do this using a Cisco small business SG300-28 switch and Cisco small business wireless WAP371 APs. But you could use any APs as the network restrictions are done in the network not the wireless APs.
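
A sketch of what "restrictions done in the network" can look like on a Linux-based router, added here as an example and not taken from any poster's setup. The interface names, VLAN IDs, subnets and printer address are assumptions, and NAT and WAN-side rules are left out.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every name and address below is an assumption,
# not a value from the thread.
define WAN      = "eth0"
define LAN_IF   = "eth1.10"        # trusted VLAN 10
define GUEST_IF = "eth1.20"        # guest VLAN 20, carried by the guest SSID
define PRINTER  = 192.168.10.50    # the one LAN host guests may reach

table inet guest_isolation {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN_IF accept
        # Guests get DHCP and DNS from the router and nothing else,
        # so its management interface stays unreachable from VLAN 20.
        iifname $GUEST_IF udp dport { 53, 67 } accept
        iifname $GUEST_IF tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Trusted LAN may go anywhere.
        iifname $LAN_IF accept
        # Shared printer: IPP and raw port 9100 only.
        iifname $GUEST_IF ip daddr $PRINTER tcp dport { 631, 9100 } accept
        # Guests may reach the internet. Anything else from VLAN 20,
        # including the trusted VLAN, falls through to policy drop.
        iifname $GUEST_IF oifname $WAN accept
    }
}
```

This only isolates guests if the switch ports and APs keep guest traffic tagged on its own VLAN all the way to the router; an AP that bridges the guest SSID onto the trusted VLAN bypasses these rules entirely.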
 
But you could use any APs as the network restrictions are done in the network not the wireless APs.
This assumes that each physical access point device is only used for either a guest network or a non-guest network. To use an access point that can provide both guest and non-guest SSIDs it would also have to support separate VLANs, something his existing devices do not do.
 
Good point. But this is the way I build networks. If you want to share printers with guest users or anything else you need to build the network my way.

And he asked for another way to do it. I do use Cisco small business APs WAP371, which do support VLANs. I am sure there are lots of other ones out there. I don't keep up.
 
The way to handle this is with separate network VLANs. This part is networking not wireless. I do this using a Cisco small business SG300-28 switch and Cisco small business wireless WAP371 APs. But you could use any APs as the network restrictions are done in the network not the wireless APs.

The possibility with VLANs is one that I read about and I know my Netgear GS724Tv3 managed switch supports this, but I wanted to explore all possible options because a) VLANs are unknown territory for me and b) as ColinTaylor indicated, my APs don't support this, and whilst I wouldn't have a problem buying APs that support VLANs, the issue with the TV connectivity would remain as I haven't seen many APs that also have an embedded switch and at the same time are fairly priced. Of course adding a separate small unmanaged switch before each AP would eliminate that issue but it would add complexity to the network, or not?
 
Now I do realise though that I do not want the many friends and visitors we have at our house to get to any of the network equipment and potentially mess something up by accident.
Let's go back to simple. How 'bout just supporting "guest" on your main router only? True, your guests won't have "everywhere" access but, hey, they're guests, might it not be good enough? (If/when anywhere access is that important to a guest let them foot the bill with a hot spot on their phone.)

Otherwise you're footing the bill. So maybe footing the bill for enabling "guest" on just one access point will be enough (rather than all access points)?

With that in mind I looked a little more at the Ruckus access points. They come with one, two and more Ethernet ports. I saw a brand new R310 advertised for $191. While it came with only one Ethernet port you could "front end" it with a $25 switch. No VLANs. You just configure the Ruckus (e.g., one SSID for you and a 2nd SSID for guest) and it will auto-magically respect your privates.
 
It looks like the Cisco WAP581 wireless AP does support guest on the wireless. I don't use it as I need guests to be able to print and I use networking for my guest network to lock out access to the rest of the network. Look at step 15 which is optional but it sets up a guest. Plus under monitoring it tracks your guests. I have included the second link for looking at what it looks like under monitoring. Click the guest menu.

https://www.cisco.com/c/en/us/suppo...e-setup-wizard-wap125-wap581-web-utility.html

https://www.cisco.com/assets/sol/sb/WAP581_Emulators/WAP581_Emulator_v1-0-1-3/main.htm
 
I like simple :) but unfortunately his main router doesn't have WiFi (RB3011UiAS-RM).
Well a really big D-uh to me. I looked quick and it looked like four (4) access points home runned to a Netgear router. The Netgear is actually a switch that brings everything to the MikroTik router as you mention.

Still ... replace just one access point with a Ruckus and he's got some protected guest access that he can expand at a later time if "really" needed.
 
Still ... replace just one access point with a Ruckus and he's got some protected guest access that he can expand at a later time if "really" needed.

This seems shortsighted to me, as soon as the guest walks out of range there is no roaming and the call drops or the data stops. Are you going to say to your guest he needs to stay in his bedroom to access the internet or do Wi-Fi calling?
 
It looks like the Cisco WAP581 wireless AP does support guest on the wireless. I don't use it as I need guests to be able to print and I use networking for my guest network to lock out access to the rest of the network. Look at step 15 which is optional but it sets up a guest. Plus under monitoring it tracks your guests. I have included the second link for looking at what it looks like under monitoring. Click the guest menu.
Nice catch! Still, it requires the use of VLANs (the Ruckus does not), although, the OP might prefer that? The doc says it creates a "portal" although, later on it says the portal is optional. In either case the portal might be fun as it might say, "Internet access bought and paid for by your friend ddaenen1, buy him a beer someday!"
 
Nice catch! Still, it requires the use of VLANs (the Ruckus does not), although, the OP might prefer that? The doc says it creates a "portal" although, later on it says the portal is optional. In either case the portal might be fun as it might say, "Internet access bought and paid for by your friend ddaenen1, buy him a beer someday!"

Cisco does support extensive captive portal ways for small businesses to present a web page or screen to provide what info needs to be presented.
 
This seems shortsighted to me, as soon as the guest walks out of range there is no roaming and the call drops or the data stops. Are you going to say to your guest he needs to stay in his bedroom to access the internet or do Wi-Fi calling?
Yes. He's looking at replacing four (4) APs. Do one. Put it in the most advantageous location. Add as needed. They are guests not paying customers. Yes, I'm cheap <lol>

Edit: 3 APs
 
I am trying to figure out how well does Ruckus roam with Wi-Fi calling? Do you know Kueless?
 