Building a guest-wifi network

[ColinTaylor]

It runs the guest users using captive portal. If you look at the guest user in the display listed there is no VLAN shown so I think VLAN is not required and you have no network access other than internet if you do it this way.

Captive portal is very flexible. It can use RADIUS, Active Directory, web pages, and probably more.

Yes I read that quite carefully as well as all the other "guest setup" pages. As far as I can see the guest setup is just about user management and authentication and not about LAN isolation. If you look at the other post I linked to you can see that he has associated his guest SSID with its own VLAN which is then isolated from the LAN by the upstream router.

 

[coxhaus]

Sorry we crossed posts. I added to my old post.

The user is granted port 80 access only. This gives the user no network access. VLAN does not matter.

 

[ColinTaylor]

The user is granted port 80 access only. This gives the user no network access. VLAN does not matter.

You may well be correct, although it's not entirely clear to me that is what it's saying. Even if it was restricting guest access to HTTP and/or HTTPS I can't see how that would block access to say, a web server on the LAN. It would be nice to have it explicitly stated by Cisco one way or the other.

 

[coxhaus]

My guess is IP address is limited also probably only to the default gateway. No way Cisco is going to leave your network exposed. No this would other networks exposed. So they are doing it some how.

 

[ddaenen1]

Well, it took some time and lots of reading but eventually, i do not see any way to get this done in a manageable and flexible way without replacing all my current AP's with configurable AP's such as the Cisco WAP371 if i want to maintain the speed levels that my current Wifi network is at. What is a challenge with this though is that 2 of my 3 AP's are a Netgear R7000 and an R7500 which have great throughput and range, even when they are hidden in a wooden cabinet or behind the TV and it has been made very clear to me that mounting an AP in plain sight in the house is not an option so i am a bit concerned about the range the WAP's would have if they are stowed away in a cabinet so for now, this means i could only replace one AP with a WAP which wouldn't give me what i want so i decided to leave this one alone and do some more research.

 

[unspecified]

I came across this thread trying to figure out the easiest way to add a guest network to my existing ASUS AImesh setup. Unfortunately guest networks don't work when the asus routers are configured for mesh.

I was going to buy the ruckus AP and download the standalone unleashed firmware but I didn't want to spend that kind of money just to add a guest network to my house.

Instead I found the Engenius EAP series can run in standalone and has a guest network option. The EAP1250 being the cheapest, but I was able to buy the EAP1300EXT open box for $65 at microcenter.

The guest network works very well and only allows it to connect to the internet. It has it's own DHCP and assigns it's own addresses into a specified subnet you can assign. I tried my best but could not connect to my NAS or other computers on my LAN through the guest network, which is exactly what I want. So far the auto channel selection is playing nicely with my asus aimesh network. No interference, drop outs, slow downs or problems in the last several weeks it's been running. I'm only using 2.4ghz with the guest network.

The only limitation with engenius EAP in standalone mode is that there's no traffic shaping. This is only accomplished when managed from their server software, which can do traffic shaping. So this means that's there's no way to implement Quality of service or bandwidth limitations on the guest network.

 

[coxhaus]

I came across this thread trying to figure out the easiest way to add a guest network to my existing ASUS AImesh setup. Unfortunately guest networks don't work when the asus routers are configured for mesh.

I was going to buy the ruckus AP and download the standalone unleashed firmware but I didn't want to spend that kind of money just to add a guest network to my house.

Instead I found the Engenius EAP series can run in standalone and has a guest network option. The EAP1250 being the cheapest, but I was able to buy the EAP1300EXT open box for $65 at microcenter.

The guest network works very well and only allows it to connect to the internet. It has it's own DHCP and assigns it's own addresses into a specified subnet you can assign. I tried my best but could not connect to my NAS or other computers on my LAN through the guest network, which is exactly what I want. So far the auto channel selection is playing nicely with my asus aimesh network. No interference, drop outs, slow downs or problems in the last several weeks it's been running. I'm only using 2.4ghz with the guest network.

The only limitation with engenius EAP in standalone mode is that there's no traffic shaping. This is only accomplished when managed from their server software, which can do traffic shaping. So this means that's there's no way to implement Quality of service or bandwidth limitations on the guest network.

I think you could run any old wireless router as a guest router. The problem comes in when you need more than 1 AP in a large house.

The Cisco wireless WAP371 APs went end of sale this month so you want to buy another model. They still have a few more years of support. The wap371 will get real cheap soon. I still think it is a good unit for 5GHz.

 

[unspecified]

I think you could run any old wireless router as a guest router. The problem comes in when you need more than 1 AP in a large house.

I tried that with an old router I had laying around but it didn't offer isolation. I was still able to connect to my LAN, even though it said it was set up as a guest network option. Apparently some consumer routers only allow a proper guest network when it's directly connected to the modem.

 

[ddaenen1]

I think you could run any old wireless router as a guest router. The problem comes in when you need more than 1 AP in a large house.

The Cisco wireless WAP371 APs went end of sale this month so you want to buy another model. They still have a few more years of support. The wap371 will get real cheap soon. I still think it is a good unit for 5GHz.

I have looked at this for a long time. I believe the WAP371 was a good solution when i was still on 200Mbps internet. Now that i switched to 1Gbps however, i would want to get the max out of it even in wireless. I am getting roughly 400-500Mbps with my current AP's, an R7000, R7500 and an Asus RT-AC88u, the latter being the fastest of all 3. I have not seen any business-grade AP's that match these kind of speeds so far, at least for a decent price so it will be a waiting game until i bump into a solution that will provide the functionality i want with the speed i want.

 

[coxhaus]

I doubt you are going to get 1 gig on any wireless device including consumer gear. With that being said wireless is a shared media. I don't want any 1 device to max out the wireless.

 

[unspecified]

I have looked at this for a long time. I believe the WAP371 was a good solution when i was still on 200Mbps internet. Now that i switched to 1Gbps however, i would want to get the max out of it even in wireless. I am getting roughly 400-500Mbps with my current AP's, an R7000, R7500 and an Asus RT-AC88u, the latter being the fastest of all 3. I have not seen any business-grade AP's that match these kind of speeds so far, at least for a decent price so it will be a waiting game until i bump into a solution that will provide the functionality i want with the speed i want.

Do you really need your guests to have that kind of speeds? Are your guests power users, is this installed in a small business?

I'm using my ASUS's bandwidth limit feature to limit the guest network to 50mbps for the entire access point, I also have gigabit internet, lol. But my guests only need to connect their smartphones and tablets. Occasionally a laptop for surfing the internet and playing games. 50mbps is plenty enough to share for them. I mainly set up the guest network so my son can give out the wifi password without hesitation.

 

[sfx2000]

Captive portal is very flexible. It can use RADIUS, Active Directory, web pages, and probably more.

Which makes it interesting - a captive portal is essentially a web server, and all the risks implied there...

 

[sfx2000]

Which makes it interesting - a captive portal is essentially a web server, and all the risks implied there...

And to that end - the Linksys/Cisco/Belkin/Foxconn whatever stuff that now comprises Linksys SmartWiFi - the guest network is an Open Wifi access - with a captive portal page that is also served by the same server inside the code that handles admin access for the Router/AP.

I raised this issue with them and the security concerns around it...

 

[Greg72]

Look at https://packetfence.org/
https://www.howtoforge.com/tutorial...with-captive-page-in-linux-using-coovachilli/
https://openwrt.org/docs/guide-user/services/captive-portal/wireless.hotspot.coova-chilli

You can use something like the Raspberry Pi as your MySQL, aling with running Free Radius and another to run as the PHP Server, with 64gb and 120gb SSD’s attached via USB and SSH into them through the USB. It is all about how much time, effort and money that you wish to invest into this. I would suggest looking into investing into Business Internet with a Static IP.

 

[ddaenen1]

I doubt you are going to get 1 gig on any wireless device including consumer gear. With that being said wireless is a shared media. I don't want any 1 device to max out the wireless.

I didn't actually think of that but you are correct. I might need to be able to add some QoS for guests

 

[ddaenen1]

Look at https://packetfence.org/
https://www.howtoforge.com/tutorial...with-captive-page-in-linux-using-coovachilli/
https://openwrt.org/docs/guide-user/services/captive-portal/wireless.hotspot.coova-chilli

You can use something like the Raspberry Pi as your MySQL, aling with running Free Radius and another to run as the PHP Server, with 64gb and 120gb SSD’s attached via USB and SSH into them through the USB. It is all about how much time, effort and money that you wish to invest into this. I would suggest looking into investing into Business Internet with a Static IP.

I am afraid this is a bit out of my league and maybe a bit too complicated for SOHO usage. On the other hand, I don't have a raspberry Pi but i do have a supermicro server running with an Intel Xeon L3426 and 16Gb RAM which is currently only running Ntopng and UPS shutdown manager so i guess i could run more stuff on that one. I have been looking into the Ruckus R710 and that seems to be the perfect solution for my issue but they are pretty pricy so i am looking at the Cisco WAP571 now.

 

[ddaenen1]

I have been looking into the Ruckus R710 and that seems to be the perfect solution for my issue but they are pretty pricy so i am looking at the Cisco WAP571 now.

A quick one: would the WAP371 enable me to do the same, just with a lower spec on wifi speed?

 

[coxhaus]

A quick one: would the WAP371 enable me to do the same, just with a lower spec on wifi speed?

The WAP371 has reached end of sale so they are only available used on eBay. When I ran my 3 WAP371 APs I only used 5GHz. You would now need to buy the Cisco WAP571 APs or the newer WAP581 APs. I moved my WAP371 to my daughter's house to replace the old Cisco WAP321 AP which are no longer supported.

 

[doczenith1]

Disclaimer: I'm a noob at guest networks. Although this is only applicable to your Asus router would YazFi be of any benefit?
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

 

[ddaenen1]

Disclaimer: I'm a noob at guest networks. Although this is only applicable to your Asus router would YazFi be of any benefit?
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

The Asus is functioning as an Access point as are the 2 Netgear routers so unfortunately, this is not applicable for my network.