Setting up Guest Network (Separate Subnet?)

[cobyatch]

Hello everyone,

I am setting up the wireless network for our business and am encountering a problem. I am planning on installing an ASUS RT-AC52U to replace our current router for it's Guest Network function. When I do this, I find that guests can still access our data server. What I want to do is have two separate networks; one for guests, and one for all our workstations, iPads, and data server.

This is a picture that pretty much shows our current setup, except that our modem and router are one system (ATT U-Verse Router):

Not shown are the 4 iPads connected to the router.

As I have it set up right now, I would put the ATT router into bridge mode such that it acts just as a modem, then use the ASUS router to split the network between the guests and workstations using the Guest Network feature.

Upon reading online, I found that I need to set up different subnets for each network, which requires two routers. How would I go about this with the ASUS RT-AC52U and ATT router?

Thanks again and let me know if you need more information.

-Coby

 

[cobyatch]

Here's a quick picture of how I was about to set it up. If possible, I want to disable the WiFi on the ATT router and utilize the ASUS router for both guest and business networks, but if not that's fine.

 

[Zirescu]

Not sure which firmware you're running on your RT-AC52U, but at least in the Merlin firmware, the Guest network has an option for Enabling/Disabling access to the Intranet (Access Intranet). This setting should be set to disabled so that the guests only get access to the Internet.

 

[cobyatch]

Not sure which firmware you're running on your RT-AC52U, but at least in the Merlin firmware, the Guest network has an option for Enabling/Disabling access to the Intranet (Access Intranet). This setting should be set to disabled so that the guests only get access to the Internet.

It is currently disabled, but I am still able to talk with the server. The server is on 192.168.0.x while the guests are on 192.168.1.x. Does it seem right that I am still able to access it, or will this require something more than just changing the IP?

 

[RMerlin]

Guest Network isolation is only possible if your entire LAN is behind the Asus. In this case, you don't have any LAN on the Asus, so there's nothing to isolate from. From the Asus's point of view, everything on the WAN side is the Internet, so Guest clients will get full access to your LAN that's actually in front of the Asus router.

To achieve your goals, you need to either move the entire LAN on the Asus's own LAN side, or put a router/firewall in front of the Asus that will isolate the two subnets. A switch with VLAN support might also get the job done (and would probably be more secure).

 

[coldwizard]

Here's a quick picture of how I was about to set it up. If possible, I want to disable the WiFi on the ATT router and utilize the ASUS router for both guest and business networks, but if not that's fine.

An Access Point gets its security from the port it is plugged into. That means that all wireless and wired ports on the Access Point have the same access to the local network and Internet. The Guest wireless in Access Point mode on the Asus is only there the enable you to quickly enable/disable a guest access to your network without giving them the main wireless password.


Now if the Asus is in Router mode, then the Guest wireless can be limited to be whole network or just Internet. With Merlin's version you can, with user scripts, make one or more wired ports on the Router be on a different vlan/IP network and thus control an Access Point plugged into that port to limit access to the Internet and whole, part, or none of the local network. But to stress the above, the plugged in Access Point is treated as one unit for security.

I know this does not help you because your ATT router is also the modem so you cannot just swap roles with the Asus.

 

[coldwizard]

I found a partial solution that may work for you.

It limits the guest Wireless connections on the Asus AP to just access the AP and router (so USB devices connected to the router still accessible).
From the wireless guests you cannot access any other wired devices on the local network.

See topic "Guest Network: Not restricting local network access"
http://forums.smallnetbuilder.com/showthread.php?t=22659