Separate guest wifi
- House with adjoining holiday let;
- Currently with dial-up access but new ADSL line now going in;
- Owners want wifi access for their two laptops in and around property in addition to wired access for one desktop;
- Wifi access to be provided for guest use in and around property but separated from accessing owner's private network;
In past days I have done similar by using IPCOP to separate the networks, each with their own wifi AP with different SSIDs, and have the IPCOP going out to a single router/modem. However, I'd rather stick with a single, small, appliance type solution if possible.
They need to buy a router/modem anyway for the new ADSL line so I was looking at the Netgear DGN2000 as it has the ability to set multiple SSIDs but I'm not sure if this then separates them into VLANs - if not, I can't see the point of multiple SSIDs unless you have devices that can't use higher security methods.
What would you do to achieve the required result?
I'd recommend grabbing a router that can run DD-WRT (Linksys WRT54 series ftw). In the past I've had my main SSID (WPA2) and then a second with WEP for my sister's DS, this was on a different VLAN and could only access the internet and had MAC filtering.
Take a look at this Multiple BSSIDs with DD-WRT - Interactive HowTo
Slightly different/less comprehensive from the official DD-WRT site VLAN Detached Networks each with Wireless and Internet - DD-WRT Wiki
It can probably be done with Tomato firmware as well although I wouldn't know where to start with that.
I've not had a good track record with Linksys equipment (probably just unlucky) but could be persuaded to look again. I would also prefer to go with a solution that had 802.11n and gigabit ports built in too.
I think you'll struggle to find a cheap gigabit ADSL all-in-one router.
My advice would be to echo the DD-WRT suggestion (recently done this myself) and if you need gigabit (why if there's only 1 hard wired PC?) put a switch in behind the router to provide this.
Linksys WRT320N Wireless-N Dual-band Gigabit Router - Ebuyer
That'll run DD-WRT, 802.11n and gigabit. You can use any old ADSL router as the modem... the DD-WRT router will deal with the connection, as in, the connection settings will go into the router rather than the modem.
OK, changing the plan slightly... The areas that guests and owners will need to pick up a WiFi signal are physically separate so I will probably need to put in a separate AP for guest access. How would this change opinions? Are there any modem/routers that are able to firewall off specific LAN ports?
One desktop PC but potentially network attached CCTV (in some guise) in the near-ish future. However, this will probably end up needing a separate switch anyway!
Originally Posted by kmount
Anything running DD-WRT understands what VLANs are. Just do it that way.
I was going to mention DD-WRT again but didn't want to sound like I was going on about it, haha. DD-WRT is the ultimate geek home networking toy. I'd hate to not have it.
Originally Posted by Geoff
Ok, Ok - you've sold me on Linksys and DD-WRT! How about this then:
ADSL -> old Netgear DG834G router (with WiFi disabled) -> WRT320N with DD-WRT (in main house for owners' WiFi and wired devices) -> WAP610N (or other similar/suitable AP in holiday let for guest access). Guest access on different SSID and using DD-WRT to route, on separate VLAN, directly to the internet bypassing owner's LAN.
How does that sound? Just another thought - if any IP cameras were plugged directly into the LAN ports of the DG834, would they be viewable internally on the owner's LAN?
Thanks for sticking with me on this one!
Your above plan looks sound. As for the IP cameras, put them on a separate VLAN and IP range and use the DG834G to set up a static route between that VLAN/IP range and the owners' VLAN/IP range. Keeps everything neat.
I just bought a Netgear DGN3300 router with 802.11N and it does prevent traffic from the "guest" networks (you can have two- one b/g and one n) from pinging or connecting to traffic on the wired or wireless restricted networks.
There are different DHCP servers for each SSID but I haven't actually tested if traffic is VLANed by the router or if it's the VLAN on the ProSafe switch that sits behind it that keeps them from accessing my wired equipment.
I'll test changing the subnets on a guest and trusted wireless laptop this evening and see if I can ping or connect in either direction to see if this is VLAN security or just using different subnets.
As far as I can tell though, the guest network heads straight out to the internet with no LAN access.
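The guest isolation discussed in this thread (guest SSID on its own VLAN, internet access only) written out as router firewall rules. This is an added example, not a configuration posted by anyone in the thread; the interface name `br1` and the chain names `GUEST_FWD` and `GUEST_IN` are assumptions, and the script only prints the rules unless it is called with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (by default) the iptables rules
# that confine a guest interface to internet-only access.
GUEST_IF="${GUEST_IF:-br1}"   # assumption: guest SSID/VLAN bridge on the router

# Interface names end up inside generated commands, so accept only safe names.
valid_if() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

guest_rules() {
    valid_if "$GUEST_IF" || { echo "bad interface name" >&2; return 1; }
    # Dedicated chains keep the rule order explicit and easy to audit.
    echo "iptables -N GUEST_FWD"
    echo "iptables -N GUEST_IN"
    # Forwarded traffic: no guest packet may go to a private or link-local
    # range. That covers the owners' LAN and any privately addressed device
    # on the modem-side segment.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        echo "iptables -A GUEST_FWD -d $net -j DROP"
    done
    echo "iptables -A GUEST_FWD -j RETURN"   # public destinations: normal rules
    # Traffic to the router itself: DHCP and DNS only, no admin interfaces.
    echo "iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT"
    echo "iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT"
    echo "iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A GUEST_IN -j DROP"
    # Hook in at the top so no earlier ACCEPT rule can pre-empt the policy.
    echo "iptables -I FORWARD -i $GUEST_IF -j GUEST_FWD"
    echo "iptables -I INPUT -i $GUEST_IF -j GUEST_IN"
}

# "apply" runs the rules (needs root on the router); anything else just prints.
if [ "${1:-}" = "apply" ]; then
    guest_rules | sh
else
    guest_rules
fi
```

Because the rules match on destination range and not on a particular subnet, a guest client that changes its own address still cannot reach private hosts, which is the case the subnet-swap test described above is meant to check.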
@pwds: Did you discover anything definitive?
I have set up DD-WRT on the WRT320N connected to the DG834G (in modem only mode). DD-WRT successfully passes on the login details and the DG834G connects. However, as PPPoE (which is what I have set up to pass login details) has a maximum MTU of 1492 and XP/7 use a default of 1500, I have run into issues whilst browsing some sites (usually larger domains or those using https). It had me stumped for ages! As soon as I changed the MTU in XP/7 everything worked smoothly.
Originally Posted by Geoff
I have the guest WiFi set up correctly and clients connected to that on their own dedicated VLAN etc, etc. as intended; however, they will also need to have the MTU settings changed, which is not an acceptable solution in this case. Therefore, is there another way of connecting the DG834G and DD-WRT that will enable me to have the DG834G connect on its own and then route everything to DD-WRT (thus avoiding the need to alter MTU values) which will then do the necessary in terms of VLANs, DHCP, etc for the connected LAN clients?
Use DHCP option 26 to inform your clients of the non-default MTU required to use your network.
Will get shot down in flames no doubt for this, but what about the Apple AirPort Extreme base station?
Apple - AirPort Extreme - Features - 802.11n Wi-Fi
Not sure how it does the wireless with ref to using a VLAN or what exactly, but you enable the guest account and it separates your main wifi network from the guest one.