[SOLVED] Looking to create guest wifi with access to *some* smart devices & no access to NAS

Jan 16, 2021
Hi network wizards! I'm wondering if I can get a hand with my wifi configuration for our new house. Some context:

  • ISP is Telus
  • router is an Actiontec 3200M (and Actiontec Web6000Q extender) - we also have multiple Telus "boosters" but none are currently in use.
  • Sinope thermostats (TH1123WF)
  • Western Digital MyCloud 4TB NAS
  • multiple computers, tablets, smart TV, amazon fire devices, playstation, etc also connected to the network
I'm trying to set up a guest wi-fi network for both house guests (post-pandemic anyway... remember house guests?), and more importantly, for our basement suite. We're also hoping to connect a subset of our smart thermostats to that guest network, so our tenants can control them. But - we want control of them too. Also, we have a network drive that we do NOT want them to have access to.

From a security perspective, I'm almost thinking it may be even better to create 3 distinct networks if possible - (1) for our computers/phones/tablets/NAS - (2) for our smart devices, segregating them from our other systems to prevent breaches of some kind - (3) for guest wifi and tenant smart devices.

Any tips/thoughts/etc?

Thanks in advance!
 
You'll need quite capable network infrastructure to achieve that goal, and that Actiontec won't cut it. There are other networking experts here to give their thoughts.

OTOH - my Nest thermostat does not need "direct" WiFi connection - I can control it from across the globe. Are you sure your thermostats can't be made Internet-accessible?

And last - basement and Wi-Fi don't mix well. Think about running Ethernet cable there, with an AP.
 

Thanks for the response - the signal strength doesn't seem to be much of a problem so far downstairs - that's where the T3200 is, and the Web6000Q extender is upstairs. Connection speeds seem fine both up and down so far - knock on wood.

I'm wondering, if I set up boosters from the router and a separate set of boosters from the extender, whether I'll be able to make them boost separate networks with their own passwords, or if they'll just be boosting the same network still.

I know if I have smart steering turned off at the router I'll have distinct 2.4 and 5 GHz networks, and I believe I can set each of their passwords separately. Then if I connect boosters I'll have at least one more network (from the boosters), plus there also seems to be a way to enable a guest network on Telus (though I may need the boosters connected to have the guest network option available - still TBD).

All of the above may let me create a network intended just for guests, the tenant, and smart devices in the tenant's space. If not, and more hardware is required, I'm guessing I should be able to create a wired connection from our modem to another wireless router, and have it broadcast its own wifi signal? Then use that as the guest/tenant network?

All of the above may not be the most elegant solution though, and the various networks may interfere with each other and need me to test different frequencies for each of them etc. I'd love input from someone more knowledgeable.

The last thing I'm still a little lost on is I'm not sure how to limit access to the network drive from that network. I might need to create user profiles on the drive and have my wife and I authenticate with a password to connect to it, but I'd rather not have the hassle of entering passwords. That makes it harder to view media on the drive from our TV and stuff. If possible, I'd like to just not make it available on one of our networks.
 
Update - I've managed to not only enable the guest wifi network on my T3200M, but also enable a smart device network. So I now have 3 networks. And that's with "smart steering" left on, so that's nice. However, there are a couple of things I can't quite figure out.

(1) It seems like the Web6000Q extender is only extending our main network - but not the guest network or the smart device network. At least it seems that way from looking at the Web6000Q UI. I can only see one SSID. Not the end of the world, as it seems the T3200 signal is strong enough that everything can connect to it, but it sure would be nice to have the Web6000Q extending all of these networks instead of just the main one.

(2) I still don't know how to restrict access to the NAS (which is connected via a LAN connection to the router itself - same with my Playstation) so it's only visible and accessible from our main network, but not the guest or smart device networks. From a preliminary test of connecting to the Guest network it seems the NAS is not visible, so perhaps this is an inherent feature in the guest network settings? I'm reluctant to rely on this without a little more information though. Is anyone familiar with this? Or do I need to play with some other settings to ensure access to the NAS is blocked?

Thanks for any help/input!!
 
Consumer routers only support the very simple function of guest on the main router. What it does is force all the traffic to go to the internet and prevents any local access. It can't do much else.

What you want is much more complex and you are going to need a much more advanced device. You need some form of firewall; you can use a PC with dual NICs but it will take lots of study since you do not even have the very basic knowledge or you would not be here asking.

So this solves only problem #1 of how you have 3 networks and they have restricted access. The much harder issue is how you use a wifi extender and still keep these networks straight. This I am unsure of, but if you had a cable between the router and the remote extender you would have to use equipment that supported VLANs to keep the stuff separate. The method used by wifi repeaters is actually a hack. They are being tricky and using an unused field called WDS to pass the MAC addresses. Wifi actually has the MAC as part of the encryption keys so technically only 1 device can pass over a wifi session. What you want to do is pass VLANs over this connection. Maybe someone has a way, maybe the VLAN tags will just work.

Finding something like this is going to be hard. Commercial equipment generally follows the standards to the letter so it would likely not even support WDS.
 

You think this is going to be a problem? It seems like I'm virtually all the way sorted out here.

I've managed to enable 3 networks through the router - (1) main, (2) guest, and (3) smart device. They all seem to have the required range, and network 1 is boosted via the range extender. That's half the battle for me. Also, I've confirmed that my NAS is not available when I'm connected to the guest network. My only remaining concern, and it's a relatively minor concern, is that the NAS is visible when I'm connected to network 3, which I intend to use for the smart devices.

Is there any way in my router settings to do either of the following:

  1. Make my NAS only reachable from a subset of white-listed devices?
  2. Make my NAS only available on a single SSID? (this would be much easier)

If neither 1 nor 2 above is possible, I can just password protect the NAS (not a great solution), or live with the fact that the drive is visible if someone gains access to our network via a smart device.
 
This is like taking masking tape and writing a different name on the antenna. All the networks are exactly the same. They all use exactly the same subnet, which is a much better description of a network. The only one that is different is the one that is using the guest feature in the main router. On that one the router forces the traffic to the internet. I guess it depends on who you are calling "guest". The guest network cannot get to the smart device network, but the smart device network and the main network are exactly the same network.

Since everything is all one network there is no easy way to protect the NAS. If the NAS has the ability you might whitelist MAC addresses, not IP addresses. Problem is you can change a MAC address pretty easily on most things.

So either the NAS itself has some way to protect itself or you are going to have to place some hardware in front of the NAS to protect it.
 
Solution
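A worked example of the "hardware in front of the NAS" that the reply above describes, added here and not taken from the thread or from any product it mentions: an nftables ruleset for a router that carries the three networks as separate VLANs, so that only the main network can reach the NAS while the owners can still reach the tenant's thermostats. Interface names, subnets and the NAS address are assumptions; it also assumes the access point tags each SSID into its own VLAN, which is exactly the capability the earlier replies say consumer extenders lack.

```nftables
# Assumed layout (not from the thread): one VLAN per SSID, routed by this box.
#   vlan10 = main    192.168.10.0/24  computers, phones, NAS at .10
#   vlan20 = smart   192.168.20.0/24  owners' thermostats and other IoT
#   vlan30 = tenant  192.168.30.0/24  guest Wi-Fi and the tenant's thermostats
#   wan0   = Telus uplink
define MAIN   = "vlan10"
define SMART  = "vlan20"
define TENANT = "vlan30"
define WAN    = "wan0"
define NAS    = 192.168.10.10

table inet segmentation {
    chain forward {
        # Nothing crosses between VLANs unless a rule below allows it.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that a permitted side opened
        ct state established,related accept
        ct state invalid drop

        # Every VLAN may reach the internet (thermostat cloud, tenant browsing)
        iifname { $MAIN, $SMART, $TENANT } oifname $WAN accept

        # Owners on the main VLAN may open connections to their own smart
        # devices and to the tenant's thermostats. The reverse direction is
        # not listed, so smart -> main and tenant -> main are dropped.
        iifname $MAIN oifname { $SMART, $TENANT } accept

        # Explicit, logged drop of anything aimed at the NAS from the other
        # VLANs, so probing shows up in the router log instead of silently
        # falling to the policy.
        iifname { $SMART, $TENANT } ip daddr $NAS log prefix "nas-blocked " drop
    }
}
```

Traffic from the main VLAN to the NAS never enters the forward chain because both sit on the same VLAN, which is the only path that should reach it. Load the file with `nft -f` and confirm from each SSID that only the main network can open TCP 445 (SMB) to the NAS.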

That's interesting to hear "the smart device network and the main network are exactly the same network" - they each have their own passwords, and I can't seem to see any devices on the main network when I'm on the smart device network, or vice versa. The only devices I can see are the ones physically connected to the router - and we only have the NAS and Playstation directly connected to the router.

When you say "depends on who you are calling 'guest'" - we would allow house guests on the guest network, and our basement tenant. It's not a public space.

I'll look into whether WD MyCloud has the ability to whitelist MAC addresses. That might add a little extra peace of mind.

Thanks for all your input!
 