[SOLVED] Secured Guest WiFi Network

jk_ma

Distinguished
Mar 5, 2010
5
0
18,510
I have some smart devices that are put on a guest wifi network with no intranet access to isolate them from my main home network on an ASUS RT-AC68u router. As the number of smart devices grows, I wanted to extend the guest wifi network range using ethernet backhaul with another identical ASUS router (RT-AC68u). However, neither the access point nor the AiMesh configuration works, as AP mode does not isolate the guest network from my main network and AiMesh currently does not support guest networks on nodes. I believe it is a common problem many people are faced with, but I cannot find any viable solution on the web. Please advise if there is any way to achieve that. Thanks in advance.
 

jk_ma

You can have an isolated guest network, but not with the hardware you have. If you had Ubiquiti access points, and a managed switch, then you could create an isolated guest network.
Thanks for the quick response. In such case, would it be more efficient and cost effective to get a new mesh system such as Netgear Orbi?
 
Mesh systems are mostly just fancy marketing. This word means nothing really, they likely would call your washing machine mesh if it has wifi.

You have to read the details of the system being sold. Does it actually create a separate network between all the wifi radio units? It could be that this is just a simple VLAN, but VLAN support is not something you see in consumer equipment. I don't know how they would ever carry VLAN tags over a wifi repeater; they are already using a hack called WDS to carry multiple MAC addresses, which is not actually part of the wifi protocol.

Guest networks were just a cheap add-on to a router, which is why you see them. They just use a feature called wireless isolation that is part of the wifi chipset and some simple firewall rule in the router that forces the traffic from the guest network to only be able to go to the internet.

When you add multiple devices it gets a lot more complex to securely accomplish this.
 

jk_ma

Argh... Thanks for the info. Any recommendations on guides or instructions on setting up Ubiquiti access points with a managed switch for smart devices isolation?
 
The problem is not so much ubiquiti but having the general network knowledge about vlans. I am not sure if they have a sample config you could go with. For someone that understands the concept it is just a matter of looking up the commands. The general design is the same no matter the vendor.

The best way to look at it is if you had 2 completely separate physical networks and had a special router that had 2 different LAN ports that you could assign different networks to.

VLANs are just virtual representations of that, i.e. why they are called "virtual" LANs.

The key concept you need to understand is VLAN tagging, which is how it keeps the traffic isolated on shared cables.

You might find a Cisco example and just use their general diagrams to implement it. Cisco is one of the harder ones to configure because they have massive amounts of options, most of which are not used by many people.
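As an added illustration of the tagging concept described above (constructed for this thread, not code from any poster or from Cisco/Ubiquiti), here is a small Python model of a managed switch with access and trunk ports: it parses and builds 802.1Q-tagged frames and shows that a frame tagged for the guest VLAN never reaches an access port on the main-LAN VLAN, even though both VLANs share one uplink cable. The port names, VLAN IDs 10/20 and the sample frames are all made up; the model is stricter than a real switch in one respect, since untagged frames arriving on a trunk are dropped rather than assigned a native VLAN.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None when untagged."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])  # TCI = PCP(3) | DEI(1) | VID(12)
    return dst, src, tci & 0x0FFF, etype, frame[18:]

def build_frame(dst, src, etype, payload, vid=None):
    """Build a frame, inserting the 4-byte 802.1Q tag after the MACs when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload

class VlanSwitch:
    """Constructed model (not any vendor's code): an access port carries one untagged
    VLAN (its PVID); a trunk carries tagged frames for a set of allowed VLANs."""
    def __init__(self):
        self.access = {}  # port -> PVID
        self.trunk = {}   # port -> set of allowed VIDs

    def add_access(self, port, vid): self.access[port] = vid
    def add_trunk(self, port, vids): self.trunk[port] = set(vids)

    def forward(self, in_port, frame):
        """Flood a frame to every other port in its VLAN; return {port: egress frame}."""
        dst, src, vid, etype, payload = parse_frame(frame)
        if in_port in self.access:
            vid = self.access[in_port]  # untagged ingress: classify by the port's PVID
        elif vid not in self.trunk.get(in_port, set()):
            return {}  # untagged or disallowed VID on a trunk: drop (no native VLAN modelled)
        out = {}
        for p, pvid in self.access.items():
            if p != in_port and pvid == vid:
                out[p] = build_frame(dst, src, etype, payload)  # egress untagged
        for p, allowed in self.trunk.items():
            if p != in_port and vid in allowed:
                out[p] = build_frame(dst, src, etype, payload, vid)  # egress keeps the tag
        return out

def guest_broadcast_reaches():
    """Constructed topology: VLAN 10 = main LAN PC, VLAN 20 = guest device, one trunk uplink."""
    sw = VlanSwitch()
    sw.add_access("pc", 10); sw.add_access("bulb", 20); sw.add_trunk("uplink", [10, 20])
    f = build_frame(b"\xff" * 6, b"\x02" * 6, 0x0800, b"x", vid=20)  # tagged guest broadcast
    return sorted(sw.forward("uplink", f))  # -> ['bulb']; the VLAN 10 PC never sees it
```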
 

jk_ma

Thanks for the reply. I am a biologist but, as my job required for robotics, I also have a CIS certificate with a couple of courses on networking. However, I do not have real practical experience on implementing complex systems. I just need to research more on vlan to understand what I need in my network.
 

kanewolf

Titan
Moderator
@bill001g Just went to Cisco site and found some articles on VLAN, etc. Will see if I can successfully implement that. Thanks again.
Ubiquiti isn't the only option. BUT, if you are thinking about their hardware you should definitely create an account for their board -- https://community.ui.com/
You want to look at the UniFi topics.
Also there are lots of topics for reading here -- https://help.ubnt.com/hc/en-us/categories/200320654-UniFi-Wireless
Full disclosure, I did change my home network hardware out for Ubiquiti.
 
Solution