Separating guest network from own private network with TP-Link

tipihawk

Jun 26, 2014
Hi,

we have a guest house and provide wireless internet through TP-Link TL-WA801N configured as access point with WPA2 security.

Being in the same subnet as our private home network it is theoretically possible for guests to connect to our private computers. That of course we don't want. Can I restrict the access with one of the other supported modes like VLAN or would I need a different device?

Zhwzczh.jpg
 
You would need a router that supports VLANs. What make/model is your DSL router? Another way to do it would be to purchase an AP that has guest isolation like a Ubiquiti Unifi AP (http://www.amazon.com/Ubiquiti-Networks-UniFi-Enterprise-System/dp/B004XXMUCQ/ref=sr_sp-atf_title_1_1?s=electronics&ie=UTF8&qid=1403791444&sr=1-1&keywords=ubiquiti+ap)
 

tipihawk

Jun 26, 2014
Hi,
thanks for the answer. So I'm on the right track concerning VLAN. Unfortunately I don't know how to set it up. The device on the left (see link in first post) supports VLAN in mode (2), see screenshot.

obEpRXX.jpg


Do I have to change the setup of the main router / internet modem on the right, too?
 
That is interesting, VLAN support must be getting more common. Unfortunately you need it on the DSL router... you technically could run without it on the remote device if you could run the whole device as guest.

Let's assume you have both devices that can run VLANs. What you do is assign the SSID to the proper VLANs. You can also assign physical ports on the routers to VLANs. Between the 2 devices you would put both VLANs on ports that represent the cable between them. The routers will place VLAN tags on the packets to keep it separate.

The key feature though is the main router will assign a different subnet to the "guest" vlan and only allow it to route to the internet.

If you did not need DSL I would be recommending you see if you can flash your main router to dd-wrt, but that is unlikely to be an option with most DSL routers.

In this case it might be better if your AP was an actual router. If all your guests were on that device you could then use it to prevent access. What you would do is say assign IP to the guest machines as 10.x.x.x and let it NAT it back to a single 192.168.2.x. You could then put in a rule that says all traffic to 192.168.2.0/24 is blocked.

I have not read the manual on your AP; it might have the ability to filter data, and you might come up with a method of assigning IPs, for example statically assign all your private ones and deny access from the AP. This generally is not possible on consumer equipment, they tend to only allow filtering of traffic going from LAN-WAN.
 
Solution
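
The NAT-and-block setup described in the answer above, written out as an added example (not code from the thread or from any poster) for a Linux-based guest router using iptables. The interface names `br-guest` and `eth0`, the 10.0.0.0/24 guest range and both function names are assumptions made for illustration; the second function checks the rule order that makes the block effective.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): br-guest is the guest
# Wi-Fi/LAN bridge, eth0 is the uplink port cabled into the private network.

# Print an iptables-restore ruleset: guests are NATed out of the uplink but
# may not be forwarded to any address in the private subnet.
guest_ruleset() {
    guest_if=$1 wan_if=$2 guest_net=$3 private_net=$4
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# The private LAN sits behind the same uplink as the internet, so this DROP
# has to come before the general guest -> uplink ACCEPT (first match wins).
-A FORWARD -i $guest_if -d $private_net -j DROP
-A FORWARD -i $guest_if -o $wan_if -j ACCEPT
-A FORWARD -i $wan_if -o $guest_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $guest_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if the DROP for the private subnet
# appears before the first ACCEPT for traffic entering on the guest interface.
isolation_ok() {
    awk -v gi="$1" -v pn="$2" '
        $1 != "-A" || $2 != "FORWARD" { next }
        index($0, "-i " gi " ") && index($0, "-d " pn " ") && /-j DROP/ { ok = 1; exit }
        index($0, "-i " gi " ") && /-j ACCEPT/ { exit }
        END { exit !ok }'
}

# Constructed sample values: guests on 10.0.0.0/24, private LAN 192.168.2.0/24.
guest_ruleset br-guest eth0 10.0.0.0/24 192.168.2.0/24 |
    isolation_ok br-guest 192.168.2.0/24 && echo "rule order OK"
```

On a real router the generated ruleset would be loaded as root with `iptables-restore`. If the DSL router's own LAN address lies in 192.168.2.0/24, guests need a DNS server outside that range (the guest router itself or a public resolver), because the DROP rule blocks that address too.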