Segregate WIFI guest Access Points with 2 SSIDs

Posted on 2013-05-30
Medium Priority
Last Modified: 2013-06-28
Hi experts

I have been asked to setup a free wireless network at work for our customers.

The boss wants it open to the customers, but I'm a little gun-shy about having that on the same address scheme as our local network.

I've purchased 4 Motorola AP6532 units which have been pre-configured with 2 SSIDs: 1 for the guest (which is open) & 1 for the business (which is secured with a PSK). The APs have a static IP address in the same range as the local network.

I have an HP 2620 PoE switch & a Draytek router. The APs are PoE from the switch (currently ports 21-24).

What I would like to do, if it's possible, is have the guest SSID on a different range to everything else, e.g. 192.168.1.0/24.

That would leave the local network & SSID 2 (business use) on the same subnet, with internet access etc.

I'm a little confused how I would achieve this when the SSIDs are on the APs. If I have to assign an IP to the APs, will the guest wifi network be able to access the internet as required?

Is this at all possible?

Question by:cuadmin
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39209903
If I am assuming it correct, the ISP connects to Draytek Router. From Draytek, a cable is running to HP 2620. Then, 4 Motorola APs are connected to the Switch via port 21 to 24.

Looks like you can assign just ONE IP to the LAN interface of these access points. Hence, you might not be able to segregate the business (SSID 2) traffic from the local open (SSID 1) traffic.

From the manuals, I see the AP has the option to assign two SSIDs. However, there is no option to assign two LAN IPs and bind each IP to each SSID.

Author Comment

ID: 39209916
"If I am assuming it correct, the ISP connects to Draytek Router. From Draytek, a cable is running to HP 2620. Then, 4 Motorola APs are connected to the Switch via port 21 to 24."

You are spot on... this is exactly how it is currently connected.

On the Draytek I've configured 'Vlan2' on port 4 & assigned it an address. The Draytek port is connected to HP port 20. On the HP I've configured a separate Vlan for ports 20-24, being the Draytek connection & the 4 APs.

I can get the 2 subnets talking via inter-LAN routing on the Draytek, but I'm not sure if there's a better or more secure way of doing things. If I can't separate the SSIDs, I guess I'm left with few options.
LVL 10

Accepted Solution

Mohammed Rahman earned 2000 total points
ID: 39210002
Assuming all 4 Motorola APs have 2 SSIDs each (business and local) so that both types of users can connect to any of the 4 available access points at any given time.

Your interest is to divide the network between business and local so that the local traffic cannot access/interfere with the business traffic (due to obvious security reasons).

Assume we have the setup as described in your post above and the APs are in BRIDGE mode and not ROUTER mode (so that the end users get the LAN IP address from the Draytek and not from the APs).

User 1 is connecting as BUSINESS user and getting an IP of
User 2 is connecting as LOCAL user and getting an IP
Both secure and open users are now on the same network, which doesn't serve your purpose.

Now, how will a VLAN segregate the traffic/users based on SSID? Is there an option in the Draytek or the APs to associate a particular VLAN with a particular SSID?

You may attempt this:
Create two VLANs on the switch.
Make port 20 a member of both VLANs (router's port).
Make 21 and 22 members of VLAN X (business, with wireless key).
Make 23 and 24 members of VLAN Y (local and open network).

** This will limit the coverage as each type of user will have access to 2 APs instead of 4 :(
Do not enable inter-VLAN routing as it will enable communication between business and local (which you do not want in the first place).

Please correct me if I am going off track and let us know if you have any other ideas.
Author Comment

ID: 39211984
Your interpretation of the network layout is spot on again :)

I'll set it up this way & let you know the results.

Author Comment

ID: 39211986
On the Vlan, should the ports be tagged, untagged or something else?
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39224506
Tagging can only be done on a Trunk Port and not on Access ports.

When VLANs span multiple switches, VLAN tagging is required. VLAN tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to.

In our case, we are connecting 2 APs to ports 21 and 22 (that will have the wireless security enabled). And these two ports will be members of VLAN X only. Also, these ports will be Access ports and not Trunks. (Reason: we do not have the option to configure 2 SSIDs with two different IP addresses.)

We are forcing ports 21 and 22 to be part of one VLAN (X) and hence allowing only a single network over them. As the port is configured to allow only one VLAN and not multiple, it should be forced to be in ACCESS mode.
** If you keep ports 21 and 22 as trunk, anyone from the local (non-secure) network can install a dummy switch emulator, make himself a member of the business network VLAN and access your business network.

Hence, never configure as TRUNK a port to which the local users have access.

So, long story short :) - Keep ports 21 and 22 as ACCESS only. So, no VLAN tagging. ONLY port 20 must be a trunk as it will have to carry two separate VLANs' traffic to the Draytek router.

The same explanation above applies to ports 23 and 24.
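As an added illustration (not from the thread's participants) of the port plan in the accepted solution and the tagged/untagged explanation above, here is what the HP 2620 (ProCurve/ProVision CLI) side looks like. Assumptions: the existing LAN plus the business-SSID APs stay on the default VLAN 1, the guest VLAN is 2 (matching the "Vlan2" already created on the Draytek), ports 21-22 carry the business APs, 23-24 the guest APs, and port 20 is the uplink to Draytek port 4, which must itself be a tagged member of VLAN 2 (router-side setup not shown); lines starting with ";" are annotations, not commands.

```text
; HP 2620 - guest/business VLAN split (added example, see assumptions above)
; ProCurve terminology caveat: "trunk" in this CLI means link aggregation.
; A port becomes an 802.1Q trunk simply by being a TAGGED member of a VLAN,
; and an access port by being UNTAGGED in exactly one VLAN.
configure
vlan 2
   name "Guest-WiFi"
   ; guest APs: untagged in VLAN 2 only. ProCurve allows a port to be
   ; untagged in one VLAN, so 23-24 are removed from VLAN 1 automatically.
   untagged 23-24
   ; uplink to the Draytek: stays untagged in VLAN 1 (business/LAN) and
   ; is tagged for VLAN 2, i.e. the only port carrying both VLANs
   tagged 20
   exit
; Ports 21-22 (business APs) need no change: they remain untagged in
; VLAN 1 and are tagged in nothing, so they cannot be used to hop VLANs.
; Keep dynamic VLAN registration off so no edge port can join VLAN 1 itself.
no gvrp
write memory
; Verification: 20 should show Untagged for VLAN 1 and Tagged for VLAN 2;
; 21-22 Untagged VLAN 1 only; 23-24 Untagged VLAN 2 only.
show vlans ports 20-24 detail
```

Note that the two guest APs currently have static management addresses in the local range; once ports 23-24 sit in VLAN 2 they are reachable only from the guest subnet, so readdress them (or manage them from that subnet) before moving the ports.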

Author Comment

ID: 39224671
Ok, thanks for the explanation. I'll keep you posted.

Author Closing Comment

ID: 39286047
Sorry for the delay in responding.

Thanks for your advice. Appreciate it.
