Solved

Guest Wireless

Posted on 2013-06-10
Last Modified: 2013-06-10
I want to separate my corporate wireless network and my guest wireless network.

Rather than use the existing infrastructure I will be connecting a wireless router/access point to the ISP's router.  The ISP will then ensure that the port this is connected to can only go straight out to the internet and be blocked from accessing any of the private address ranges.

As I want to use two or more wireless devices across two rooms, what would the best method and device be to do this?

My thoughts were to connect a managed switch and assign a currently unused VLAN, e.g. 66, to it, then attach a couple of wireless access points, putting them on the same VLAN.  The ISP will configure the default gateway on the router for that VLAN, which would then pass through the traffic as required.  My problem with this scenario is there is nothing to provide DHCP to the clients as they try to connect.

I have not yet purchased any equipment and am open to any ideas.

Thanks,
0
Question by:JAM-Tech
17 Comments
 
LVL 4

Expert Comment

by:thelug
ID: 39234334
Why not get access points and configure them in Bridge mode?  That way, DHCP addresses can be handed out by the router?
0
 

Author Comment

by:JAM-Tech
ID: 39234343
Let me make sure I understand exactly what you mean.

Your suggestion is to connect a switch to the access point and with the previous configuration but use bridged mode on two access points that connect to the switch.

To configure DHCP for these access points I would get the ISP to configure their router as the DHCP server?

Is that about right?
0
 
LVL 4

Expert Comment

by:thelug
ID: 39234361
Is the ISP router a wireless router as well?  If so, then it can be configured on the VLAN desired, and the other APs should be able to be configured in Bridge mode to hang off the ISP router.

If it's not wireless capable, then you could hardwire the first AP off the router, and then should be able to connect the other APs to that in bridge mode.

DHCP addresses would be served by the ISP router to all access points.

It's similar to how I have my home network set up.  I have my main ISP wireless router with some PCs hardwired to it and another wireless router on another floor in bridge mode.  DHCP from the ISP router hands out addresses to the bridge router on the same network segment.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39234418
> Rather than use the existing infrastructure I will be connecting a wireless
> router/access point to the ISP's router.
What would provide DHCP in that scenario, and why wouldn't that same DHCP server function through/across a VLAN?
0
 

Author Comment

by:JAM-Tech
ID: 39234422
In that situation the wireless router would provide dhcp so to be separate from the corporate network.

The reason it wouldn't use the existing dhcp server is purely to separate it from the corporate network.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39234452
> In that situation the wireless router would provide dhcp so
> to be separate from the corporate network.
Why wouldn't that same wireless router pass DHCP through a VLAN?
And why would a VLAN even be needed?

Why not just use cat5e from the wireless router's LAN port[s] to the other APs?
0
 

Author Comment

by:JAM-Tech
ID: 39234483
I think the original request may have not been described correctly, let me try to get my meaning across.

I do not yet have any equipment for this project.  I am using an interface on the ISP provided router to route traffic straight out to the internet, the ISP is setting up firewall rules through their managed firewall to block the traffic on this interface from getting access to our corporate traffic.

My question is what is the best way using this interface on the ISP's router to set up guest wireless.  This would include the type of equipment, topology and configuration, e.g. connecting a Linksys router to the ISP interface with two APs connected to Linksys switching ports, allowing the Linksys router to be the DHCP server.

Hope this makes more sense.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39234957
> My question is what is the best way using this interface
> on the ISP's router to set up guest wireless.

Well, it seems you have already decided on using a Linksys router for some reason.
Make its LAN IP a different subnet than your corporate LAN. I would even make it a different 'class' to make troubleshooting easier. e.g. if your corporate LAN is using 192.168.x.x, put the guest wireless on 10.x.x.x or 172.16-32.x.x, and vice-versa, but stick with a /24 (255.255.255.0) subnet mask.
Avoid using 192.168.0.x, 192.168.1.x or 192.168.2.x, as those are used as defaults by many consumer grade routers, and avoid 192.168.137.x as that's the subnet Windows uses for Internet Connection Sharing.

For extra APs, I would recommend
EnGenius EAP600 - http://www.newegg.com/Product/Product.aspx?Item=N82E16833168107
and if you don't have AC power within 6 feet of their location, add a PoE Injector
EPE-5818GAF - http://www.newegg.com/Product/Product.aspx?Item=N82E16833999016

They sell a kit that combines those 2, but it appears to be $10 cheaper to buy them separately. Those support 802.1q tags if you decide to implement a VLAN.

An alternative, if you desire external/removable antennae, would be the
EnGenius ECB600 - http://www.newegg.com/Product/Product.aspx?Item=N82E16833168126
Those support PoE and VLAN tagging, as well.

If you haven't already bought the Linksys, I recommend the
EnGenius ESR750H - http://www.newegg.com/Product/Product.aspx?Item=N82E16833168096

I'd use a WPA2 passphrase unless the signal is not available outside the building.

The same SSID and WPA2 security can be used on each one, though I would put them on different non-overlapping channels (1, 6 or 11 on the 2.4GHz band).
That won't provide "seamless" roaming, but the connection should only drop for 15 seconds or so when they switch APs (surfing while walking isn't very safe in most work environments, anyway).

Other than that, what configuration issues were you not sure about?
0
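The subnet criteria from the comment above (which the accepted solution later refers back to), as an added example that is not part of the original thread: a small Python check for a candidate guest LAN against the corporate LAN. The function names and sample addresses are assumptions made for illustration, and private ranges are tested against the RFC 1918 blocks.

```python
import ipaddress

# RFC 1918 private blocks; 172.16.0.0/12 spans 172.16.x.x through 172.31.x.x.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Subnets the post says to avoid: common consumer-router defaults and the
# Windows Internet Connection Sharing subnet.
AVOID = [ipaddress.ip_network(n) for n in
         ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
          "192.168.137.0/24")]


def private_block(net):
    """Return the RFC 1918 block that contains net, or None."""
    return next((b for b in RFC1918 if net.subnet_of(b)), None)


def check_guest_subnet(guest, corporate):
    """Return a list of problems with a candidate guest LAN (empty list = OK)."""
    try:
        g = ipaddress.ip_network(guest)        # strict: host bits must be zero
        c = ipaddress.ip_network(corporate)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if g.version != 4 or c.version != 4:
        return ["only IPv4 subnets are handled here"]
    problems = []
    g_block = private_block(g)
    if g_block is None:
        problems.append("not inside an RFC 1918 private range")
    if g.prefixlen != 24:
        problems.append(f"prefix is /{g.prefixlen}, expected /24")
    if g.overlaps(c):
        problems.append(f"overlaps the corporate LAN {c}")
    elif g_block is not None and g_block == private_block(c):
        # Works, but the post prefers a different block for easier troubleshooting.
        problems.append(f"same private block ({g_block}) as the corporate LAN")
    problems += [f"collides with common default {a}" for a in AVOID if g.overlaps(a)]
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for cand in ("10.66.0.0/24", "192.168.1.0/24", "172.32.0.0/24"):
        print(cand, check_guest_subnet(cand, "192.168.10.0/24") or "OK")
```
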

 

Author Comment

by:JAM-Tech
ID: 39235025
The IP configuration will not be a problem, my main concern was what equipment I should use and how to provision dhcp in this scenario.

Linksys is by no means my preference, it's just something I've used before.  I will list the questions that I need to know below.

1. From the ISP's router, what devices are connected, e.g. ISP router -> EnGenius, EnGenius -> Wireless AP?
2. What device will provide DHCP with this configuration, EnGenius or ISP Router?
3. Would a managed switch be used between the three devices to carry the VLAN traffic?
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39235056
What brand/model/version is the ISP router?
0
 

Author Comment

by:JAM-Tech
ID: 39235292
I have now had confirmation from the ISP that they cannot provide DHCP.

The ISP's router is a Juniper SRX210.

Thanks,
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39235342
OK, then... to the questions in comment ID 39235025:

1) Juniper -> your 'guest' router -> AP[s]

2) your 'guest' router could supply DHCP.

3) I don't see why a separate managed switch would be required (actually, I don't see why a VLAN would be required, if the ISP is going to sequester the port connected to the 'guest' router from the rest of your LAN); the 'guest' router will essentially be a managed switch.
0
 

Author Comment

by:JAM-Tech
ID: 39235379
If I was to use the ESR750H what AP would you recommend connecting to it?  I see it has 4 Ethernet ports I could use for additional APs.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39235446
The EAP600 is no more obtrusive than a smoke detector.
Is there some drawback you're not telling us about that would prevent the use of that model?
0
 

Author Comment

by:JAM-Tech
ID: 39235679
No reason, just missed it.

So the final solution as discussed would be to connect the ESR750H router to the Juniper router and up to 4 EAP600 APs to the ESR750H.

In this configuration the ESR750H would provide DHCP while the Juniper works as the gateway.

How would the APs need to be configured?  Would they need to be bridged or are there any other considerations when connecting them?

Thanks,
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 500 total points
ID: 39236877
> How would the APs need to be configured?

I would put them in Access Point mode, and for IP Settings -> IP Network Setting, select the Obtain an IP address automatically (DHCP) radio button.

On the router, set the WAN to use a Static IP, and set the LAN to use a subnet chosen using the criteria outlined in comment ID 39234957 - I would set WPS to Disabled on both bands to prevent anyone that doesn't know the wireless passphrase from connecting by just pushing the WPS button.
0
 

Author Closing Comment

by:JAM-Tech
ID: 39236883
Solution provided.
0
