Setting up a Guest WiFi Network on ASUS RT-N66U

Posted on 2016-10-01
Last Modified: 2016-10-03
I've been using an ASUS RT-N66U in a small office as purely an access point in ROUTER MODE (as a switch and access point) connecting the device to the LAN on one of its LAN ports and DHCP disabled.  This is shown in the first figure attached: Office Network Original Diagram.

Now a Guest Network is desired.
I see that the RT-N66U has a number of Operation modes available:
- ROUTER MODE which normally expects a WAN connection and doubtlessly provides NAT.
- REPEATER MODE to extend a wireless network.  No NAT.  Appears to be of no interest here.
- ACCESS POINT MODE.  No NAT I'd guess.
- MEDIA BRIDGE MODE with two RT-N66U devices.  Appears to be of no interest here.

So rather than continuing to use the router mode with no WAN connection, I opted for the ACCESS POINT MODE with a WAN port connection to the LAN.  
And, I set up a Guest Network which is supposed to not allow connection to the LAN devices but only the internet.
This variation is shown in the second diagram: Office Network Diagram Guest Network.

The situation when this is done is allowing connection to the LAN devices from the Guest Network.  I need to fix it so Guest access to the LAN devices doesn't happen.

In some instructions a mode is shown that, it appears, will deny access to the LAN.
In the firmware we have (the latest installed) there is Enable MAC Filter instead.  If we set it to Accept, it is supposed to allow connection to the network of any listed MAC addresses.  But does this mean internet access or LAN access or both?  It's not clear.  Accept with no addresses on the list seems to stop WAN/Internet connection.  I think this is simply a typical MAC address filter and nothing more - having nothing in particular to do with the Guest/LAN access.

Under the Wireless Professional settings there is a "Set AP Isolated" Yes/No and instructions say:
"If want to limit guest to all devices behind router, connect by wireless .. choose Yes."
Setting this to Yes appears to disable Guest access to the internet.
Obviously the English isn't so good.  One would hope to interpret this as:
"If want to limit guests from all devices on the LAN, connect by wireless .. choose Yes."

Very confusing....  I somewhat expect that having the LAN on the WAN side of the RT-N66U has something to do with this but it's a bit of a surprise in Access Point mode.  It's the connection I would have expected had this been but a new installation.

I might add that I don't want to mess with the current LAN configuration as the VPN is working well for file access from afar.  So, no router / dual NAT cascading with everything at the 2nd level as that would disrupt the current scheme.

Also, as one would expect, the LAN wireless clients need to be on that same subnet - except for the Guests and for them I don't care.  Either they can be on the same subnet but have no subnet access other than the gateway OR be on another subnet with no inter-subnet access.
Since I manage this remotely at some distance, I want to be able to access everything as I do now.

I'm hoping that someone understands the RT-N66U well enough to shed some light.  Otherwise, I can see ways to "solve my problem" so that isn't so much what I'm looking for here.  I'd like to just use the RT-N66U..... THAT's the problem.
Office-Network-Original-Diagram.pdf
Office-Network-Diagram-Guest-ALT1.pdf
6 Comments
 
LVL 29

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 800 total points
ID: 41824892
In these situations, I generally tell the client to buy a second WiFi router/access point.

Assume internet connection via a cable modem with DHCP enabled.  Plug a cheap 4-port hub into the cable modem.  Now plug both WiFi routers into the hub.  Each will get an address from the modem via DHCP for its internet-facing side.  One router services the guest network, one router services the business LAN.  Either network can be subverted with no effect on the other network.  As long as each router has its firewall enabled, neither can leak information to the other network.

Note that this configuration is secure only so long as you keep the WiFi passwords secret.
 
LVL 31

Accepted Solution

by:masnrock
masnrock earned 1200 total points
ID: 41826334
There are a few ways you can go about it:

1) Do mostly what Dr. Klahn said. That Comcast modem has 4 ports on it, so you don't need the cheap hub that's mentioned. DHCP would serve the AP that's for the guest wireless, while the modem would serve as a passthrough for the Netgear.

2) Same as number 1, except instead of enabling DHCP on the modem, give the router for the guest wireless its own public IP address (this assumes you have some addresses available).

3) Create a separate subnet on one of the interfaces on the Netgear, and don't let it communicate with the existing one. Buy an AP to attach to that interface for that subnet. If you don't want to deal with configuring VLANs on the switch, attach that interface directly to the correct patch panel port that you're dedicating exclusively to the guest network AP.

4) Create a VLAN on the Netgear (you will also have to do some configuration on the Cisco switch) and replace the existing Asus with a UniFi AP (I pick this model since it's not an expensive unit by any means that would help you accomplish your goal), and have the AP set so that there is the existing staff network, and the guest network (which you need to tell which tagged VLAN to place users onto). They'd exist on separate subnets that you don't have to allow to communicate with one another.


Personally speaking, I'd go with options 3 or 4. However, options 1 and 2 are the simplest.
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41826877
masnrock:
It appears using the ASUS RT-N66U and adding a Guest network is out of the question in view of our configuration.
Yes, I know how to do these things.  Although you give some good information about the ports on the modem (I'm not there to see it).

It's not clear why you mention the Cisco switch in 3.
It's not clear why you would replace the ASUS.  Why not just leave it alone as it is in the first diagram?

If I put the guest router on the modem with its own public address (which is really what I'd favor doing) then I'd want a router with a half-way decent firewall that can be accessed remotely.  Any suggestions for such a wireless router?  My sense is that almost any commodity router will do.
 
LVL 31

Expert Comment

by:masnrock
ID: 41827098
Fred,

You could technically do the guest network and isolation as long as you ran the ASUS in Access Point mode, but I would never recommend it. Not because of wanting to drive up the cost or adding more stuff, but more in keeping things well segregated. In the most ideal scenarios, you'd rather have people on separate subnets or VLANs if possible. Also would show a much stronger control for any compliance that your client may deal with (I know you cited they're small, but not sure if they have to deal with anything like PCI).

With the first 3 options, you can use your existing ASUS. However, you'd need to get an additional wireless device because you'd be using separate wireless devices for the staff and guests.

Option 3 I mention the switch because you'd have to deal with VLAN configurations on it if you connect the AP for the guest network (be it the ASUS or another device) to it. If you bypass the switch totally and go straight to the patch panel for the guest subnet, then there's no need to change anything on the switch.

Option 4 is the one where you'd take out the ASUS totally because UniFis are capable of seeing multiple VLANs over the wire.


I forgot to answer one of your questions from your original post: The MAC filter you were mentioning is just a plain MAC filter, that would deny access to the wireless network in general. And I believe that is in general, not a per network filter (based on the documentation for the Netgear).
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41827192
Masnrock:  heh... I agree totally with that segregated approach!  Yet, I was starting with what I had.

Thanks for the clarification re: the switch.  Yes, I was intending to connect separately.  It makes little sense for me to put one cable into a switch in order to run one cable out.  One to many is more normal switch application, eh?  Well, unless one needs port monitoring, SNMP, etc.

I started this question because I'd implemented what's in the "original" diagram but with a Guest network configured in the RT-N66U.  That worked but allowed Guest access to the LAN.  When I think about it, all Guest traffic would have to run over the same wire so it's hard to imagine any internal router mechanism that could keep them separate .. being on the same subnet.

I then tried connecting the WAN/Internet side of the RT-N66U to the LAN as shown in the ALT 1 diagram with the RT-N66U in Access Point mode.  So, I believe no NAT, etc. but still have the issue of all the traffic showing up on that wire.  So this case also didn't separate the LAN from the Guest network.  I believe the proper functional block diagram for the RT-N66U is as if the router has a number of VLANs: one for each wireless signal and connects them to the internal LAN switch EXCEPT the Guest network which is isolated from that switch.  Then, assuming NAT, the traffic goes to the WAN port on the WAN subnet and must go upstream to the gateway without interaction.

Had I been willing to run everything through the RT-N66U and allow double NAT then it likely would have worked just fine.
Just info.

Fortunately the users have a wireless router already available...
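As an added illustration (not code from the thread or from ASUS), here is a small Python model of the point behind masnrock's options 3 and 4 and Fred's "same wire" comment above: a router-level deny rule only isolates guests when they sit on a different subnet from the staff LAN, because same-subnet traffic is switched directly and never reaches the router. All addresses are constructed placeholders, not the office's real ones.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample addressing for the thread's topology (placeholders):
# the staff LAN behind the Netgear, a separate guest subnet on a second
# Netgear interface (option 3), and "anywhere" for internet destinations.
STAFF_NET = IPv4Network("192.168.10.0/24")
GUEST_NET = IPv4Network("192.168.20.0/24")
ANY = IPv4Network("0.0.0.0/0")

# First-match policy the router applies when forwarding between interfaces.
# Each rule is (action, source network, destination network).
GUEST_POLICY = [
    ("deny", GUEST_NET, STAFF_NET),   # guests never reach staff hosts
    ("allow", GUEST_NET, ANY),        # guests may reach the internet
    ("allow", STAFF_NET, ANY),        # staff traffic is unaffected
]


def router_forwards(policy, src, dst):
    """Return True if the router passes a packet from src to dst (default deny)."""
    for action, src_net, dst_net in policy:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return False


def reachable(policy, src, dst, networks):
    """Reachability from src to dst given the list of configured subnets.

    Hosts on the same subnet talk through the switch directly, so no router
    rule is consulted at all; only inter-subnet traffic is filtered. This is
    why a guest SSID bridged onto the staff subnet cannot be isolated by the
    router, however the policy is written.
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    if any(src in net and dst in net for net in networks):
        return True
    return router_forwards(policy, src, dst)


def isolation_report(policy, guest, staff, internet, networks):
    """What a guest client can reach; a correct setup gives staff False, internet True."""
    return {
        "guest_to_staff": reachable(policy, guest, staff, networks),
        "guest_to_internet": reachable(policy, guest, internet, networks),
    }
```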
 
LVL 26

Author Closing Comment

by:Fred Marshall
ID: 41827194
Thank you all for the suggestions!