2 WiFi SSIDs with no access to LAN

Hi, I require guest and office SSID networks, preferably from one access point, but so that the wireless clients can't see the Office LAN PCs. I asked this question before and was pointed to the TP-Link 1750, but the Guest Network can still see the devices on the LAN, so it's not any use. I recently bought a Netgear GS108E which supports VLANs, but now the WiFi clients don't get an IP address from DHCP unless it is enabled on the WiFi router, and then they can't ping the Internet router, so there is no Internet access. Help!
James BunchSystems EngineerCommented:
You will need to set the VLAN (Guest) to receive DHCP with a different scope of IP addresses. If you use on the main LAN then give the VLAN as an example. Then make sure the VLAN has proper rules on the router to allow access to the WAN. Depending on what Firewall/Router you are using, you may be able to configure a different LAN port to pass through traffic not associated with the original.

Tom CieslikIT EngineerCommented:
I have the same setup.
2 wireless networks, one for Office, the second for Guests.
The Guest network after connection doesn't have access to the LAN, so they can use only internet access without accessing the company network.

This is very simple to do by using Unifi devices.
All you have to do is set POST AUTHORIZATION RESTRICTION for the IP addresses from your LAN.

After authentication, users from the Guest network will be prohibited from using LAN IPs, so they can't see the LAN, only the internet.
You can set more than one subnet :)

PeterNairnAuthor Commented:
Hi James, is this in relation to the TP-Link AC1750? I know this is the basics for setting up VLANs, but it doesn't look like the AC1750 can do this, and it doesn't look like the Netgear GS108E can either.
Most newer TP-Link models can isolate guests from your LAN (without the need for the VLAN function; it just handles this internally). It's usually a checkbox in one of the menus (with a description similar to "isolate" or "can see LAN"). Did you flash the newest firmware?

edit: In the older cases it's called AP Isolation:

Enabled AP Isolation - This function can isolate wireless stations on your network from each other. Wireless devices will be able to communicate with the router but not with each other. To use this function, check this box. AP Isolation is disabled by default.

This of course applies to ALL WiFi clients. Only in the newer TP-Links will a similar function be in the Guest section (sometimes called "Allow Guests to Access my Local Network", which means: DO NOT tick this checkbox).
James BunchSystems EngineerCommented:
The Netgear GS108E is a managed switch on which you can adjust the GB ports directly or create VLAN tagging. This is also accompanied by the firewall/router rules. What brand and model is the firewall you have in place?
PeterNairnAuthor Commented:
Hi, maybe I should have mentioned earlier that I already have a DHCP router on the LAN, which runs off a Fritz!Box.
PeterNairnAuthor Commented:
Hi James, it has very limited configuration for the VLANs; basically all I can do is configure the ports into VLANs, with no routing options.
James BunchSystems EngineerCommented:
Then you are stuck with using a device at the AP level that will actually segregate and DHCP a different subnet. Look at the link below; toward the bottom are options to "Allow guests to see each other, or See my Network", and make sure those are not enabled.

PeterNairnAuthor Commented:
The issue is that to allow guests to get an IP address from the DHCP server they need access to the LAN, and if we block them from the LAN then they get no IP address. That's why I purchased the Netgear switches which have VLAN built in, but I still have the same issues, as they seem to block everything on the second VLAN, so no access to the DHCP server.
James BunchSystems EngineerCommented:
The DHCP functions you're mentioning have to be available on the device serving the DHCP. For true isolation like you are describing, you have to have a firewall/router, AP and switch that are capable of handling that segregation. If any of these devices is limited in this, then you will have to create a faux guest LAN, which is on the same subnet as your main network but not able to visibly see them.
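What the answers above describe, as an added example that is not from the thread or from any of the posters: a small Linux box acting as the VLAN-aware router between the Fritz!Box and the GS108E. It gives each SSID its own VLAN and its own DHCP scope served on that VLAN's interface (so guests get a lease without ever touching the office LAN), allows guest traffic out to the WAN, and drops guest traffic aimed at the office VLAN or at the upstream router. Every interface name, VLAN id and address here is an assumption for illustration (eth0 = WAN towards a Fritz!Box on 192.168.178.0/24, eth1 = trunk to the switch, VLAN 10 = office, VLAN 20 = guest); on the switch both VLANs are tagged on the router port and the AP port, and the AP must map each SSID to its VLAN id. Without `--apply` the script only prints the dnsmasq and nftables configuration it would install.

```shell
#!/bin/sh
# Added example (not code from the thread). Hypothetical router layout:
#   eth0 = WAN side, towards the Fritz!Box (assumed 192.168.178.0/24)
#   eth1 = trunk to the GS108E; VLAN 10 = office SSID, VLAN 20 = guest SSID
WAN_IF=eth0
TRUNK_IF=eth1
OFFICE_VID=10; OFFICE_NET=192.168.10.0/24; OFFICE_GW=192.168.10.1
GUEST_VID=20;  GUEST_NET=192.168.20.0/24;  GUEST_GW=192.168.20.1
UPSTREAM_NET=192.168.178.0/24   # Fritz!Box LAN: guests must not reach it either

office_if() { printf '%s.%s\n' "$TRUNK_IF" "$OFFICE_VID"; }
guest_if()  { printf '%s.%s\n' "$TRUNK_IF" "$GUEST_VID"; }

# One sub-interface per VLAN: the router owns an address in each VLAN, so it
# can answer DHCP and route for both without either side seeing the other.
setup_vlans() {
  ip link add link "$TRUNK_IF" name "$(office_if)" type vlan id "$OFFICE_VID"
  ip link add link "$TRUNK_IF" name "$(guest_if)"  type vlan id "$GUEST_VID"
  ip addr add "$OFFICE_GW/24" dev "$(office_if)"
  ip addr add "$GUEST_GW/24"  dev "$(guest_if)"
  ip link set "$(office_if)" up
  ip link set "$(guest_if)"  up
  sysctl -w net.ipv4.ip_forward=1
}

# dnsmasq: one DHCP scope per VLAN. dnsmasq picks the range whose subnet
# matches the interface a request arrives on and hands out that interface's
# own address as gateway and DNS server, so a guest's lease comes from the
# guest VLAN and never needs a path into the office network.
dnsmasq_conf() {
cat <<EOF
interface=$(office_if)
interface=$(guest_if)
bind-interfaces
dhcp-authoritative
dhcp-range=192.168.10.100,192.168.10.200,12h
dhcp-range=192.168.20.100,192.168.20.200,1h
EOF
}

# nftables: the only traffic a guest may send to the router itself is DHCP
# and DNS; forwarded guest traffic may go to the WAN and nowhere else. The
# explicit "counter drop" is redundant with the drop policy but lets you see
# blocked guest-to-office attempts in "nft list ruleset".
nft_ruleset() {
cat <<EOF
flush ruleset
table inet guest_isolation {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iifname "$(office_if)" accept
    iifname "$(guest_if)" udp dport { 67, 53 } accept
    iifname "$(guest_if)" tcp dport 53 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$(guest_if)" ip daddr { $OFFICE_NET, $UPSTREAM_NET } counter drop
    iifname "$(guest_if)" oifname "$WAN_IF" accept
    iifname "$(office_if)" oifname "$WAN_IF" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

case "${1:-}" in
  --apply)   # run as root on the router
    setup_vlans
    dnsmasq_conf > /etc/dnsmasq.d/vlans.conf && systemctl restart dnsmasq
    nft_ruleset | nft -f - ;;
  *)         # dry run: print what would be applied
    dnsmasq_conf; nft_ruleset ;;
esac
```

To check it from a guest client: the lease should come from 192.168.20.x with gateway 192.168.20.1, browsing should work, and a ping to an office address such as 192.168.10.1 should time out while the `counter drop` rule's packet count in `nft list ruleset` goes up. If the guest can still reach office PCs, the usual cause is the AP not tagging the guest SSID onto VLAN 20, so the traffic is landing on the office VLAN before the router ever sees it.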
Buy a cheap WiFi router specifically for the guests and put it on the VLAN. That way you have DHCP available (in the WiFi router), and you have it separated from the network (because you put the WAN port of the WiFi router on the VLAN port of the switch).
If having separate office and guest WLANs is important, then it's equally important to use kit that is capable of properly supporting this. You already have a VLAN-capable switch, so a WAP (or two) that fully supports WLAN separation is needed. I find the Ubiquiti Unifi products mentioned above to be excellent for such applications. However, be aware that Ubiquiti WAPs require a software controller to be running in order to manage them, either locally or in the cloud.
You don't say how many office and guest users need to be supported or whether capacity for future expansion is required, but if your organisation is a business then it needs business-class hardware. Cheap residential-grade products will commonly lack the bandwidth to support more than a handful of users, and security options are often very basic.
PeterNairnAuthor Commented:
Had to use Managed Network Switch