Avatar of Pkafkas
Pkafkas
 asked on

How to properly design 2 Guest Wireless networks and not to connect to the corporate network.

What is a better design regarding a company wireless network?

At my work we have 2 Guest Wireless Networks.  

1.  Guest Wireless (SSID) (172.20.102.0/24)
2.  BYOD Wireless (SSID) (172.20.103.0/24)

These 2 SSIDs are not routed to our company network in any way.  We have 2 wireless routers/controllers for high availability, our corporate network SSIDs provide DHCP from our internal DHCP server; but, both guest wireless SSIDs use the controllers for the DHCP server.  The only problem is that

Controller 1 has 1/2 of each individual DHCP scope and it has the default gateway of 102.1 and 103.1


Controller 2 has the other 1/2 of each individual scope and it has the default gateway of 102.127 and 103.127.

The Wireless Guest Lans work great and they have no connection to the corporate network; but, I noticed that if either controller is off-line the guest users must do an ipconfig /release to clear out the IP settings (default gateway for that SSSID in order to receive the correct IP settings from the other controller (Controller 2).  Hence the guest access is not a seamless fail-over process.  If you are connected to a controller 2 ( a unique gateway IP address) and already have controller 1's Default gateway ip address cacahed in memory … you will not be able to connect to the internet from controller 2 until you perform an ipconfig /release.  


Is there a better way to design the Guest Wifi Access for these 2 x GUest SSID's?  Currenlty we have 1 older WiFi Controller in production; but, it was thought to have 2 controllers for the new setup and provide High Availability.  The current WiFi setup doe snot have this DHCP design problem.

Any Ideas for a better design and easier guest access transition to truly benefit from H.A.?  The corporate networks are unaffected because their network ip addresses are originating from our corporate network and not from the Wireless controllers
Wireless NetworkingDHCPNetworking

Avatar of undefined
Last Comment
John

8/22/2022 - Mon
John

Hence the guest access is not a seamless fail-over process.

If the two kinds of devices can be on the same network (not on Corporate), use a couple of Ubiquiti Access points keyed to a main wireless router.   Then moving about will be transparent.
Pkafkas

ASKER
The wirelrss devices (wireless controllers) do need to be on the corporate network and we do not wish the 2 x SSIDs to be able to router to each other either.  The wireless controllers will need to route corporate Wi-Fi connections to the Access Points as well.

Unless are you saying to add 2 additional devices such as Ubiquiti A.P.'s or anything that can provide DHCP (or a NetGear Router).  

1 x NetGear Router with scope 172.20.102.0/24 - Def. Gtwy 102.1

1 x NetGear Router with scope 172.20.103.0/24 - Def. Gtwy 103.1


Then connect an access port from the NetGear to the Wireless controller that has a VLAN and IP address assigned that is within the same DHCP Scope but is an excluded IP address from DHCP.

[embed=file 1410685]

I think the above diagram should work, is this what you were thinking as well?  Or were you thinking something different?  Any thoughts?
New_Design_02.PNG
John

You can set one Wireless Router on your network (DHCP OFF, I use a static IP on the network). From there if you need more range, you can add a Ubiquiti AP.

Then put another Wireless Router OFF your network (DHCP ON and Different SSID - must be). Then again if you need more range, you can add a Ubiquiti AP on this one (different than the other network).

If a device switches between Guest and Company and is using vanilla DHCP, you need only disconnect from one and connect to the other. Make sure "Automatically Connect" is disabled on the unused network.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Pkafkas

ASKER
Mr. John,

Remember that we will require 2 separate guest SSIDs (Guest access, BYOD access).  And these SDIDs should not communicate or be routable to each other.  

Question1:  Will the above design work for a hassle free failover if 1 wireless controller goes down in a planned or unplanned maintenance window?  Since the gateway IP addresses will not change for the user and the DHCP Server/Device source remains the same.

Quesiton2:  If yes, we will not have any control over the devices unless we are physically at that location and connecting to an available access port on the NetGear DHCP router.

a.  https://kb.netgear.com/24089/How-do-I-specify-the-pool-of-IP-addresses-assigned-by-my-Nighthawk-router
b.  https://kb.netgear.com/20486/How-to-enter-a-static-IP-address-on-a-NETGEAR-Router


I just want to verify that the above will provide a seamless failover for the guest clients.  Just like we currently have a seamless failover for the corporate clients.  But the problem is that if we are in our headquarters in Chicago and an office is in Seattle, then we will not have any control over the Guest Wireless Configuration unless we are physically at the Seattle location.  How can we get the same functionality but control everything from the headquarters and not have to be in the physical spot to control the guest DHCP configurations?  And still have 2 x Wireless controllers for High Availability?
John

So long as you have guests on one network, and one access point goes down, yes it should be seamless. But NOT to the Corporate network.

Question 2: Ubiquiti Access Points can be managed from the central controller. Otherwise you do not have any control if you are not there, so you need decent security if you want that for guests.
Pkafkas

ASKER
Well we already have a Controller for central management access.  It sounds as if we use Ubiquity will need another central Controller just for Guest Access and connect to that separately from the original controller.

Or use a local device for guest DHCP natting.  I am concerned about security as well.  I think that the solution is either:

1.  Use 1 Wireless controller to provide DHCP to guest clients and forget about High Availability.


2.  Live with the fact that guest access will simple need to push an ipconfig /all if 1 of the controllers goes down.


I wonder what other companies recommend with this setup?  2 separate SSIDs and have 2 Wireless controllers for redundancy; but, not an additional wireless system just for guest access and the original for corporate access.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
John

You only need one SSID for Corporate and one different SSID for Guest. If either network has more than one Access Point you can move about seamlessly.

You cannot fail over from Guest to Corporate or vice versa without compromising your Corporate network
Pkafkas

ASKER
We require 2 x Guest SSIDs?  

1 x SSID for BYOD (Bring your own device, no n corporate network access, just internet) (172.20.102.0/24)
1 x SSiD for Guest Access (172.20.103.0/24)
John

Why?  Guest and BYOD on Guest are the same thing (to me).

If you really want two Guest SSIDs, that will work, but users may need to disconnect from one before connecting to the other.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Pkafkas

ASKER
Because we want to protect our corporate sponsored guests that are at our facility for work purposes from the IoT that people may bring with them like cell phones and personal tablets.

This is a higher up executive decision.
John

So then use your routine and process, but that will not allow seamless transition in the event of failure. You must disconnect and reconnect. No big deal with high quality equipment.
Pkafkas

ASKER
Just to clarify you are suggesting to use what we have in place right now without any ubiquiti or netgear DHCP roeuters.  That would mean taht if there is a maintneace window and or a surprise then the guest access devices will need to

1. Connect to the SSID.
2.  Execute ipconfig /release from the command line.
3.  Remove the SSID from the wireless networks.
4.  Re-Connect then you are good again.

On another note, I thought about using 2 available ports on our Firewall.  1 Port for each Guest network and have the Firewall act as the DHCP server for each DHCP scope.  Then connect those Firewall Zones to an individual VLan on our core switch without an assigned IP addess to those 2 VLans (1 Vlan - BYOD, 2-VLan - Guest).

Then cross-connect the 2 vlans to each wireless controller for routing within that same VLan.  I think that may work as well.  Any thoughts?  If we have a VLan on our core switch without any assigned IP address that will not be able to route to our other corporate VLans.  And we will still have management access to the DHCP scope and route it right to the internet.   How about that?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
John

More or less, Yes. If you use good equipment and devices are correctly set up , there will not be much difficulty
Pkafkas

ASKER
Thank you for your assistance Jon.  I appreciate your feedback.  I am a little surprised no one else wieghed in, on this discussion.

Did you think the idea about the firewall is realistic?
John

Just make sure the firewall allows both sets of users . That will not be difficult
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Pkafkas

ASKER
This is what I did.  I had an idea and it works very well.  No need to add additional equipment.  I just need to make a couple of clicks.

1.  The Guest and BYOD Wireless Networks are local on each Wireless Controller (Switch).
      a.  Hence a user with 172.20.103.10 on Controller#1 cannot ping with any 172.20.103.0 client on Controller #2.

2.  The DHCP IP address scope is intentionally split up 50% on controller 1 and 50% on Controller 2.
      a.  Controller#1 gives 172.20.103.5 - 172.20.103.126
      b.  Controller#2 gives 172.20.103.127 - 254

3.  Controller 1 had DHCP Deft. Gtwy 103.1 and that IP was assigned to a local VLan on that switch.
     a.  Controller 2 had DHCP Deft. Gtwy 103.2 and that IP 103.2 was assigned to a local vlan on that switch.
     b.  Even though the 2 local VLans did not communicate with each other on that vlan at all.
     c,  The controllers/switches used a different vlan and ip address for management purposes.

4.  That was when a fail-over happened the 103.10 IP address has the dft. gateway of 103.1.
     a.  It failed over to the other wireless switch which did not have 103.1 assigned to its VLan for internal routing purposes.
     b.  Internal routing to the local switch.  That same VLan is not connected to any other network.
     c.  Any network route that the 103.0 subnet does not know where to route to is sent to the internet only VLAN.  
     d.  So the 103.0 subnet on both controllers are not routing to eachother or any other network.
     e.  The internet only vlan has its own unique IP address for each wireless controller and each ahas its own connection to the internet only vlan.
     f. The heartbeat checks are on the management vlan, not assocaited with the 103.0 vlan at all.  
     g. The 103.0 network is isolated to each controller.

5.  What I ended up trying out, is I just changed the locally assigned VLan 103.0 IP address on each controller to be 103.1.
    a,  I also cahnged the For DHCP scope Default gateway settings on each controller to be 103.1 as well.
    b.  This way when 103.10 failed over to the other controller, then the other controller was already using 103.1 for its local internal routing.
    c.  An ipconfig /release is not necessary and the failover works like a champ!!!!
    d.  Since each wireless controller does not see the other guest vlans the failover works seamlessly, back and forth.


Any thoughts?
ASKER CERTIFIED SOLUTION
John

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Pkafkas

ASKER
I found my own solution.
John

Thank you.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.