How to properly design 2 Guest Wireless networks and not to connect to the corporate network.

Hence the guest access is not a seamless fail-over process.

If the two kinds of devices can be on the same network (not on Corporate), use a couple of Ubiquiti Access points keyed to a main wireless router.   Then moving about will be transparent.

The wirelrss devices (wireless controllers) do need to be on the corporate network and we do not wish the 2 x SSIDs to be able to router to each other either.  The wireless controllers will need to route corporate Wi-Fi connections to the Access Points as well.

Unless are you saying to add 2 additional devices such as Ubiquiti A.P.'s or anything that can provide DHCP (or a NetGear Router).  

1 x NetGear Router with scope 172.20.102.0/24 - Def. Gtwy 102.1

1 x NetGear Router with scope 172.20.103.0/24 - Def. Gtwy 103.1


Then connect an access port from the NetGear to the Wireless controller that has a VLAN and IP address assigned that is within the same DHCP Scope but is an excluded IP address from DHCP.

[embed=file 1410685]

I think the above diagram should work, is this what you were thinking as well?  Or were you thinking something different?  Any thoughts?
New_Design_02.PNG

You can set one Wireless Router on your network (DHCP OFF, I use a static IP on the network). From there if you need more range, you can add a Ubiquiti AP.

Then put another Wireless Router OFF your network (DHCP ON and Different SSID - must be). Then again if you need more range, you can add a Ubiquiti AP on this one (different than the other network).

If a device switches between Guest and Company and is using vanilla DHCP, you need only disconnect from one and connect to the other. Make sure "Automatically Connect" is disabled on the unused network.

Mr. John,

Remember that we will require 2 separate guest SSIDs (Guest access, BYOD access).  And these SDIDs should not communicate or be routable to each other.  

Question1:  Will the above design work for a hassle free failover if 1 wireless controller goes down in a planned or unplanned maintenance window?  Since the gateway IP addresses will not change for the user and the DHCP Server/Device source remains the same.

Quesiton2:  If yes, we will not have any control over the devices unless we are physically at that location and connecting to an available access port on the NetGear DHCP router.

a.  https://kb.netgear.com/24089/How-do-I-specify-the-pool-of-IP-addresses-assigned-by-my-Nighthawk-router
b.  https://kb.netgear.com/20486/How-to-enter-a-static-IP-address-on-a-NETGEAR-Router


I just want to verify that the above will provide a seamless failover for the guest clients.  Just like we currently have a seamless failover for the corporate clients.  But the problem is that if we are in our headquarters in Chicago and an office is in Seattle, then we will not have any control over the Guest Wireless Configuration unless we are physically at the Seattle location.  How can we get the same functionality but control everything from the headquarters and not have to be in the physical spot to control the guest DHCP configurations?  And still have 2 x Wireless controllers for High Availability?

So long as you have guests on one network, and one access point goes down, yes it should be seamless. But NOT to the Corporate network.

Question 2: Ubiquiti Access Points can be managed from the central controller. Otherwise you do not have any control if you are not there, so you need decent security if you want that for guests.

Well we already have a Controller for central management access.  It sounds as if we use Ubiquity will need another central Controller just for Guest Access and connect to that separately from the original controller.

Or use a local device for guest DHCP natting.  I am concerned about security as well.  I think that the solution is either:

1.  Use 1 Wireless controller to provide DHCP to guest clients and forget about High Availability.


2.  Live with the fact that guest access will simple need to push an ipconfig /all if 1 of the controllers goes down.


I wonder what other companies recommend with this setup?  2 separate SSIDs and have 2 Wireless controllers for redundancy; but, not an additional wireless system just for guest access and the original for corporate access.

You only need one SSID for Corporate and one different SSID for Guest. If either network has more than one Access Point you can move about seamlessly.

You cannot fail over from Guest to Corporate or vice versa without compromising your Corporate network

We require 2 x Guest SSIDs?  

1 x SSID for BYOD (Bring your own device, no n corporate network access, just internet) (172.20.102.0/24)
1 x SSiD for Guest Access (172.20.103.0/24)

Why?  Guest and BYOD on Guest are the same thing (to me).

If you really want two Guest SSIDs, that will work, but users may need to disconnect from one before connecting to the other.

Because we want to protect our corporate sponsored guests that are at our facility for work purposes from the IoT that people may bring with them like cell phones and personal tablets.

This is a higher up executive decision.

So then use your routine and process, but that will not allow seamless transition in the event of failure. You must disconnect and reconnect. No big deal with high quality equipment.

Just to clarify you are suggesting to use what we have in place right now without any ubiquiti or netgear DHCP roeuters.  That would mean taht if there is a maintneace window and or a surprise then the guest access devices will need to

1. Connect to the SSID.
2.  Execute ipconfig /release from the command line.
3.  Remove the SSID from the wireless networks.
4.  Re-Connect then you are good again.

On another note, I thought about using 2 available ports on our Firewall.  1 Port for each Guest network and have the Firewall act as the DHCP server for each DHCP scope.  Then connect those Firewall Zones to an individual VLan on our core switch without an assigned IP addess to those 2 VLans (1 Vlan - BYOD, 2-VLan - Guest).

Then cross-connect the 2 vlans to each wireless controller for routing within that same VLan.  I think that may work as well.  Any thoughts?  If we have a VLan on our core switch without any assigned IP address that will not be able to route to our other corporate VLans.  And we will still have management access to the DHCP scope and route it right to the internet.   How about that?

More or less, Yes. If you use good equipment and devices are correctly set up , there will not be much difficulty

Thank you for your assistance Jon.  I appreciate your feedback.  I am a little surprised no one else wieghed in, on this discussion.

Did you think the idea about the firewall is realistic?

Just make sure the firewall allows both sets of users . That will not be difficult

This is what I did.  I had an idea and it works very well.  No need to add additional equipment.  I just need to make a couple of clicks.

1.  The Guest and BYOD Wireless Networks are local on each Wireless Controller (Switch).
      a.  Hence a user with 172.20.103.10 on Controller#1 cannot ping with any 172.20.103.0 client on Controller #2.

2.  The DHCP IP address scope is intentionally split up 50% on controller 1 and 50% on Controller 2.
      a.  Controller#1 gives 172.20.103.5 - 172.20.103.126
      b.  Controller#2 gives 172.20.103.127 - 254

3.  Controller 1 had DHCP Deft. Gtwy 103.1 and that IP was assigned to a local VLan on that switch.
     a.  Controller 2 had DHCP Deft. Gtwy 103.2 and that IP 103.2 was assigned to a local vlan on that switch.
     b.  Even though the 2 local VLans did not communicate with each other on that vlan at all.
     c,  The controllers/switches used a different vlan and ip address for management purposes.

4.  That was when a fail-over happened the 103.10 IP address has the dft. gateway of 103.1.
     a.  It failed over to the other wireless switch which did not have 103.1 assigned to its VLan for internal routing purposes.
     b.  Internal routing to the local switch.  That same VLan is not connected to any other network.
     c.  Any network route that the 103.0 subnet does not know where to route to is sent to the internet only VLAN.  
     d.  So the 103.0 subnet on both controllers are not routing to eachother or any other network.
     e.  The internet only vlan has its own unique IP address for each wireless controller and each ahas its own connection to the internet only vlan.
     f. The heartbeat checks are on the management vlan, not assocaited with the 103.0 vlan at all.  
     g. The 103.0 network is isolated to each controller.

5.  What I ended up trying out, is I just changed the locally assigned VLan 103.0 IP address on each controller to be 103.1.
    a,  I also cahnged the For DHCP scope Default gateway settings on each controller to be 103.1 as well.
    b.  This way when 103.10 failed over to the other controller, then the other controller was already using 103.1 for its local internal routing.
    c.  An ipconfig /release is not necessary and the failover works like a champ!!!!
    d.  Since each wireless controller does not see the other guest vlans the failover works seamlessly, back and forth.


Any thoughts?

I found my own solution.

Thank you.