    At office Wifi access

    46 Posts 7 Posters 12.4k Views
    • scottalanmillerS
      scottalanmiller
      last edited by

      From the Unifi AP FAQ:

      I just want to provide free and simple guest access

      Recommendation: In Wireless Configuration, enable "Apply Access Policies".

      This turns on guest isolation and subnet restrictions (which can be customized in Settings->Guest Control), etc. - making sure guests cannot access your corporate network. If you choose Open for security, it's pretty much a connect-and-go, no guest portal, no "Terms of Use" or anything. UniFi controller doesn't even have to be running! You still have the option to choose WPA-Personal - just need to have a way to tell the guests the Passphrase.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        http://wiki.ubnt.com/UniFi_FAQ#Guest_Access

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender
          last edited by

          Interesting.

          Though that would still be technically 2 networks, two different SSIDs.

          OK I will look into that.

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            I've not tried using the guest access system myself, but just basing the idea on their documentation.

            1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch
              last edited by

              This method requires communication with the controller. The controller is handing out DHCP and such.

              You will still have to set up firewall rules and routing.
              On the router side, it is no different than a VLAN (because a VLAN is just a different subnet at the IP layer anyway).

              scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @JaredBusch
                last edited by

                @JaredBusch said:

                This method requires communication with the controller. The controller is handing out DHCP and such.

                You will still have to set up firewall rules and routing.
                On the router side, it is no different than a VLAN (because a VLAN is just a different subnet at the IP layer anyway).

                VLANs can be the same subnet. It's a bit different because one is hard isolation and the other is soft.

                So it's not as simple as they make it sound? That makes sense, although it seems like with logic in the bridge (AP) that they could have some serious isolation without the effort of VLANs.

                1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @JaredBusch
                  last edited by

                  @JaredBusch said:

                  This method requires communication with the controller. The controller is handing out DHCP and such.

                  You will still have to set up firewall rules and routing.
                  On the router side, it is no different than a VLAN (because a VLAN is just a different subnet at the IP layer anyway).

                  Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs non-VLAN'ed on a single interface.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said:

                    Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs non-VLAN'ed on a single interface.

                    Often they do.

                    DashrenderD 2 Replies Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @scottalanmiller
                      last edited by Dashrender

                      @scottalanmiller said:

                      @Dashrender said:

                      Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs non-VLAN'ed on a single interface.

                      Often they do.

                      because of routing on a stick?

                      I guess I've never seen someone try to route on a stick that wasn't using VLAN, but I suppose there is no reason you couldn't. The main bad thing about this, is if either side can change their IP to the other network, they would gain full access to that network.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • stacksofplatesS
                        stacksofplates
                        last edited by

                        [Screenshot: Capture.PNG]

                        Here's how we have it set up. I've removed other info, but just select the Guest Policy and it limits the devices on the Guest SSID to only interwebs traffic. They do have more advanced options under the Guest Control section.

                        1 Reply Last reply Reply Quote 1
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said:

                          @scottalanmiller said:

                          @Dashrender said:

                          Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs non-VLAN'ed on a single interface.

                          Often they do.

                          because of routing on a stick?

                          I guess I've never seen someone try to route on a stick that wasn't using VLAN, but I suppose there is no reason you couldn't. The main bad thing about this, is if either side can change their IP to the other network, they would gain full access to that network.

                          I am unfamiliar with this term.

                          But, in theory, they cannot change their IP address on the AP side because of the AP's security.

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by

                            @scottalanmiller said:

                            @Dashrender said:

                            @scottalanmiller said:

                            @Dashrender said:

                            Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs non-VLAN'ed on a single interface.

                            Often they do.

                            because of routing on a stick?

                            I guess I've never seen someone try to route on a stick that wasn't using VLAN, but I suppose there is no reason you couldn't. The main bad thing about this, is if either side can change their IP to the other network, they would gain full access to that network.

                            I am unfamiliar with this term.

                            But, in theory, they cannot change their IP address on the AP side because of the AP's security.

                            In theory.

                            Routing on a stick - a router that routes all traffic on a single interface.

                            scottalanmillerS 2 Replies Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said:

                              Routing on a stick - a router that routes all traffic on a single interface.

                              Gotcha. Called those multi-homed interfaces in my day 🙂 Oh, this would not be what you are thinking, still two interfaces, all routing would still go "through" the router, just separated on the other side.

                              So not routing on a stick then, in this case.

                              1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said:

                                In theory.

                                One could say the same thing about the routing or VLANs, though. They isolate the traffic "in theory." But in reality, the theory holds. I don't see any reason to be concerned here. It looks like a well thought out security mechanism. I would test it and not use it for military secrets or anything. But for a normal business on a scale where this would work, it seems like a simple, logical approach.

                                What about it causes concern?

                                DashrenderD 1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by Dashrender

                                  @scottalanmiller said:

                                  @Dashrender said:

                                  Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs non-VLAN'ed on a single interface.

                                  Often they do.

                                  My routing on a stick comment was based on this, not the UNBT stuff. I took your meaning to be that many routers support single interface routing.

                                  Although I see why you say it's not really routing on a stick because the traffic from network A (A and B being inside your network) and the internet, but not from A to B

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said:

                                    Although I see why you say it's not really routing on a stick because the traffic from network A (A and B being inside your network) and the internet, but not from A to B

                                    Exactly. The one side of the router would be multi-homed but not routing between subnets on that side (if it did that, just skip the routing altogether) and instead only from multiple "inside" routes to a single external route.

                                    1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @scottalanmiller
                                      last edited by

                                      @scottalanmiller said:

                                      @Dashrender said:

                                      In theory.

                                      One could say the same thing about the routing or VLANs, though. They isolate the traffic "in theory." But in reality, the theory holds. I don't see any reason to be concerned here. It looks like a well thought out security mechanism. I would test it and not use it for military secrets or anything. But for a normal business on a scale where this would work, it seems like a simple, logical approach.

                                      What about it causes concern?

                                      Actually, now that I've looked at the configuration of the guest network, that network can be limited to only the specified IP range, so yeah, it's less of an issue. If that limitation wasn't there, a person could make an association, then after the association was live, manually change their IP to one on the production network and Bob's your uncle.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @Dashrender said:

                                        Actually, now that I've looked at the configuration of the guest network, that network can be limited to only the specified IP range, so yeah, it's less of an issue. If that limitation wasn't there, a person could make an association, then after the association was live, manually change their IP to one on the production network and Bob's your uncle.

                                        Right. I would agree that they could if the restrictions were not in place.

                                        1 Reply Last reply Reply Quote 0
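A worked illustration of the two isolation points the thread arrives at: the AP-side guest policy that stacksofplates and Dashrender describe (guest SSID limited to internet-only destinations, so a client that manually changes its IP to the production range gains nothing), and the multi-homed router scottalanmiller describes (one inside interface on two subnets, forwarding inside-to-outside only, never A to B). This is an added example, not Ubiquiti's code and not something posted in this thread. The subnets (192.168.10.0/24 production, 192.168.50.0/24 guest), the SSID names and the sample flows are constructed, and treating the RFC1918 ranges as the restricted-subnet list is an assumption standing in for whatever is configured under Guest Control.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (not taken from the thread).
PROD_SUBNET = ip_network("192.168.10.0/24")   # corporate SSID / wired LAN
GUEST_SUBNET = ip_network("192.168.50.0/24")  # guest SSID range
INSIDE_SUBNETS = [PROD_SUBNET, GUEST_SUBNET]

# Assumption: the RFC1918 ranges stand in for the AP's restricted-subnet list
# (Settings -> Guest Control). Anything outside them counts as "the internet".
RESTRICTED_SUBNETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

GUEST_SSID = "Guest"  # constructed SSID name


def guest_policy_allows(ssid, src, dst):
    """AP-side decision with 'Apply Access Policies' enabled.

    The check is keyed on the SSID the frame arrived on and on the
    destination; the source IP the client claims is deliberately ignored.
    A guest who reconfigures a production address after associating is
    still a guest as far as the AP is concerned.
    """
    if ssid != GUEST_SSID:
        return True                      # corporate SSID: policy does not apply
    dst_ip = ip_address(dst)
    return not any(dst_ip in net for net in RESTRICTED_SUBNETS)


def source_ip_only_allows(src, dst):
    """The weaker rule Dashrender worries about: block guest -> production
    only when the source address is in the guest range. Trusting the
    client's own address is what lets a manually changed IP walk past it.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    return not (src_ip in GUEST_SUBNET and dst_ip in PROD_SUBNET)


def router_forwards(src, dst):
    """Single inside interface homed on both subnets: forward inside <-> outside,
    never inside subnet A <-> inside subnet B (that traffic is dropped here).
    """
    src_in = any(ip_address(src) in n for n in INSIDE_SUBNETS)
    dst_in = any(ip_address(dst) in n for n in INSIDE_SUBNETS)
    if src_in and dst_in:
        return False                     # A <-> B stays blocked at the router
    return src_in != dst_in              # exactly one side is inside


def evaluate(flows):
    """Run constructed flows through both AP policies and the router.

    Each flow is (ssid, src, dst); the result maps it to a tuple of
    (ap_policy_allows, source_ip_only_allows, router_forwards).
    """
    return {
        (ssid, src, dst): (
            guest_policy_allows(ssid, src, dst),
            source_ip_only_allows(src, dst),
            router_forwards(src, dst),
        )
        for ssid, src, dst in flows
    }


SAMPLE_FLOWS = [                                  # constructed
    ("Guest", "192.168.50.23", "203.0.113.10"),   # guest to the internet
    ("Guest", "192.168.50.23", "192.168.10.5"),   # guest to a production host
    ("Guest", "192.168.10.77", "192.168.10.5"),   # guest after changing its own IP
    ("Corp",  "192.168.10.8",  "192.168.10.5"),   # staff to the same host
]

if __name__ == "__main__":
    for flow, (ap, weak, rtr) in evaluate(SAMPLE_FLOWS).items():
        print(f"{flow}: ap_policy={ap} source_ip_only={weak} router={rtr}")
```

The third flow is the one that matters: the SSID-keyed policy still denies it, the source-IP-only rule lets it through, and the router never sees it at all because both addresses sit on the same subnet, which is why the restriction has to live in the AP rather than only at the router.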
                                        • gjacobseG
                                          gjacobse
                                          last edited by

                                          I have a UBNT Router and AP (UniFi). I have two SSIDs - one for the 'business' side of my home network, and another for the Kids. I have the Kids side limited to 1MBs to not saturate the main network. Work before Minecraft.

                                          1 Reply Last reply Reply Quote 1
                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            OK I'm blind, I can't find the bandwidth limiting section in the controller software. And my screen does not look like those above. I'm on version 4.6.6

                                            stacksofplatesS 1 Reply Last reply Reply Quote 0