At office Wifi access
-
@JaredBusch said:
This method requires communication with the controller. The controller is handing out DHCP and such.
You will still have to setup firewall rules and routing.
On the router side, it is no different than a VLAN (because a VLAN is just a different subnet at the IP layer anyway).Agreed - looks like UNBT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall one for each IP range, unless the router/firewall supports multiple IPs non VLAN'ed on a single interface.
-
@Dashrender said:
Agreed - looks like UNBT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall one for each IP range, unless the router/firewall supports multiple IPs non VLAN'ed on a single interface.
Often they do.
-
@scottalanmiller said:
@Dashrender said:
Agreed - looks like UNBT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall one for each IP range, unless the router/firewall supports multiple IPs non VLAN'ed on a single interface.
Often they do.
because of routing on a stick?
I guess I've never seen someone try to route on a stick that wasn't using VLAN, but I suppose there is no reason you couldn't. The main bad thing about this, is if either side can change their IP to the other network, they would gain full access to that network.
-
Here's how we have it set up. I've removed other info, but just select the Guest Policy and it limits the devices on the Guest SSID to only interwebs traffic. They do have more advanced options under the Guest Control section.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Agreed - looks like UNBT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall one for each IP range, unless the router/firewall supports multiple IPs non VLAN'ed on a single interface.
Often they do.
because of routing on a stick?
I guess I've never seen someone try to route on a stick that wasn't using VLAN, but I suppose there is no reason you couldn't. The main bad thing about this, is if either side can change their IP to the other network, they would gain full access to that network.
I am unfamiliar with this term.
But, in theory, they cannot change their IP address on the AP side because of the AP's security.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Agreed - looks like UNBT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall one for each IP range, unless the router/firewall supports multiple IPs non VLAN'ed on a single interface.
Often they do.
because of routing on a stick?
I guess I've never seen someone try to route on a stick that wasn't using VLAN, but I suppose there is no reason you couldn't. The main bad thing about this, is if either side can change their IP to the other network, they would gain full access to that network.
I am unfamiliar with this term.
But, in theory, they cannot change their IP address on the AP side because of the AP's security.
In theory.
Routing on a stick - a router that routes all traffic on a single interface.
-
@Dashrender said:
Routing on a stick - a router that routes all traffic on a single interface.
Gotcha. Called those multi-homed interfaces in my day Oh, this would not be what you are thinking, still two interfaces, all routing would still go "through" the router, just separated on the other side.
So not routing on a stick then, in this case.
-
@Dashrender said:
In theory.
One could say the same thing about the routing or VLANs, though. They isolate the traffic "in theory." But in reality, the theory holds. I don't see any reason to be concerned here. It looks like a well thought out security mechanism. I would test it and not use it for military secrets or anything. But for a normal business on a scale where this would work, it seems like a simple, logical approach.
What about it causes concern?
-
@scottalanmiller said:
@Dashrender said:
Agreed - looks like UNBT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall one for each IP range, unless the router/firewall supports multiple IPs non VLAN'ed on a single interface.
Often they do.
My routing on a stick comment was based on this, not the UNBT stuff. I took your meaning to be that many routers support single interface routing.
Although I see why you say it's not really routing on a stick because the traffic from network A (A and B being inside your network) and the internet, but not from A to B
-
@Dashrender said:
Although I see why you say it's not really routing on a stick because the traffic from network A (A and B being inside your network) and the internet, but not from A to B
Exactly. The one side of the router would be multi-homes but not routing between subnets on that side (if it did that, just skip the routing altogether) and instead only from multiple "inside" routes to a single external route.
-
@scottalanmiller said:
@Dashrender said:
In theory.
One could say the same thing about the routing or VLANs, though. They isolate the traffic "in theory." But in reality, the theory holds. I don't see any reason to be concerned here. It looks like a well thought out security mechanism. I would test it and not use it for military secrets or anything. But for a normal business on a scale where this would work, it seems like a simple, logical approach.
What about it causes concern?
Actually, now that I've looked at the configuration of the guest network, that network can be limited to only the specified IP range, so yeah, it's less of an issue. If that limitation wasn't there, a person could make an association, then after the association was live, manually change their IP to one on the production network and Bob's your uncle.
-
@Dashrender said:
Actually, now that I've looked at the configuration of the guest network, that network can be limited to only the specified IP range, so yeah, it's less of an issue. If that limitation wasn't there, a person could make an association, then after the association was live, manually change their IP to one on the production network and Bob's your uncle.
Right. I would agree that they could if the restrictions were not in place.
-
I have a UBNT Router and AP (UniFI). I have two SSIDs - one for the 'business' side of my home network, and another for the Kids. I have the Kids side limited to 1MBs to not saturate the main network. Work before Mindcraft.
-
OK I'm blind, I can't find the bandwidth limiting section in the controller software. And my screen does not look like those above. I'm on version 4.6.6
-
One other option that's worked for me previously is to get a cheap consumer connection and have guest / employees use that for their phones and want not. Bonus: you get an additional connection to use for testing / failover / whatever else you might need.
-
@Dashrender Should be under Settings > User Groups. Then under Wireless Networks pick the user group for the guest network.
-
@johnhooks said:
@Dashrender Should be under Settings > User Groups. Then under Wireless Networks pick the user group for the guest network.
Thanks, that seems convoluted, but gives me what I want.
-
@Dashrender No problem. Ya it would be nice if you could just set it on the guest network.
-
This post from a few years ago seems to indicate that the Guest WiFi network still gets an IP from your normal DHCP server. Now you're really trusting the AP to make sure that traffic on that SSID is only forwarded to the Default Gateway, and not allowed on the local network.
-
@Dashrender said:
This post from a few years ago seems to indicate that the Guest WiFi network still gets an IP from your normal DHCP server. Now you're really trusting the AP to make sure that traffic on that SSID is only forwarded to the Default Gateway, and not allowed on the local network.
No, not really. DHCP itself cannot be any form of security. That would be security through obscurity. You were never depending on that at all. You have a security mechanism that you need to trust the same as a router or a VLAN. I don't see any new concern here, just better design.