ubnt guest wireless or separate VLAN?
-
I have a remote office that used to have a local internet connection and a site to site MetroE link. The local internet is going away. For guest wireless access, I set up a separate VLAN and created a SSID for guest internet on that VLAN. The SonicWall sent all that traffic straight out to the internet.
Now that I'm removing the local internet, I have to decide if I should keep the VLAN and try to trunk that across the MetroE circuit, or just turn Ubiquiti's guest mode, put them back in the default VLAN and call it a day. What do you think? I realize it's probably more secure with the VLAN, but it's also more confusing for other admins.
-
While Personal use is a bit different from office use, I have three SSIDs on my UBNTs.
- Primary devices
- Kids Wireless (throttled)
- Guest (throttled)
-
Right. Currently there are two SSIDs. I'll be keeping those because one of them only works with RADIUS, etc. The guest wifi currently uses VLANs to keep them off the LAN. Unnecessary complexity?
-
@Mike-Davis said in ubnt guest wireless or separate VLAN?:
Right. Currently there are two SSIDs. I'll be keeping those because one of them only works with RADIUS, etc. The guest wifi currently uses VLANs to keep them off the LAN. Unnecessary complexity?
I wouldn't say unnecessary at all. This is how we have our network setup as well.
Guest network is VLAN'd off so that "guest" devices are unable to get to our network. The corporate network is radius controlled.
It really makes life simple.
-
Guest mode works a lot like a VLAN. In most cases, I would just use that.
-
The biggest benefit to guest mode is it stops other devices talking to each other, so even on an internal wifi if you have lax security and just need users to get their ipads to the internet it works a treat.
In 1 setup, The VLAN 100 goes directly to the firewall, which then runs DHCP/DNS for anyone on the guest network.
The internal VLAN then is Microsoft world on a different IP range.
-
I'd keep the VLANs for 2 reasons... 1) is it's already set up. Yes, it may be more confusing, but it's nothing some clear documentation can't fix.
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
-
I really need to figure out how to set this mode up. I keep meaning to do this in order to flatten out networks as much as possible.
I've started to like twice and never completed it.
-
@JaredBusch said in ubnt guest wireless or separate VLAN?:
I really need to figure out how to set this mode up. I keep meaning to do this in order to flatten out networks as much as possible.
I've started to like twice and never completed it.
It's a tick box in the controller per SSID.
Go to settings, wireless networks, edit, then check the box for guest mode.
-
@Breffni-Potter said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
I really need to figure out how to set this mode up. I keep meaning to do this in order to flatten out networks as much as possible.
I've started to like twice and never completed it.
It's a tick box in the controller per SSID.
Go to settings, wireless networks, edit, then check the box for guest mode.
It is not as easy as that to make it a secure guest network.
-
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
-
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
-
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
-
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
-
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.
-
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.
I would. What happens when the Guest traffic gets to the other end of the Metro E connection? Does it drop it? Does it send it on to the internet? Or what?
With VLANs (and good documentation), you know exactly what it does.
-
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.
I would. What happens when the Guest traffic gets to the other end of the Metro E connection? Does it drop it? Does it send it on to the internet? Or what?
With VLANs (and good documentation), you know exactly what it does.
My point was that that's the same in both cases. Both of your posts describe the same situation for both approaches. VLAN only works because you handle it on both ends. Guest works too in the same situation.
-
The VLAN concept depends on end to end network support and planning. Identical to how the UBNT guest system works.
-
Or does it... That'd be a good question for a UBNT person...
There's a number of ways they could achieve this without relying on the "other end" of the connection supporting their guest mode stuff.
-
@dafyre said in ubnt guest wireless or separate VLAN?:
Or does it... That'd be a good question for a UBNT person...
There's a number of ways they could achieve this without relying on the "other end" of the connection supporting their guest mode stuff.
That would make it better than VLAN then
