Hotel and wifi isolation question
-
I don't have a specific job in mind, just brainstorming. I was thinking about how a 50 or 100 room hotel would handle wifi for clients while also trying to lock down the system to prevent Room 101 from accessing clients in Room 102. I'm thinking hotel wifi guest clients should only be allowed to access the internet and nothing else. All on the same SSID throughout the facility.
Let's say I wanted to place an AP in each room. So for a 100 room hotel, that's 100 APs dedicated for each room number (Room 101, 102, etc...). I know I can isolate clients at L2 via the AP SSID so they can't talk to one another when connected to the same AP. That would prevent in-room clients from talking to one another. But what about clients on different APs? Would a client from Room 101 still be able to talk to Room 102 because they are on different APs even with L2 isolation on?
If they could, then wouldn't you also have to have a different VLAN for each AP and set up rules in the core router to prevent inter-VLAN access? That seems complicated. Having to set the switch ports for all 100 APs to a different VLAN just to keep them segregated and then set up all the same corresponding VLANs in the router.
What am I missing here? Is providing this much client isolation really this complicated?
-
@biggen said in Hotel and wifi isolation question:
I don't have a specific job in mind, just brainstorming. I was thinking about how a 50 or 100 room hotel would handle wifi for clients while also trying to lock down the system to prevent Room 101 from accessing clients in Room 102. I'm thinking hotel wifi guest clients should only be allowed to access the internet and nothing else. All on the same SSID throughout the facility.
Let's say I wanted to place an AP in each room. So for a 100 room hotel, that's 100 APs dedicated for each room number (Room 101, 102, etc...). I know I can isolate clients at L2 via the AP SSID so they can't talk to one another when connected to the same AP. That would prevent in-room clients from talking to one another. But what about clients on different APs? Would a client from Room 101 still be able to talk to Room 102 because they are on different APs even with L2 isolation on?
If they could, then wouldn't you also have to have a different VLAN for each AP and set up rules in the core router to prevent inter-VLAN access? That seems complicated. Having to set the switch ports for all 100 APs to a different VLAN just to keep them segregated and then set up all the same corresponding VLANs in the router.
What am I missing here? Is providing this much client isolation really this complicated?
At least with a Ubiquiti system, all you have to do is enable the guest network checkbox for any given wireless network. All that's allowed on that SSID afterwards is communication with the gateway for internet access. I haven't dug into exactly how they're doing it, but I'd imagine most wireless systems have the same feature available.
-
@travisdh1 Yes, I saw they have the option to enable a "guest network". I was just reading about that here: https://help.ui.com/hc/en-us/articles/115000166827-UniFi-Guest-Network-Guest-Portal-and-Hotspot-System
I'll have to play with it at home to see exactly what it does.
-
@biggen said in Hotel and wifi isolation question:
I was thinking about how a 50 or 100 room hotel would handle wifi for clients while also trying to lock down the system to prevent Room 101 from accessing clients in Room 102.
With many devices, like Unifi, it's a checkbox in the setup.
-
@biggen said in Hotel and wifi isolation question:
I'm thinking hotel wifi guest clients should only be allowed to access the internet and nothing else. All on the same SSID throughout the facility.
Yup, that's standard. Anyone not doing that is failing pretty hard as it is a baseline feature in any modern equipment.
-
@biggen said in Hotel and wifi isolation question:
Let's say I wanted to place an AP in each room. So for a 100 room hotel, that's 100 APs dedicated for each room number (Room 101, 102, etc...). I know I can isolate clients at L2 via the AP SSID so they can't talk to one another when connected to the same AP. That would prevent in-room clients from talking to one another. But what about clients on different APs? Would a client from Room 101 still be able to talk to Room 102 because they are on different APs even with L2 isolation on?
Not on enterprise wifi. Again Unifi as the example... all APs act as one. They are not invisible to each other and they don't dump the data to the public space as soon as it leaves the AP or else the traffic would loop back and defeat the security in the first place.
-
@scottalanmiller I'm not sure I understand your last post. Are you saying that on a Unifi setup with L2 isolation activated that clients can or can't talk to other clients on different APs even on the same SSID?
Edit: So just playing with a spare Unifi AP, enabling "guest network" for a SSID fully isolates clients not only connected to the AP, but also all clients in the subnet even if those clients are plugged into a physical port on the switch. So the AP must drop all unicast destined frames which is nice.
So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally.
Next time I check into a hotel I'm going to fire up nmap and see how locked down they are.
-
@biggen said in Hotel and wifi isolation question:
I'm not sure I understand your last post. Are you saying that on a Unifi setup with L2 isolation activated that clients can or can't talk to other clients on different APs even on the same SSID?
I'm saying that the default private isolation lets them talk to the gateway and nothing on the LAN whatsoever.
-
@biggen said in Hotel and wifi isolation question:
So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally.
The point of the system is to remove the need for VLANs.
-
@scottalanmiller said in Hotel and wifi isolation question:
@biggen said in Hotel and wifi isolation question:
So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally.
The point of the system is to remove the need for VLANs.
I'd still like a separate network for guest wifi and a separate network for corporate trusted wifi. So, no, a VLAN isn't needed I suppose. The two networks just need different subnets.
-
@biggen said in Hotel and wifi isolation question:
@scottalanmiller said in Hotel and wifi isolation question:
@biggen said in Hotel and wifi isolation question:
So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally.
The point of the system is to remove the need for VLANs.
I'd still like a separate network for guest wifi and a separate network for corporate trusted wifi. So, no, a VLAN isn't needed I suppose. The two networks just need different subnets.
The guest traffic, in this case, is never on the network at all. It is end to end isolated to the firewall. Or you can think of it as automatic VLANs. But you don't need to deal with VLANs whatsoever if you don't want to.
-
@scottalanmiller Yup, I understand. But my brain would have a hard time dumping wifi guests and corporate services all in the same subnet even if it knew the guests were already isolated. Personally, I'd rather do two VLANs in this case. It would be easy to remember that wifi guests are on 10.100.100.0/24 and corporate is on 10.200.200.0/24.
-
@biggen said in Hotel and wifi isolation question:
@scottalanmiller Yup, I understand. But my brain would have a hard time dumping wifi guests and corporate services all in the same subnet even if it knew the guests were already isolated. Personally, I'd rather do two VLANs in this case. It would be easy to remember that wifi guests are on 10.100.100.0/24 and corporate is on 10.200.200.0/24.
Personally, I'd do a /23 or /22, it's just not worth the headache of growth in the future...
-
@dashrender said in Hotel and wifi isolation question:
@biggen said in Hotel and wifi isolation question:
@scottalanmiller Yup, I understand. But my brain would have a hard time dumping wifi guests and corporate services all in the same subnet even if it knew the guests were already isolated. Personally, I'd rather do two VLANs in this case. It would be easy to remember that wifi guests are on 10.100.100.0/24 and corporate is on 10.200.200.0/24.
Personally, I'd do a /23 or /22, it's just not worth the headache of growth in the future...
Especially on the guest network. That can get a lot of devices really quickly. Any given guest room could easily hook up eight devices!
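An added example (not code from the thread or from Ubiquiti) that models the two things the thread settles on: the guest policy from the "APs on one guest VLAN, router blocks everything internal" post, and the /23 vs /22 sizing argument above. The subnets and gateway address echo the ones proposed in the thread; the per-room device count and 25% headroom are assumptions.

```python
import ipaddress
import math

# Constructed values for this example, echoing the subnets proposed in the thread.
GUEST_NET = ipaddress.ip_network("10.100.100.0/24")
GUEST_GATEWAY = ipaddress.ip_address("10.100.100.1")   # assumed gateway address
CORP_NET = ipaddress.ip_network("10.200.200.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def guest_policy(src: str, dst: str) -> str:
    """Decide whether a frame from a guest client should be forwarded.

    Layer 1 is the AP's guest-network isolation (guest-to-guest dropped,
    gateway reachable); layer 2 is the router rule that denies the guest
    VLAN access to every internal subnet, leaving only the internet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in GUEST_NET:
        raise ValueError("policy is evaluated for guest sources only")
    if d == GUEST_GATEWAY:
        return "allow"            # DHCP, DNS and the default route live here
    if d in GUEST_NET:
        return "deny-isolation"   # AP client isolation: no guest-to-guest
    if any(d in net for net in RFC1918):
        return "deny-internal"    # router: guest VLAN never reaches corporate
    return "allow"                # anything else is the internet


def guest_prefix(rooms: int, devices_per_room: int, headroom: float = 0.25) -> int:
    """Smallest IPv4 prefix length whose host count covers
    rooms * devices_per_room plus headroom for lease churn and growth."""
    needed = math.ceil(rooms * devices_per_room * (1 + headroom)) + 2  # network + broadcast
    return 32 - max(2, math.ceil(math.log2(needed)))


if __name__ == "__main__":
    for dst in ("10.100.100.1", "10.100.100.51", "10.200.200.10", "203.0.113.7"):
        print(f"10.100.100.50 -> {dst}: {guest_policy('10.100.100.50', dst)}")
    print("100 rooms x 8 devices ->", f"/{guest_prefix(100, 8)}")
```

With eight devices per room the function lands on /23 for 50 rooms and /22 for 100, which is why the /24 in the thread runs out long before the hotel does.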
-
@scottalanmiller Or more if @scottalanmiller's family visits.
-
@dafyre said in Hotel and wifi isolation question:
@scottalanmiller Or more if @scottalanmiller's family visits.
Fo sho!
My kids each hook up a laptop, phone, Nintendo Switch, Amazon Tablet, iPad, and possibly more like instantly.
-
@scottalanmiller said in Hotel and wifi isolation question:
@dafyre said in Hotel and wifi isolation question:
@scottalanmiller Or more if @scottalanmiller's family visits.
Fo sho!
My kids each hook up a laptop, phone, Nintendo Switch, Amazon Tablet, iPad, and possibly more like instantly.
Well I mean the iPads are going bye-bye with this recent announcement from Apple, no?
-
@dustinb3403 said in Hotel and wifi isolation question:
@scottalanmiller said in Hotel and wifi isolation question:
@dafyre said in Hotel and wifi isolation question:
@scottalanmiller Or more if @scottalanmiller's family visits.
Fo sho!
My kids each hook up a laptop, phone, Nintendo Switch, Amazon Tablet, iPad, and possibly more like instantly.
Well I mean the iPads are going bye-bye with this recent announcement from Apple, no?
Yup. Xiaomi has a new tablet being announced THIS WEEK. I'm pretty excited. I hope that it is available quickly, as I was about to buy an iPad for myself and this looks like a way better option. However, rumor is that no "mini" size is coming in the announcement this week.