    At office Wifi access

    46 Posts 7 Posters 12.2k Views
Dashrender @scottalanmiller

@scottalanmiller said:

VLANs are always separate. They are their own networks. Just don't create a route between networks and you have full isolation.

I never created the route between the networks - the switch did that on its own, perhaps because I gave the switch an IP in both VLANs.
Dashrender @scottalanmiller

@scottalanmiller said:

My first thoughts are...

• No need for two networks. Treat the employees as guests as far as anonymous public access is concerned.
• Ubiquiti APs can do guest networking without need for complex VLANs. Consider just using that.

How does using a Guest network protect my servers from users of the Guest network?
JaredBusch @scottalanmiller

@scottalanmiller said:

• Ubiquiti APs can do guest networking without need for complex VLANs. Consider just using that.

Umm, no....

Without a VLAN or a completely separate AP not plugged into the core switch, the traffic is on the internal network.
Dashrender @JaredBusch

@JaredBusch said:

@scottalanmiller said:

• Ubiquiti APs can do guest networking without need for complex VLANs. Consider just using that.

Umm, no....

Without a VLAN or a completely separate AP not plugged into the core switch, the traffic is on the internal network.

Exactly. While Scott might have thought I am only giving access to employees, that wouldn't be my end goal. Even if it was, though, I would not want the users' personal devices infecting my business network.
JaredBusch @Dashrender

@Dashrender said:

How does using a Guest network protect my servers from users of the Guest network?

It doesn't.
JaredBusch

@scottalanmiller said:

• No need for two networks. Treat the employees as guests as far as anonymous public access is concerned.

Now this, I agree with. There is no reason for two networks. Employees with devices should still have no access to the local network. The caveat here is that you will likely need to allow the OWA connection to your mail server if it is internal. If that is not internal, then there is zero reason for any contact between the guest WiFi network and the LAN.

Just reread your post; I don't see you mentioning two wireless networks other than a public one and the current private one. So no idea what @scottalanmiller was getting at there. But the point is valid.
scottalanmiller

Ubiquiti has a guest networking option that does isolation without VLANs. It's not as secure as a VLAN and requires that you use a different subnet for the guest network for it to be effective, but they do offer a VLAN-less guest network isolation feature where the AP blocks traffic to everything but the designated gateway, DNS and DHCP servers.
scottalanmiller

From the UniFi AP FAQ:

I just want to provide free and simple guest access

Recommendation: In Wireless Configuration, enable "Apply Access Policies".

This turns on guest isolation and subnet restrictions (which can be customized in Settings->Guest Control), etc. - making sure guests cannot access your corporate network. If you choose Open for security, it's pretty much connect-and-go: no guest portal, no "Terms of Use" or anything. The UniFi controller doesn't even have to be running! You still have the option to choose WPA-Personal - you just need to have a way to tell the guests the passphrase.
scottalanmiller

http://wiki.ubnt.com/UniFi_FAQ#Guest_Access
Dashrender

Interesting.

Though that would still technically be 2 networks, two different SSIDs.

OK, I will look into that.
scottalanmiller

I've not tried using the guest access system myself, but I'm just basing the idea on their documentation.
JaredBusch

This method requires communication with the controller. The controller is handing out DHCP and such.

You will still have to set up firewall rules and routing.
On the router side, it is no different than a VLAN (because a VLAN is just a different subnet at the IP layer anyway).
scottalanmiller @JaredBusch

@JaredBusch said:

This method requires communication with the controller. The controller is handing out DHCP and such.

You will still have to set up firewall rules and routing.
On the router side, it is no different than a VLAN (because a VLAN is just a different subnet at the IP layer anyway).

VLANs can be the same subnet. It's a bit different because one is hard isolation and the other is soft.

So it's not as simple as they make it sound? That makes sense, although it seems like with logic in the bridge (AP) they could have some serious isolation without the effort of VLANs.
Dashrender @JaredBusch

@JaredBusch said:

This method requires communication with the controller. The controller is handing out DHCP and such.

You will still have to set up firewall rules and routing.
On the router side, it is no different than a VLAN (because a VLAN is just a different subnet at the IP layer anyway).

Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs, non-VLANed, on a single interface.
scottalanmiller @Dashrender

@Dashrender said:

Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs, non-VLANed, on a single interface.

Often they do.
Dashrender @scottalanmiller

@scottalanmiller said:

@Dashrender said:

Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs, non-VLANed, on a single interface.

Often they do.

Because of routing on a stick?

I guess I've never seen someone try to route on a stick that wasn't using VLANs, but I suppose there is no reason you couldn't. The main bad thing about this is that if either side can change their IP to the other network, they would gain full access to that network.
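The three designs debated above (VLAN separation, subnet-only separation with firewall rules on the router, and the AP's VLAN-less guest policy) modelled as a small reachability check, as an added example that is not from any poster in this thread. The subnets, hosts, restricted ranges and allowed list are constructed, and the UniFi policy is modelled as the destination-based drop the quoted FAQ describes. It shows why subnet-only separation is "soft": a guest device that re-addresses itself into the corporate subnet is delivered on-link, while VLAN membership or the AP's policy still blocks it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing. RESTRICTED mirrors the RFC1918 ranges a
# guest policy typically blocks; ALLOWED is the guest gateway (also DNS/DHCP here).
CORP_NET = ip_network("192.168.10.0/24")
GUEST_NET = ip_network("192.168.20.0/24")
RESTRICTED = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED = {ip_address("192.168.20.1")}


@dataclass
class Host:
    name: str
    ip: str                   # address the host has configured on itself
    vlan: int                 # VLAN of the switch port / SSID it is attached to
    guest_ssid: bool = False  # attached through the AP's guest SSID


def ap_guest_policy_allows(src: Host, dst: Host) -> bool:
    """VLAN-less guest isolation: the AP drops guest-SSID traffic whose
    destination is in a restricted subnet unless that destination is allowed."""
    if not src.guest_ssid:
        return True
    d = ip_address(dst.ip)
    return d in ALLOWED or not any(d in net for net in RESTRICTED)


def router_allows(src: Host, dst: Host) -> bool:
    """Firewall rule on the router: the guest subnet may not reach the corporate subnet."""
    return not (ip_address(src.ip) in GUEST_NET and ip_address(dst.ip) in CORP_NET)


def same_subnet(a: str, b: str, prefix: int = 24) -> bool:
    return ip_network(f"{a}/{prefix}", strict=False) == ip_network(f"{b}/{prefix}", strict=False)


def reachable(src: Host, dst: Host, *, vlans: bool, ap_policy: bool) -> bool:
    """Does an IP packet from src reach dst under the chosen isolation design?"""
    if ap_policy and not ap_guest_policy_allows(src, dst):
        return False                      # dropped at the AP before the wire
    if same_subnet(src.ip, dst.ip):
        # On-link delivery: only the switch is in the path, and it forwards a
        # frame within one VLAN only. With no VLANs the flat network delivers it.
        return (not vlans) or src.vlan == dst.vlan
    # Off-link: the packet goes to the gateway and the router's rules decide.
    return router_allows(src, dst)
```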
stacksofplates

(image: Capture.PNG)

Here's how we have it set up. I've removed other info, but just select the Guest Policy and it limits the devices on the Guest SSID to only interwebs traffic. They do have more advanced options under the Guest Control section.
scottalanmiller @Dashrender

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs, non-VLANed, on a single interface.

Often they do.

Because of routing on a stick?

I guess I've never seen someone try to route on a stick that wasn't using VLANs, but I suppose there is no reason you couldn't. The main bad thing about this is that if either side can change their IP to the other network, they would gain full access to that network.

I am unfamiliar with this term.

But, in theory, they cannot change their IP address on the AP side because of the AP's security.
Dashrender @scottalanmiller

@scottalanmiller said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Agreed - looks like UBNT is just setting up VLANing inside the APs, but otherwise just using the standard network fabric - of course you either have to have two interfaces on the router/firewall, one for each IP range, unless the router/firewall supports multiple IPs, non-VLANed, on a single interface.

Often they do.

Because of routing on a stick?

I guess I've never seen someone try to route on a stick that wasn't using VLANs, but I suppose there is no reason you couldn't. The main bad thing about this is that if either side can change their IP to the other network, they would gain full access to that network.

I am unfamiliar with this term.

But, in theory, they cannot change their IP address on the AP side because of the AP's security.

In theory.

Routing on a stick - a router that routes all traffic on a single interface.
scottalanmiller @Dashrender

@Dashrender said:

Routing on a stick - a router that routes all traffic on a single interface.

Gotcha. Called those multi-homed interfaces in my day 🙂 Oh, this would not be what you are thinking: still two interfaces, all routing would still go "through" the router, just separated on the other side.

So not routing on a stick then, in this case.