
kenhlan

Regular Contributor
All,

First Post. Finally looking to upgrade from my old faithful Buffalo HP-G54 w/Tomato to an AC66 I just caught on sale refurb.

With the Dual Band and guest wireless/SSID network capability, I am looking to do some logical separation of all my devices, but need some feedback on capabilities and limitations of my thoughts, and the router.

Using the capabilities of the AC66 to separate 3 (VLANs?/SSID) each in 2.4G and 5G bands, here is what I am considering.

Basically put the kids, media players, guests, and my main gadgets on different band/vlans/SSID:
Main - 2.4G #1
Kids - 2.4G #2
Spare - 2.4G #3
Media Gear - 5G #1
Guests - 5G #2
Spare - 5G #3

Wondering what the pros and cons are. I'll have my main computer, one printer, and a NAS and/or USB drive hard wired to the AC66. Conceptual diagram as below.



Here are some dumb questions:
- I assume the devices on their own 'wireless branch' can only connect/see each other on their own VLAN (branches) or not?
- Can they 'see'/access the hard wired NAS/USB connected drives? (e.g. read/write/share files or recv DLNA streams?)
- Can the hard wired main computer access all the wired branch devices, and vice versa if there is a file share on the main computer?
- If I end up needing a (dual band) range extender or repeater, will that device support/rebroadcast all branches/SSIDs?
- Any other considerations pros, cons, caps/lims, drawbacks, performance considerations, raw comments?

Acknowledgements:
As a novice, I may be incorrectly using VLANs in my description, but they will be separate SSIDs as I believe the AC66 can support.
I am sure not all the media/game devices I have (and have listed on one branch) can 'speak' 5G, so I'm sure some will fall in the 2.4G arena/grouping.
Reading up while lurking unregistered, I will probably Merlin it (verb ;) ) when I get things set up, although Tomato (not Tomato USB) was ROCK solid on my old faithful Buffalo.

I appreciate any feedback or thoughts, particularly on the capabilities and limitations of the concept, and how the AC66 might support it or its limitations.
 
I would keep one SSID across everything, at most use one for each band. Possibly have a guest one if you need to limit what a machine has access to.

Answered in the order asked.

No, they can see all other devices, unless you have network segregation set up (generally can be enabled for just the guest SSID, or all, or the main and guest SSIDs separately. Might be able to do it per SSID if your router allows 3 SSIDs per band). In which case devices cannot see ANY other devices connected to the network, they can ONLY access the internet.

Separate SSIDs are NOT separate VLANs. There is no tagging that occurs, nor is any of the other functionality similar to a VLAN.

If network segmentation is enabled, it depends on the router. Most likely no, they won't be able to access anything attached to the router for storage.

Anything wired to the router/wired on the network can see everything else wired on the network, and anything wireless...again unless network segregation is up and running, in which case network segregation ONLY applies to wireless devices, it doesn't segment out wired devices (but wired devices cannot see any wireless devices that are connected to a "segregated" SSID).

For an access point, router in AP mode or range extender, it will only rebroadcast what it supports for SSIDs. In the case of most range extenders it will ONLY extend a SINGLE SSID. Occasionally you'll find a range extender that supports a main SSID and a guest SSID. I have never seen or heard of one that supports 3. For AP, most are also a main SSID and a guest. Same with routers. Though you could get the exact same model of router that supports 3 SSIDs, and use that in AP mode. Just set its SSIDs to the same as the other router. Just keep in mind, network segregation here is going to get tricky/probably not work once you add in an access point.

As a performance consideration, the more SSIDs you have, the slower everything is. For each SSID on a band you lose around 2.5% of your maximum possible bandwidth due to beaconing (i.e. the router/AP announcing the SSID and the capabilities, which is done every ~100ms). This gets multiplied by the number of basestations announcing SSIDs.

So if you are running 3 SSIDs and just one router, you are losing 7.5% of your maximum possible performance (compared to 2.5% for a single SSID). If you have 3 SSIDs and add in an access point to go with the router, you are losing 15% due to beaconing overhead (because each basestation is shouting out each of their SSIDs x3).

What is the reason/need for all of those SSIDs? If you want to segment out bands, it makes sense to have a different SSID for each band. If you need a guest network that has limited access, that also makes sense to create another SSID. If you need your kid's computer connected with limited privileges, then it makes sense to have them connect to the guest SSID that is set up for network segregation...just keep in mind, they then cannot access ANY network resources, like a printer.

If you don't want them accessing things like network storage, that should be done with user name/passwords to restrict their access. Need more secure/stricter access privileges? Then you need wireless clients that support VLANs and a router that supports VLANs and control access that way.
 
Personally I control access on my network through user access privileges and I use one SSID for everyone and unified across bands. I don't have guests all that often and when I do, they are people I trust (otherwise I don't give out my wifi password). When my kids are a bit older, I'll probably lock things down a little more using VLANs for their wired devices (just to ensure that there is no way they can, say, access my desktop from their desktop) and institute a guest SSID with some more control there too for their wireless devices (mostly so that I can turn off the guest SSID from, say, 9pm till 7am).
 
Thanks azazel, that was really helpful.

I did not mention sequestration, although that was a feature I had read about.

I realized after posting that I really did not mention some of the requirements I was considering in thinking about this approach.

One was some level of security and control.
A) From the security/vulnerability aspect there were two areas I was envisioning:
1) Minimizing/controlling Points of entry - I don't see a reason for my streaming devices like my Roku and DVD internet enabled players/TV to have access to all aspects to my main network. Less DLNA/media access, they only need internet access to stream online media.
2) Vulnerability - I trust my pre-teen kids, but despite my best efforts, I am sure they will navigate or otherwise surf or download something suspect, disguised as a game/trojan from some suspect sites. I was thinking of some type of protection/isolation from the main network to minimize any potential malware etc. propagation. Question: a) If I sequester a printer along with the KIDS SSID, I assume they will be able to print to it. Correct? b) From my main wired computer, could I still VNC into their computers for remote spot check and management?

B) From a management and control aspect, kids' time online management (which you addressed), and possibly site filtering (which I suspect might be MAC dependent (vs SSID customizable)).

Appreciate the feedback and insight. Some things to think about....
 
No, if something is segregated/sequestered it cannot access ANYTHING else, only the WAN port on the router.

If you want to get that paranoid, what you are going to want are multiple access points in addition to the router. Set up the streamers so that they are connecting to the AP, and then on a managed switch, set the port that the AP is connected to, to a VLAN that can only access the router (don't hang anything off the router then). Same thing with your kids' computers. Either connect it to another AP off that switch on a VLAN that can only access the internet, or allow them access to the printer and the router and that is it.

Especially if the kids' computers are wired, that is best. Easy to then segregate each computer to only be able to access the router and the printer and nothing else (not even the other kids' computers).

Some switches also allow timed port shut downs, so even if wired you can shut off access between certain times (this does not appear to be a common feature though).

On your last, a number of routers have both site control, as well as internet and wireless control. It depends heavily on the router if it has any of that or how it is setup. Some do it based on MAC, some apply it to ALL clients (site filtering and internet access control, wireless on/off is obviously for all clients, but most you can alternately shut down the guest or main SSIDs on a timer).

I would in general not rely on network segregation as a security feature unless it is SOLELY for your network streamers and any actual guests connecting to your network. It will not allow them to access ANY network resources, only the internet (no router attached storage, no devices hanging off the network, wired or wireless). For your kids, if you need to segregate them, you are going to need to look at a semi-managed/managed switch and VLANs (and possibly another router/access point, or a router that supports VLANs), that or user access privileges and trust to proper security and firewalling on each device on the network.
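The point running through both of azazel's replies, that extra SSIDs on a consumer router do no VLAN tagging and leave one flat layer-2 network, while a managed switch with VLANs only delivers a frame to ports that are members of its VLAN, is easier to see in code. The model below is an added example written for this page, not azazel's or anything from the thread: it builds and parses 802.1Q-tagged Ethernet frames and computes which switch ports a frame can reach under the "streamers on one VLAN, kids on another, router on a trunk" layout described above. The port names, the VLAN ids 10/20/30 and the MAC addresses are assumptions.

```python
"""Toy 802.1Q switch model (constructed example): tag/parse frames and work out
which ports a frame may egress to given each port's VLAN membership."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet frame, inserting an 802.1Q tag when vlan_id is set."""
    header = dst + src
    if vlan_id is None:
        header += struct.pack("!H", ethertype)
    else:
        # TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    return header + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse dst/src/ethertype and, if an 802.1Q tag is present, the VLAN id."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])


# Hypothetical layout (assumed, not from the thread): one managed switch, the
# router on a tagged trunk, streamers and kids behind their own access points.
VLAN_MAIN, VLAN_STREAM, VLAN_KIDS = 10, 20, 30
# port name -> (native/untagged VLAN, VLANs the port is a member of)
PortTable = Dict[str, Tuple[int, Set[int]]]
SEGMENTED: PortTable = {
    "router":       (VLAN_MAIN, {VLAN_MAIN, VLAN_STREAM, VLAN_KIDS}),  # trunk
    "desktop":      (VLAN_MAIN, {VLAN_MAIN}),
    "nas":          (VLAN_MAIN, {VLAN_MAIN}),
    "ap_streamers": (VLAN_STREAM, {VLAN_STREAM}),
    "ap_kids":      (VLAN_KIDS, {VLAN_KIDS}),
    "printer":      (VLAN_KIDS, {VLAN_KIDS}),
}
# The same switch with no VLAN configuration: every port in VLAN 1. At layer 2
# this is all that separate SSIDs on an unmanaged home router give you.
FLAT: PortTable = {name: (1, {1}) for name in SEGMENTED}


def classify(ports: PortTable, ingress: str, frame: Frame) -> Optional[int]:
    """VLAN a frame belongs to on ingress, or None if the switch must drop it."""
    native, members = ports[ingress]
    if frame.vlan_id is None:
        return native                      # untagged: the port's native VLAN
    return frame.vlan_id if frame.vlan_id in members else None  # tag must be allowed


def egress_ports(ports: PortTable, ingress: str, raw: bytes) -> List[str]:
    """Ports a flooded frame may leave through. No MAC learning is modelled, so
    this is the reachability worst case: every member port except the ingress."""
    vlan = classify(ports, ingress, parse_frame(raw))
    if vlan is None:
        return []
    return sorted(p for p, (_, members) in ports.items()
                  if vlan in members and p != ingress)


def egress_bytes(ports: PortTable, port: str, vlan: int, frame: Frame) -> bytes:
    """Re-serialise for an egress port: tagged unless vlan is that port's native VLAN."""
    native, _ = ports[port]
    tag = None if vlan == native else vlan
    return build_frame(frame.dst, frame.src, frame.ethertype, frame.payload, vlan_id=tag)


if __name__ == "__main__":
    roku = bytes.fromhex("0a0000000020")   # constructed MAC address
    probe = build_frame(BROADCAST, roku, ETHERTYPE_IPV4, b"constructed payload")
    print("segmented:", egress_ports(SEGMENTED, "ap_streamers", probe))
    print("flat:     ", egress_ports(FLAT, "ap_streamers", probe))
```

Running it shows the streamer AP's broadcast reaching only the router port under the VLAN layout, and every port under the flat one; a frame that arrives on an access port carrying a tag for a VLAN that port is not a member of is dropped, and the same frame is re-emitted tagged on the trunk but untagged toward the printer, which is the difference between a real VLAN and a mere SSID name.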
 
