Guest network with a Wirelesss AP?

[MrFixit]

Hi,

Is it possible to buy a Wireless Access Point that supports guest network access?

Basically I want to be able to provide guest access to the internet (with no security) for "foreign" mobile devices e.g. iPhones etc (we have teenagers with teenage friends!) but I also want to connect an internet radio device wirelessly that will also be able to stream from my NAS (QNAP TS-509), so this would need access to the LAN.

Although I have Cat 6 wiring in parts of the house, it does not extend to the kitchen where I want to put the internet radio (probably a Logitech SqueezeBox).

While I can set up a VLAN on my router (Netgear UTM5) to isolate the Ethernet port into which I can plug an AP, this would deny the internet radio access to my NAS. BTW - I am also running an HP 1810g-24 switch which also supports VLANs.

I guess I could run two APs - one isolated as above on a VLAN, and the other (with WPA security) for the internet radio on the LAN - but this seems excessive and costly.

Alternatively, could I use something like a Netgear WNDR3700 set up as an AP but retaining the guest network capability (I am thinking not, as this is a router function)?

Any ideas?

 

[MrFixit]

Update:

I have been looking at the Netgear WNAP210 which supports VLANs. Might I use this?

I guess I am going to have to understand about VLAN tagging in order to set this up correctly. Can anyone help?

 

[overdrive31]

The WNDR3700 firmware does have the capability of having separate SSID's guest/local with VLAN, but you want to know if with DHCP turned off, is it still going to function. I don't have the answer, but why would an AP like the WNAP210 support it sans DHCP? Maybe it's because the fact the VLAN's are not customizable on the router like they are on the AP.

My guess is the router would work. I have an DIR-825 with VLAN's for wireless and a guest SSID, guess I could test the theory.

The advantage of the WNAP210 is it's POE capability for placement location choices, client mode bridging/repeating, and having more than just two SSID's.

Update: Just tested it, enabling the VLAN segregation between SSID #1 and #2(guest) breaks routing for the guest clients so they can't get DHCP nor does it allow static addresses. My guess was wrong, the router will not work with VLAN's while setup as an AP, or maybe Netgear's firmware is different in how it implements it's VLAN's even though the hardware between these routers is pretty much the same. Could try 3rd party firmware on the router for a customized VLAN feature set.

I should mention enabling client isolation/partition(which puts each wireless client in it's own VLAN) after turning off the guest VLAN did nothing, leads me to believe that either a router's DHCP server has everything to do with VLAN control or client isolation just doesn't work after turning off the VLAN for the guest SSID.

Update 2: Setup as an AP with VLAN on for guest network(2.4GHz) and no guest clients(they don't work in this mode anyway), enabling client isolation(VLAN) works, but only one-way. Both radio's have client isolation enabled, yet the 5GHz clients can communicate with the 2.4GHz clients, but the 2.4GHz clients cannot communicate back. Neither radio's clients should be able to talk to one another with client isolation enabled even if only one of the radio's had it turned on. Turning off the guest network as an AP with client isolation on still allows one-way traffic between each radio. So it seems for VLAN's to function correctly at all they require the DHCP server on the router to be enabled, no VLAN support as an access point.

Update 3: Back to router mode, client isolation tests were done using ping. The one-way results were because of the XP client's firewall blocking pings(user error), not the VLAN. Testing with a http server and ping(after allowing through firewall) shows no VLAN functionality preventing communication even when in router mode between 2.4GHz and 5GHz clients. Turns out client isolation only blocks communication between clients on the same radio band(I had assumed it blocked all clients, including wired). Don't take my findings to be what you'd expect from the Netgear router, give it a try. At least it can run 3rd party firmware that could allow it to perform almost all the functions the AP products can plus be a router if you needed to re-purpose it.

 

[Osamede]

On the D-Link DAP-2553 wireless access point you can set it such that any device on a given SSID will not see other devices connected to the AP.

 

[MrFixit]

overdrive31,

Many thanks for testing this out. It seems it is as I feared - it probably won't work as an AP. Shame, as the WNDR3700 has good range.

Osamede,

In fact I have just started looking at the D-Link DAP-2553 and the somewhat cheaper DAP-1353. Both of these "real" APs seem to offer multiple SSIDs (4) which would provide the isolation I am looking for (much like the Netgear WNAP210) and rely on 802.1q VLAN technology to achieve this.

I guess now I just need to decide which one will work best for me and then fathom out how to configure it (more reading of the manuals I fear ).

 

[Osamede]

I just got the DAP-2553 myself after a fiasco with the DIR-825. I can say that the DAP-2553 is rock solid. Setup is a bit quirky but once you do that is super reliable and strong signal. Not one single second of downtime in about 3 weeks of use so far. No over heating, not crashing, no dropouts - it just works. Which is what wireless equipment is supposed to do, that we often forget in these days of spending half your life on a forum to deal with products that have been butchered to hit a price point.

 

[MrFixit]

Got one!

Hi,

Thanks to the advice here I picked up a D-Link DAP2553. I had a little trouble figuring how to set up MSSIDs and VLANs to achieve an Open Guest network limited to Internet access only, together with a Secure network with full access to my LAN, but this link helped: http://www.dlink.com/support/faqDetail/?prod_id=3498

The AP is plugged directly into my router (Netgear UTM5). Although I could just as easily plug it into my main switch (HP ProCurve 1810G-24) as long as I configured it for the VLANs .