Old Dec 9, 2009, 05:45 AM   #1
RedTomato
macrumors 68040
 
Join Date: Mar 2005
Location: .. London ..
How to separate guest wifi access from our LAN?

Hiya

I have a DrayTek Vigor 2820n wifi router, which is a nice bit of gear, and comes with the ability to have 4 separate wifi SSIDs.

I'm running into a bit of a problem actually using them, probably because of my limited knowledge.

SSID 1 is our guest wifi, secured by WPA, password available to any of our clients and visitors.

SSID 2 is our work wifi channel, again with WPA. Only staff have this.

The problem is users on SSID 1 can also see our LAN, which is not good. I want guest users on SSID 1 to only have access to the internet, nothing else. How?

There's a setting on the Draytek to isolate LAN from any wifi SSID, but when I activate that, I can't access internet through the wifi. I think it's because DNS and DHCP are being handled by the server, not the Draytek.

That means when a user connects to the wifi, the Draytek won't give out an IP address, and it won't let the user connect to the server to get an IP address either. But I don't want to let guest wifi clients connect to the server.

Any ideas?
Old Dec 9, 2009, 05:58 AM   #2
spinnerlys
Guest
 
Join Date: Sep 2008
Location: forlod bygningen
Can't you password protect the server or the folder lying around there?

We also have wifi at work which gives us access to the internet and our server, but we can only access the files on the server if we enter the account name (the same for all) and the password, otherwise we can't even see that there is data.
I don't know on what OS the server is running though.
Old Dec 9, 2009, 06:06 AM   #3
acurafan
macrumors 6502a
 
Join Date: Sep 2008
can you set it that SSID 1 can only forward port 80, 53 for guests?

i played with a similar device Symbol wireless AP with multiple SSID support, and ended up chucking it to our test lab; and setting up a separate VLAN on the cisco switches and moved all the guest DSL line and AP's to separate my networks.
Old Dec 9, 2009, 06:18 AM   #4
RedTomato
Thread Starter
macrumors 68040
 
Join Date: Mar 2005
Location: .. London ..
Spinnerlys - I'd rather have the LAN completely invisible to wifi guests, with not even computer names visible.

Thanks Acurafan - will try playing with the ports next time I'm in. Do you mean forward ports 80 (for http) and 53 (for dns) to the server IP address?

Another suggestion I read elsewhere was to find or buy a cheap wireless router, and connect it via the WAN port to the primary router. The firewall in the new, cheap router will cut off the LAN from the wifi.
Old Dec 9, 2009, 09:40 AM   #5
ramases
macrumors member
 
Join Date: Jan 2008
Does this help, from the Draytek faq?

http://www.draytek.co.uk/support/kb_...tiplessid.html
Old Dec 9, 2009, 11:26 AM   #6
RedTomato
Thread Starter
macrumors 68040
 
Join Date: Mar 2005
Location: .. London ..
Originally posted by ramases:
> Does this help, from the Draytek faq?
>
> http://www.draytek.co.uk/support/kb_...tiplessid.html

Hi, that's exactly what I referred to in my first post. The 'Isolate LAN' setting becomes worthless if the Draytek doesn't also handle the DNS and DHCP.
Old Dec 9, 2009, 02:48 PM   #7
mufflon
macrumors 6502
 
Join Date: Sep 2006
But then you need to set up a client for your private network that also acts as a dhcp server for your public access - this seems to me to be the only solution.
Old Dec 11, 2009, 08:09 AM   #8
powdR
macrumors newbie
 
Join Date: Nov 2006
@RedTomato

In your case, I would either solve it by creating a VLAN for the guest Wifi, or place it entirely outside the LAN zone altogether.

The Apple Airport Extreme has guest wifi VLAN built-in.

If that is not an option, I would put a small 10/100 ethernet switch between your hardware firewall and your DSL/fiber connection, and put the guest wifi router there. That way, it is completely on the outside. Some ISPs also provide a SHDSL/ADSL/Fiber router with two ethernet ports on the inside. One of my clients has one of those. I just asked the ISP to route a small network to the other port and created a private 172.1/28 net from there.

I would also upgrade the security mechanisms from WPA to WPA2 ENTERPRISE with RADIUS on your LAN zone wifi. I would also strongly consider creating certificates with Mac OS X server and deploying those to the clients that need secure Wifi access to your LAN. It's really easy. See Apple's PDF documentation for RADIUS for cook-book examples.

Just my $0.02 - good luck!

//Haakon Storm

Last edited by powdR; Dec 11, 2009 at 08:16 AM.
Old Dec 11, 2009, 12:41 PM   #9
Chris.L
macrumors 6502a
 
Join Date: Jan 2009
Location: UK
I had a look at that Draytek router and am now considering buying one.

With your problem though, as you have said, when you click the 'Isolate WLAN' option, the DHCP and DNS requests won't be passing through.

Is there an option on the Draytek to allow certain protocols through?

Can you assign a DHCP pool to that particular WLAN?

With Wireless Isolation Mode enabled, can you add a physical port to that configuration?

Obviously buying additional hardware won't be an option really as the Draytek can handle multiple SSIDs.

On an unrelated note, have you got the Wireless N model? I have read on the net that it doesn't play well with Macs. Have you got this Draytek configured to use 'N'? Does it work OK with your Mac on 'N'?
Old Jan 21, 2010, 08:20 AM   #10
RedTomato
Thread Starter
macrumors 68040
 
Join Date: Mar 2005
Location: .. London ..
Hello Chris,

Sorry it took me a while to reply.

To be honest, I don't have enough experience with the Draytek to be able to answer your questions. I don't work there full time, and this is low on my list of priorities.

> Can you assign a DHCP pool to that particular WLAN?

Don't know. Not on mine (I think), however, Draytek have come out with new firmware that enables better pool handling. I haven't yet installed it.

> With Wireless Isolation Mode enabled, can you add a physical port to that configuration?

Don't know, sorry. See above.

> On an unrelated note, have you got the Wireless N model?

Yes.

> Have you got this Draytek configured to use 'N'?

No.

> Does it work OK with your Mac on 'N'?

No idea. It works fine with my Macbook, but I have to leave the Draytek on mixed mode so that it works with the various old PC laptops. I don't really have time to kick people off and then set the router on N and test it with my Macbook. Sorry.

We had an issue with the router rebooting itself every 24 hours on the dot. At first I thought it was a firmware fault, however it seems to have been due to a clash between two DHCP servers on the same network. When I turned off the rogue DHCP server, the rebooting stopped.

Apart from that, it's been rock solid. I do have to say, it is not very user friendly. There is no help guide at all in the web interface, and you are generally expected to know what you're doing before you set anything.

I've skimmed through the 269 page manual that came on CD with it, and it wasn't amazingly helpful. You really do have to know your networking stuff when setting this up for anything technical. I guess if you're asking questions like what you were asking me, you'll be fine with it.
Old Oct 17, 2012, 02:58 PM   #11
strikerforce777
macrumors newbie
 
Join Date: Oct 2012
Had same issue - solved it

I was able to resolve this issue by setting a secondary DNS server entry (8.8.8.8 is Google's DNS) in DHCP options. When a device connects it gets an IP from the DHCP server and then is isolated from the network. If it only has the internal DNS server it cannot resolve any addresses. It needs an external DNS server set. Hence, DHCP -> scope options -> DNS -> add entry.
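Added example (not part of strikerforce777's post or of anyone's code in this thread): a Python check of the DNS list a DHCP scope hands out, evaluated as an isolated guest would see it. The addresses other than 8.8.8.8, the isolation model (a guest reaches only the router and non-LAN addresses), the guest-only scope and the function names are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

def reachable_from_guest(addr, lan_net, gateway):
    """Assumed isolation model: a guest reaches the router and anything
    outside the LAN subnet, but no other host on the LAN."""
    ip = ip_address(addr)
    return ip == ip_address(gateway) or ip not in ip_network(lan_net)

def audit_guest_dns(dns_servers, lan_net, gateway):
    """Check the DNS list of a DHCP offer as an isolated guest sees it.

    dns_servers is in scope order. Returns (usable resolvers, findings)."""
    usable = [d for d in dns_servers if reachable_from_guest(d, lan_net, gateway)]
    blocked = [d for d in dns_servers if d not in usable]
    findings = []
    if not usable:
        findings.append("no reachable resolver: guest gets an IP but cannot resolve names")
    elif dns_servers[0] in blocked:
        lead = dns_servers.index(usable[0])
        findings.append(f"{lead} blocked resolver(s) listed before {usable[0]}: "
                        "lookups may stall on timeouts first")
    for d in blocked:
        findings.append(f"internal resolver {d} is advertised to guests")
    return usable, findings

# Constructed sample values (only 8.8.8.8 comes from the thread).
LAN_NET = "192.168.1.0/24"
GATEWAY = "192.168.1.1"        # the router
INTERNAL_DNS = "192.168.1.10"  # the LAN server handling DNS and DHCP

SCOPES = {
    "internal DNS only": [INTERNAL_DNS],
    "internal + secondary 8.8.8.8": [INTERNAL_DNS, "8.8.8.8"],
    "hypothetical guest-only scope": ["8.8.8.8"],
}

if __name__ == "__main__":
    for name, dns in SCOPES.items():
        usable, findings = audit_guest_dns(dns, LAN_NET, GATEWAY)
        print(f"{name}: usable={usable}")
        for finding in findings:
            print("  -", finding)
```

A scope shared by staff and guests still shows guests the internal resolver's address; a guest-only scope, where the equipment supports one, avoids that.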
Old Oct 26, 2012, 05:47 PM   #12
RedTomato
Thread Starter
macrumors 68040
 
Join Date: Mar 2005
Location: .. London ..
Originally posted by strikerforce777:
> I was able to resolve this issue by setting a secondary DNS server entry (8.8.8.8 is Google's DNS) in DHCP options. When a device connects it gets an IP from the DHCP server and then is isolated from the network. If it only has the internal DNS server it cannot resolve any addresses. It needs an external DNS server set. Hence, DHCP -> scope options -> DNS -> add entry.

Thanks. Obvious now that you put it like that. However, I stopped working at the company I mentioned at the top of the thread nearly two years ago ...