How to separate guest wifi access from our LAN?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by RedTomato, Dec 9, 2009.

  1. macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #1
    Hiya

    I have a DrayTek Vigor 2820n wifi router, which is a nice bit of gear, and comes with the ability to have 4 separate wifi SSIDs.

    I'm running into a bit of a problem actually using them, probably because of my limited knowledge.

    SSID 1 is our guest wifi, secured by WPA, password available to any of our clients and visitors.

    SSID 2 is our work wifi channel, again with WPA. Only staff have this.

    The problem is users on SSID 1 can also see our LAN, which is not good. I want guest users on SSID 1 to only have access to the internet, nothing else. How?

    There's a setting on the Draytek to isolate LAN from any wifi SSID, but when I activate that, I can't access the internet through the wifi. I think it's because DNS and DHCP are being handled by the server, not the Draytek.

    That means when a user connects to the wifi, the Draytek won't give out an IP address, and it won't let the user connect to the server to get an IP address either. But I don't want to let guest wifi clients connect to the server :)

    Any ideas?
     
  2. Guest

    spinnerlys

    Joined:
    Sep 7, 2008
    Location:
    forlod bygningen
    #2
    Can't you password protect the server or the folder lying around there?

    We also have wifi at work which gives us access to the internet and our server, but we can only access the files on the server if we enter the account name (the same for all) and the password, otherwise we can't even see that there is data.
    I don't know on what OS the server is running though.
     
  3. macrumors 6502a

    Joined:
    Sep 16, 2008
    #3
    Can you set it so that SSID 1 can only forward ports 80 and 53 for guests?

    I played with a similar device, a Symbol wireless AP with multiple SSID support, and ended up chucking it to our test lab, setting up a separate VLAN on the Cisco switches and moving all the guest DSL lines and APs there to separate my networks.
     
  4. thread starter macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #4
    Spinnerlys - I'd rather have the LAN completely invisible to wifi guests, with not even computer names visible.

    Thanks Acurafan - will try playing with the ports next time I'm in. Do you mean forward ports 80 (for http) and 53 (for dns) to the server IP address?

    Another suggestion I read elsewhere was to find or buy a cheap wireless router, and connect it via the WAN port to the primary router. The firewall in the new, cheap router will cut off the LAN from the wifi.
     
  7. macrumors 6502

    Joined:
    Sep 15, 2006
    #7
    But then you need to set up a client for your private network that also acts as a DHCP server for your public access - this seems to me to be the only solution.
     
  8. macrumors newbie

    Joined:
    Nov 1, 2006
    #8
    @RedTomato

    In your case, I would either solve it by creating a VLAN for the guest Wifi, or place it entirely outside the LAN zone altogether.

    The Apple Airport Extreme has guest wifi VLAN built-in.

    If that is not an option, I would put a small 10/100 ethernet switch between your hardware firewall and your DSL/fiber connection, and put the guest wifi router there. That way, it is completely on the outside. Some ISPs also provide a SHDSL/ADSL/Fiber router with two ethernet ports on the inside. One of my clients has one of those. I just asked the ISP to route a small network to the other port and created a private 172.1/28 net from there.

    I would also upgrade the security mechanisms from WPA to WPA2 Enterprise with RADIUS on your LAN zone wifi. I would also strongly consider creating certificates with Mac OS X Server and deploying those to the clients that need secure wifi access to your LAN. It's really easy. See Apple's PDF documentation for RADIUS for cook-book examples.

    Just my $0.02 - good luck!

    //Haakon Storm
     
  9. macrumors 6502a

    Chris.L

    Joined:
    Jan 8, 2009
    Location:
    UK
    #9
    I had a look at that Draytek router and am now considering buying one :p

    With your problem though, as you have said, when you click the 'Isolate WLAN' option, the DHCP and DNS requests won't be passing through.

    Is there an option on the Draytek to allow certain protocols through?

    Can you assign a DHCP pool to that particular WLAN?

    With Wireless Isolation Mode enabled, can you add a physical port to that configuration?

    Obviously buying additional hardware won't be an option really as the Draytek can handle multiple SSIDs.

    On an unrelated note, have you got the Wireless N model? I have read on the net that it doesn't play well with Macs. Have you got this Draytek configured to use 'N'? Does it work OK with your Mac on 'N'?
     
  10. thread starter macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #10
    Hello Chris,

    Sorry it took me a while to reply.

    To be honest, I don't have enough experience with the Draytek to be able to answer your questions. I don't work there full time, and this is low on my list of priorities.

    > Can you assign a DHCP pool to that particular WLAN?

    Don't know. Not on mine (I think), however, Draytek have come out with new firmware that enables better pool handling. I haven't yet installed it.

    > With Wireless Isolation Mode enabled, can you add a physical port to that configuration?

    Don't know, sorry. See above.

    > On an unrelated note, have you got the Wireless N model?

    Yes.

    > Have you got this Draytek configured to use 'N'?

    No.

    > Does it work OK with your Mac on 'N'?

    No idea. It works fine with my MacBook, but I have to leave the Draytek on mixed mode so that it works with the various old PC laptops. I don't really have time to kick people off and then set the router on N and test it with my MacBook. Sorry.

    We had an issue with the router rebooting itself every 24 hours on the dot. At first I thought it was a firmware fault, however it seems to have been due to a clash between two DHCP servers on the same network. When I turned off the rogue DHCP server, the rebooting stopped.

    Apart from that, it's been rock solid. I do have to say, it is not very user friendly. There is no help guide at all in the web interface, and you are generally expected to know what you're doing before you set anything.

    I've skimmed through the 269 page manual that came on CD with it, and it wasn't amazingly helpful. You really do have to know your networking stuff when setting this up for anything technical. I guess if you're asking questions like what you were asking me, you'll be fine with it.
     
  11. macrumors newbie

    Joined:
    Oct 17, 2012
    #11
    Had same issue - solved it

    I was able to resolve this issue by setting a secondary DNS server entry (8.8.8.8 is Google's DNS) in DHCP options. When a device connects it gets an IP from the DHCP server and then is isolated from the network. If it only has the internal DNS server it cannot resolve any addresses. It needs an external DNS server set. Hence, DHCP -> scope options -> DNS -> add entry.
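An added example, not from any poster in this thread, that models the guest-isolation policy the replies converge on (posts #3, #8 and #11): guests may obtain a DHCP lease and resolve names through the router, are cut off from the LAN (including the office DNS server, which is why an external resolver has to be handed out), and reach the internet only on a few ports. All addresses are constructed; the thread never states its own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumed for the example, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")          # office LAN with the server
GUEST = ipaddress.ip_network("192.168.50.0/24")       # guest SSID / VLAN
INTERNAL_DNS = ipaddress.ip_address("192.168.1.2")    # server doing DHCP/DNS for staff
GUEST_GATEWAY = ipaddress.ip_address("192.168.50.1")  # router interface on the guest VLAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def guest_policy(flow: Flow) -> str:
    """Decide 'allow' or 'drop' for a flow seen on the guest interface. First match wins:
    1. DHCP discover/request to broadcast or to the gateway: allow, else no lease is ever issued.
    2. DNS to the guest gateway's own forwarder: allow.
    3. Anything to the LAN, to another guest, or to any other private range: drop.
    4. Web and DNS to the internet: allow.  5. Everything else: drop."""
    src = ipaddress.ip_address(flow.src)
    if src not in GUEST:
        return "drop"                      # only guest-originated traffic is governed here
    if flow.proto == "udp" and flow.dport == 67 and flow.dst in ("255.255.255.255", str(GUEST_GATEWAY)):
        return "allow"
    dst = ipaddress.ip_address(flow.dst)
    if dst == GUEST_GATEWAY and flow.proto == "udp" and flow.dport == 53:
        return "allow"
    if any(dst in net for net in RFC1918):
        return "drop"                      # covers LAN, INTERNAL_DNS and guest-to-guest
    if (flow.proto, flow.dport) in INTERNET_PORTS:
        return "allow"
    return "drop"


def audit(flows):
    """Evaluate a batch of flows; returns {flow: decision} for review."""
    return {f: guest_policy(f) for f in flows}
```

A guest pointed only at the internal server's DNS hits rule 3 and gets no answers, which is the symptom post #11 fixed by adding 8.8.8.8 to the DHCP scope options.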
     
  12. thread starter macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #12
    Thanks. Obvious now that you put it like that :) However I stopped working at the company I mentioned at the top of the thread nearly two years ago :eek: ...
     
