I'd like to implement my guest network using a remotely located WAP for better coverage. Is there any way to have the guest network appear on one of the four 10/100/1000 Ethernet ports on the G1100 so I can wire it to the WAP? I'm looking for the same kind of isolation between the guest and regular networks that's provided by the WiFi Guest. I'd want to disable the WiFi Guest in the G1100 once I have it on the WAP.
04-04-2016 06:43 AM
Unfortunately from my experiences the G1100 is not advanced enough to handle segmenting individual LAN ports. I accomplish this myself using a pFsense router and a managed switch, but I don't believe the G1100 can do this on its own.
04-06-2016 08:24 PM - edited 04-06-2016 08:25 PM
I've read this a couple times, and I'm not clear on what it is you are trying to accomplish.
It took a bit of digging to find a G1100 User's Manual with Guest Wi-Fi mentioned. They must have a half-dozen versions of routers with the model number G1100. From what I can tell, Guest Wi-Fi just sets up a second, separate SSID (with its own password) that uses the same radios/channels as the "main" Wi-Fi.
What I think you are saying is that you want to run an Ethernet cable from one of the ports on the G1100 to the Ethernet port for the WAP. If that's the case, just give the WAP its own SSID and pass phrase. You could reuse what you have for the current guest network or just use a new SSID and password. The advantage here is that you are using a separate radio and can set separate channels so that the guest and main networks don't use the same ones. It's possible that the Guest Wi-Fi did that anyway.
You probably want to set up the WAP to have a static IP address (using the Add Static Connection option on page 165 of the manual in the link above) so that you can administer it remotely without the possibility of it getting a different DHCP address. (Most DHCP routers tend not to change IPs given to the same device if they can help it, but sometimes they do.)
This would give guests their own wireless LAN, but without many restrictions. You may want to limit what your guests can do, and it looks like using the access control (starting on page 96 of the manual linked above), you could do that by adding rules to deny everything except a few protocols (like port 80 and 443 for http and https, respectively) that you specifically allow. Unfortunately the manual appears to leave out some steps, and I don't have one of those to play with, so I can't be more specific.
04-07-2016 05:14 AM - edited 04-07-2016 06:21 AM
What the G1100 does with its built-in Guest WiFi (and what I want to accomplish using an Ethernet port and remote WAP) is put the Guest Network on a different subnet. I think it's 192.168.200.xxx. Anyone logged into the Guest WiFi is isolated from my private network and has no access to the resources on it: computers, printers, Sonos, Chromecast, etc. All they get is internet access.
The built-in Guest WiFi has two disadvantages that I’m looking to resolve:
* Coverage due to the G1100’s physical location -- hence my desire for a remote WAP.
* It shares capacity with my (private) network’s WiFi channel.
04-07-2016 12:16 PM
Thanks for the reply JustinG!!!
Is there any way you can supply a block diagram and details of your setup? Either post here or PM me.
Sorry, my setup is extremely complex and probably not what you're looking for. All I could really suggest at this point is use a different WiFi Router as the guest router, plug that into the G1100, and set some firewall rules on there to ensure that no one can access your LAN subnet.
04-07-2016 09:40 PM - edited 04-07-2016 10:12 PM
I don't think a WAP will be able to do what you want. A typical WAP is meant to bridge a network from wired (via the Ethernet cable) to wireless. It does not attempt to isolate the two. (In fact, it's the opposite.) What you really want is just a second wireless router that you can use to create a guest network. Such a router is often cheaper than a WAP anyways since WAPs have a more specific purpose and there's not as much competition in their pricing.
You can get just about any router you like as the second router so long as it has the wireless capabilities you want your guests to have. It could be 802.11ac or just 802.11n.
1. Hook a laptop or desktop to the second router and allow it to connect to the second router by DHCP. (Many routers come with their wireless radios switched off, so expect to connect with an Ethernet cable. That also avoids a couple potential problems of going the wireless route.)
2. Log into the second router's management page, go to the LAN settings and change the internal LAN to 192.168.200.x from whatever it is now. Technically, it just has to differ from the private LAN, so anything but 192.168.1.x is fine. Even 192.168.0.x. 200 is as good as any. As part of that, make sure the DHCP server gets changed as well. In most routers, the DHCP server is "slaved" to the LAN address you set. You just pick the last "octet" (.0-.255) range you want it to serve. The numbers .0 and .255 are reserved for network use (always) and .1 will be the address of the gateway - that is the second router itself. (There's typically a router reboot/reset after you commit those changes. You may have to do an ipconfig /release and ipconfig /renew to get a new IP address on the 192.168.200.x network for the laptop/desktop you are using to configure the second router.)
3. While you are in the Second Router, you may as well set up the wireless network settings to use a guest SSID and password of your choosing. You could enable the wireless network after that, too, if it's not already. (Turn on the transceiver radios.)
4. Connect the second router's WAN port (WAN port, WAN port - not one of the LAN ports) to one of the G1100's LAN ports (LAN port, not WAN port) via an Ethernet cable.
5. Log into the G1100 (from some other laptop or desktop probably) and statically assign an address on your internal, private LAN to the second router (which should show up once connected. You may have to match up MAC addresses to be sure.) The reason you want it to be static is so you can administer that second router from any device on your private LAN. It would be better if that didn't move around from time to time. That brings me to ...
6. On the Second Router, enable router administration via the external WAN port. Typically, you can only log into a router on a LAN port to perform administration. That keeps the script kiddies from trying to get in. However, in this case, you are the script kiddie. Every router I've ever used will let you enable remote administration (along with allowing PING and the like).
7. You could also set the Second Router to use a fixed (static) IP on the WAN side that matches whatever you statically assigned to it, but so long as the G1100 always gives the Second Router the same private IP address on the WAN side, it is not necessary.
8. Test some devices on the private and guest networks and make sure they can't see each other across the router.
9. Add any special routing rules/restrictions you want to the second router to further lock down your guests.
PS, the "WAPs" in the diagram above are the WAPs built into the wireless routers, not separate WAPs.
04-08-2016 05:09 AM
Thanks for the reply. I agree that a WAP alone would not do what I want. Ideally, the WAP would be connected to a managed switch that understands VLANs (can buy these for not too much $$) which then connects to a router that understand VLANs (unfortunately, the G1100 doesn’t). That setup would allow many types of custom network segmentation.
I’ve previously considered an idea like your proposal and will give it some more thought. A couple issues come to mind. Maybe you’ve already considered these:
* Clients on the Guest WiFi would get double Net Address Translation (NAT):
192.168.200.xxx <----> 192.168.1.xxx <----> Routable External IP Address
Maybe this isn’t a big deal.
* Since Clients on the Guest WiFi first get NATed to the 192.168.1.xxx network, wouldn’t the gateway function in the G1100 allow them to see the other resources on the (private) 192.168.1.xxx network?
Also, wondering if the secondary (guest) router should be placed in the G1100’s DMZ?
Appreciate your thoughts.
04-08-2016 08:10 AM - edited 04-08-2016 08:33 AM
I'll caveat this by saying setting up and managing VLANs is at the very edge of my understanding of networking.
That said, if you can get a managed switch with VLAN support and a router that understands VLAN tagging for less than the $70 - $80 another wireless router would cost, that could work. I know you can spend more than that on the wireless router, but given what you need it for, I don't see a need to. It depends on what wireless speeds you want. If you wanted to provide 802.11ac, you might spend $130 or so. If there's a possibility you would ever want to route between VLANs, you'd need a layer 3 switch. I think those switches start at $300+.
I assume you'd replace the G1100 with the new router or place the G1100 in bridge mode then, correct? So Verizon ONT to your new router (or G1100 in bridge mode and then G1100 to your new router). Two LAN ports from the router would go via Ethernet cables to the two VLANs on the managed switch. From the switch, one VLAN would be your private LAN and the other VLAN would be the guest LAN. Assuming your new router has wireless built in, set that up as the private WLAN. (I don't know if the G1100's WLAN would still function in bridge mode.) Connect your existing equipment to the private VLAN. Connect the WAP to the guest VLAN and set that up as the guest WLAN. That's pretty much it. There's certainly more flexibility going this way.
Assuming you see a placeholder for the image I uploaded (like I am), here's a link to the picture I uploaded. I have no idea what they are "reviewing ..." I see they finally finished reviewing it. Here is a larger version of the diagram: Two router setup It's a Visio diagram.
You are correct that the guest (W)LAN will be double NAT-ed, but for what you plan to use it for, that's not likely to be an issue. For simple access to the Internet via the guest (W)LAN, your guests would never notice the difference. The extra wrapping/unwrapping of NAT embedded in NAT is pretty insignificant for pretty much any router.
With double-NATed networks, an issue crops up if something on the guest network needs special routing. If you wanted to put some type of server on the guest network (something like a temporary gaming server for a weekend - perhaps an XBox or PS4 qualifies here, but I'm not sure) that would require port forwarding, you would need to add port forwarding to the G1100 (to forward to the second router's WAN address on the private network [192.168.1.2 in my example]) and also the second router (to forward from the WLAN side to the gaming server on 192.168.200.x). TL;DR - if the source of the Internet traffic comes from the WAN outside the network, but is directed to/intended for a machine within the LAN, special handling is required (always). I've seen some UPnP routers do a pretty good job getting port forwarding working on a device connected to their LAN or WLAN, but I'm not sure another router upstream would do likewise. Probably not.
A guest on the 192.168.200.x network had better not be able to see anything on the 192.168.1.x network or that firewall has serious issues. The manufacturer should be forced to eat their device. In your setup, the purpose of the firewall on the second router is to prevent traffic originating from the 192.168.1.x subnet (that the second router considers to be the WAN) from ever being seen on the 192.168.200.x network (that the second router considers to be the LAN). The exception is traffic that is specifically destined for the guest network (with a destination address of 192.168.1.2 in my example) that is in response to a request that originated within the guest LAN. (e.g., a request for https://www.google.com from a web browser on a guest's laptop). The NAT firewall will block everything else.
The reverse, however, is not true. Since all of the guest network traffic comes from/goes to a single IP address on the private network and travels through the 192.168.1.x network, you could set up something like Wireshark to snoop on all of the traffic to and from that IP address. Also, different routers have different approaches to what they will filter originating from the LAN with a destination address outside of the LAN. Things like DHCP requests and NetBIOS services are usually filtered. That is, you shouldn't see DHCP requests from the second router's LAN (192.168.200.x) on your private LAN (192.168.1.x), but you might see things like UPnP requests.
You could put the second router on the DMZ and that might avoid the issues with setting up port forwarding rules and other double NATed issues. It will still be double-NATed though. If you do put a device in a DMZ, you definitely want that device (e.g., router) to have a firewall equal to or better than the router's firewall. A DMZed device still has an ([a] statically assigned) IP address on the LAN.
As I was poking around trying to make certain I wasn't out of touch with the current reality, I looked at the Linksys WRT1200AC router at Newegg for $130. Looking more at the product pages at Linksys, I saw it supports a guest WLAN setup. More details about that here. As part of its Smart Wi-Fi support, if you "cascade" that router with an existing router, it's smart enough to recognize that and configure itself to make sure its LAN is a different subnet than the one it sees on the WAN port. (About time.)
I also ran across an older setup I drew in response to (I presume) a similar question. It involves using two routers connected to the ISP's router. You can see that here. It's effectively the same as the setup with VLANs you were thinking of. If you set the "private" router as the DMZ host, you probably avoid some of the port-forwarding issues from double-NATing. IIRC, that person wanted a public WiFi setup for their store and a private setup for their business side.
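As an added example (not posted by anyone in this thread), here is what step 9 of the two-router setup and the "set some firewall rules on there" advice look like in practice on the second (guest) router, assuming it runs a Linux firewall with iptables (OpenWrt-style). The interface names eth0/br-lan, the G1100 address 192.168.1.1 and the admin ports are assumptions; the script prints the rules for review and only loads them when run with --apply on the router itself.

```shell
#!/bin/sh
# Firewall rules for the second ("guest") router: 192.168.200.0/24 on the
# guest side, a G1100 LAN port (192.168.1.x) on its WAN side. Added example;
# interface names, gateway address and admin ports are assumptions.
WAN_IF="${WAN_IF:-eth0}"      # plugged into a G1100 LAN port (192.168.1.x side)
LAN_IF="${LAN_IF:-br-lan}"    # guest side: the guest SSID and the LAN ports
GUEST_NET="192.168.200.0/24"
UPSTREAM_GW="192.168.1.1"     # assumed G1100 address, reachable for DNS only
MAIN_LAN="192.168.1.0/24"     # the private LAN, allowed to reach the admin page
# Block every RFC 1918 range, not just 192.168.1.0/24, so renumbering the
# private LAN later cannot silently open a hole.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit the rules as commands (dry run) so they can be reviewed before loading.
guest_isolation_rules() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # Replies to guest-initiated connections may come back in; nothing else
    # from the 192.168.1.x side may start a connection into the guest LAN.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Guests need DNS; let them reach the upstream resolver on port 53 only.
    echo "iptables -A FORWARD -i $LAN_IF -s $GUEST_NET -d $UPSTREAM_GW -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $GUEST_NET -d $UPSTREAM_GW -p tcp --dport 53 -j ACCEPT"
    for net in $PRIVATE_NETS; do
        # The isolation rule: guest -> any private address is dropped before
        # the general guest -> Internet accept below ever sees the packet.
        echo "iptables -A FORWARD -i $LAN_IF -s $GUEST_NET -d $net -j DROP"
    done
    echo "iptables -A FORWARD -i $LAN_IF -s $GUEST_NET -o $WAN_IF -j ACCEPT"
    echo "iptables -P FORWARD DROP"
    # Admin page (step 6): reachable from the private LAN, never from guests.
    echo "iptables -A INPUT -i $WAN_IF -s $MAIN_LAN -p tcp --dport 443 -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp -m multiport --dports 22,80,443 -j DROP"
}

# Sanity check on the generated list: the DROP for the private ranges must
# precede the catch-all ACCEPT to the WAN, or it never matches anything.
rules_are_ordered() {
    guest_isolation_rules | awk -v drop="-d 192.168.0.0/16 -j DROP" -v acc="-o $WAN_IF -j ACCEPT" '
        index($0, drop) && !d { d = NR }
        index($0, acc)  && !a { a = NR }
        END { exit !(d && a && d < a) }'
}

if [ "${1:-}" = "--apply" ]; then
    guest_isolation_rules | sh
else
    guest_isolation_rules
fi
```

Step 8's test still matters after loading: from a guest client, connections to 192.168.1.x addresses should time out while Internet access works. Note that this does nothing about the snooping point raised above, since all guest traffic still crosses the private LAN through one IP address.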