NETWORK ISSUE - I hope I posted this in the right place



I need some help because I have either over-thunk things and my brain is mush, or I am just over-thinking it. Here is my set-up.

 

I have a wireless AP for outdoors to service the people who are around the pool. I do not want "guests" browsing the network (local LAN). We have a DVR, Comcast Gateway, and laptop on the LAN, wired with static IPs. What config can I deploy, even if I have to purchase a new router to put in between the gateway (Comcast) and my AP, to NOT ALLOW wireless clients of the AP to access "wired resources"?

 

I do not know why I am so stumped. 


Since this is a network setup question and is not specifically related to Windows, thread moved from Windows Support to Internet, Network & Security section.


12 minutes ago, RottGutt said:

If your router supports it, it should be as simple as enabling the Guest network and allowing your "guests" to only connect to it.

 

https://fieldguide.gizmodo.com/how-to-give-guests-to-access-your-wi-fi-without-exposin-1777526975

This would be the "easiest" method, if your router or gateway's radio reaches to the pool (I'm assuming it doesn't very well, since you have an AP to address that area).

You mentioned not being opposed to buying a router, where you would turn your Comcast gateway into a modem basically (letting the router hand out IP addresses, maybe even the firewall, depending on your gateway).
Pretty sure most decent routers nowadays have a guest network ability.  **I am not familiar with the Comcast gateways, so I do not know if your DVR and other STB would have an issue with this.**

Another thing you can consider is simply replacing the AP with one that has a guest mode.  Ubi, Meraki, can do this in spades - but it might be overkill.


13 minutes ago, T3X4S said:

This would be the "easiest" method, if your router or gateway's radio reaches to the pool (I'm assuming it doesn't very well, since you have an AP to address that area).

You mentioned not being opposed to buying a router, where you would turn your Comcast gateway into a modem basically (letting the router hand out IP addresses, maybe even the firewall, depending on your gateway).
Pretty sure most decent routers nowadays have a guest network ability.  **I am not familiar with the Comcast gateways, so I do not know if your DVR and other STB would have an issue with this.**

Another thing you can consider is simply replacing the AP with one that has a guest mode.  Ubi, Meraki, can do this in spades - but it might be overkill.

The AP DOES have a Guest Network that hands out IPs on a different subnet, AND works great, BUT I am unable to apply a schedule of off/on times to that guest network. We do not want people leeching all night.

Budget is tight for this, and I did buy a TP-Link router: GB LAN, no wireless. I was thinking of putting this in between my edge, which is a Comcast Biz router, and the AP.

 


11 minutes ago, astralbaby said:

The AP DOES have a Guest Network that hands out IPs on a different subnet, AND works great, BUT I am unable to apply a schedule of off/on times to that guest network. We do not want people leeching all night.

Budget is tight for this, and I did buy a TP-Link router: GB LAN, no wireless. I was thinking of putting this in between my edge, which is a Comcast Biz router, and the AP.

 

"Leeching all night"? Do you have a data usage plan on your home internet? Are you in the US? I apologize, but I have not heard of data usage plans on home internet since... well, the dialup days, I think.

But honestly, I could not think of a scenario where people would "leech all night"; it's not like internet access is a rarity where someone would take advantage of it.

If you care to explain - ?


18 hours ago, T3X4S said:

"Leeching all night"? Do you have a data usage plan on your home internet? Are you in the US? I apologize, but I have not heard of data usage plans on home internet since... well, the dialup days, I think.

But honestly, I could not think of a scenario where people would "leech all night"; it's not like internet access is a rarity where someone would take advantage of it.

If you care to explain - ?

I am on a business connection. I am on the board of our HOA. When the park closes, it closes: pool, wifi, everything. I am on a commercial-grade AP that has good coverage. Thanks, I am in the US. I do not want a WIFI network up all night after and before pool hours. It is a luxury for the homeowners.

 

If I put my new Tp-Link router between the gateway and AP, could I somehow restrict wireless clients from attempting to access our DVR system, laptop, and Comcast Gateway? In other words.. our local LAN

 


 

11 hours ago, astralbaby said:

I am on a business connection. I am on the board of our HOA. When the park closes, it closes. Pool, wifi everything.  I am on a commercial grade AP that has good coverage.

I am going to ask the same question as DaveLegg: what AP is this? If this is a commercial/business setup, your AP should have different SSIDs tied to different VLANs; your "guest" VLAN would be set to not have any access to stuff you don't want it to have access to, and you would use a different SSID/VLAN to have wireless stuff connect to stuff you need it to connect to, etc.

 

11 hours ago, astralbaby said:

Tp-Link router

Why would you be using such SOHO user stuff if this is a business sort of setup? And you have a real AP?? This can be done really on the cheap: a smart switch that does VLANs can be $30, an AP that does VLANs (UniFi, $90), and then a router/firewall. So what router are you using now?? When you want to isolate/firewall different networks, it's time to move away from the home user wifi router stuff. Something as cheap as a pfSense SG-1000 ($149) would work, or UniFi makes their security gateway for $120.

 

What exact hardware are you working with? What router, what switch, what AP? I'd be happy to tell you if you can isolate or not, and how to isolate with VLANs on the cheap, or not so cheap if you have a real budget, etc.


59 minutes ago, BudMan said:

What exact hardware are you working with? What router, what switch, what AP? I'd be happy to tell you if you can isolate or not, and how to isolate with VLANs on the cheap, or not so cheap if you have a real budget, etc.

I think he can isolate just fine with the AP; it's a time schedule he wants to limit it by, which he has no options/control over in the AP.


12 minutes ago, xendrome said:

I think he can isolate just fine with the AP; it's a time schedule he wants to limit it by, which he has no options/control over in the AP.

That's why we want to find out what the AP is.


9 hours ago, xendrome said:

I think he can isolate just fine with the AP

And you know this how? He has not stated what AP he has, and if he doesn't have the rest of the infrastructure to support VLANs, if his "AP" is not at the edge of his network, how is he going to isolate it with a "guest" network like many a SOHO router does?


On 5/19/2017 at 11:45 PM, astralbaby said:

The AP DOES have a Guest Network that hands out IPs on a different subnet, AND works great, BUT I am unable to apply a schedule of off/on times to that guest network. We do not want people leeching all night.

Budget is tight for this, and I did buy a TP-Link router: GB LAN, no wireless. I was thinking of putting this in between my edge, which is a Comcast Biz router, and the AP.

 

If the guest network is only from the AP and indoors, you can get a smart plug that you can schedule to turn it on and off at certain times. It's a bit of a wonky solution, but it should work.


13 minutes ago, BudMan said:

And you know this how? He has not stated what AP he has, and if he doesn't have the rest of the infrastructure to support VLANs, if his "AP" is not at the edge of his network, how is he going to isolate it with a "guest" network like many a SOHO router does?

Well, I read all the posts...

 

"The AP DOES have a Guest Network that hands out IPs on a different subnet, AND works great, BUT I am unable to apply a schedule of off/on times to that guest network."


A different subnet is not a different VLAN. That is just running multiple layer 3 over the same layer 2, so it's not really isolating anything.

 

Knowing what AP he is using will allow us to know how to answer both his isolation and his schedule question.

 

I also read all of the posts, and the "works great" is contradicted by this statement:

 

"If I put my new Tp-Link router between the gateway and AP, could I somehow restrict wireless clients from attempting to access our DVR system, laptop, and Comcast Gateway"

 

Which is after his other post about the guest network and different IPs. So which is it?


4 weeks later...

Hey everyone. I wanted to share my solution. I am also sorry that I did not update this sooner. I appreciate all the help, and having even attracted the likes of BudMan, I feel even more compelled to share. :)

 

For the pool WIFI we are using the EnGenius ENH220EXT AP. It does support VLAN, but I haven't a router to utilize.

The AP has DHCP turned off, and is setup on the LAN static at 192.168.0.10

The AP is running behind a TP-Link TL-R600VPN. DHCP is turned on and it is handing out IP addresses to the wireless LAN. The AP is the only thing connected to this router. I have set up the router so only the local laptop can hit and open the web GUI.

I have the TP-LINK running behind a Comcast Business Gateway. 

 

I have my DVR system, laptop connected to the Comcast business Gateway.

 

I wanted to be able to administrate the entire setup remotely also.

 

I RDP into my laptop, then from there I can hop over to my 192.168.0.x network to admin the AP and TP-Link, and I can also admin the DVR and Comcast Gateway on the 10.1.10.x network.

 

I am able to do this by using the onboard NIC on the laptop, and a USB Network dongle for the other network. 

 

 

 


1 hour ago, astralbaby said:

I RDP into my laptop

From the public internet? Wow, that is a bad idea, opening up RDP to the public internet.

 

You're just double-NATing. This doesn't stop any wireless network from accessing your 10.x network on the front of your NAT, unless you have some firewall rules in your TP-Link that prevent them.

 

 

 


39 minutes ago, BudMan said:

From the public internet? Wow, that is a bad idea, opening up RDP to the public internet.

You're just double-NATing. This doesn't stop any wireless network from accessing your 10.x network on the front of your NAT, unless you have some firewall rules in your TP-Link that prevent them.

 

 

 

I know, BudMan. I did change the listening port for RDP. I know security by obscurity is not best practice.

I would be interested, of course, in a firewall rule that I could implement on the TP-Link.

 

I could perhaps VPN over RDP. That was my next step. 


Yes, you should VPN in if you need remote access, as long as it's a secure VPN; PPTP, for example, would be pointless as well.

 

That router is horrible!! It says gig router but only has 120 Mbps throughput with NAT? Guess you could use IPsec into it; that is only 20 Mbps. What a POS. No VLAN support?

 

You can create some access rules to block access to your 10 network from anything on that wifi network other than your machine.

 

Your AP supports VLANs. Get a switch that supports VLANs and a real router. All of which can be done cheap! It doesn't have to be expensive. Do you have a PC laying around? It doesn't have to be fast; put in a couple of NICs and install, say, pfSense on it, and there you go. Get a smart switch for $30 that does VLANs, and then you can do this correctly.

 

 

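The two points BudMan makes above (double NAT by itself does not keep the 192.168.0.x guests off the 10.1.10.x wired LAN; a different subnet on the same layer 2 is not isolation) are easiest to see in an actual ruleset. The following is an added example, not code from the thread, from TP-Link or from EnGenius: an nftables ruleset for a Linux box with two NICs (the "old PC with a couple of NICs" BudMan suggests) placed exactly where the TP-Link sits, with the AP cabled to one port and the Comcast gateway to the other. The 192.168.0.0/24 guest network and 10.1.10.0/24 wired network are the ones astralbaby posted; the interface names, the admin laptop address and the opening hours are assumptions and can be overridden through the environment. It covers what the thread asked for and the TP-Link could not: guests blocked from the wired LAN, management only from the admin laptop, and Internet for guests only during pool hours, enforced by the firewall's own clock rather than a smart plug.

```shell
#!/bin/sh
# Added example, not code from the thread or from TP-Link/EnGenius: an
# nftables ruleset for a Linux router with two NICs sitting where the
# TP-Link sits. 192.168.0.0/24 (guest) and 10.1.10.0/24 (wired) are the
# subnets posted in the thread; interface names, the admin laptop address
# and the pool hours are assumptions, overridable via environment variables.
set -eu

GUEST_IF="${GUEST_IF:-eth1}"            # assumed: NIC cabled to the EnGenius AP
LAN_IF="${LAN_IF:-eth0}"                # assumed: NIC cabled to the Comcast gateway
GUEST_NET="192.168.0.0/24"              # from the thread: pool wireless clients
LAN_NET="10.1.10.0/24"                  # from the thread: DVR, laptop, gateway
ADMIN_HOST="${ADMIN_HOST:-10.1.10.20}"  # assumed: the wired laptop used for admin
OPEN_AT="${OPEN_AT:-08:00}"             # assumed: park opens
CLOSE_AT="${CLOSE_AT:-21:00}"           # assumed: park closes

# Print the ruleset instead of applying it directly, so it can be reviewed
# and syntax-checked with "nft -c" before it touches the box.
guest_ruleset() {
    cat <<EOF
flush ruleset

table inet poolwifi {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Guests never reach the wired LAN. Double NAT alone does not do this;
        # without this rule 192.168.0.x clients route to 10.1.10.x freely.
        iifname "$GUEST_IF" ip daddr $LAN_NET drop
        # Nor any other private range that may sit behind the gateway.
        iifname "$GUEST_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

        # Only the admin laptop may cross over to manage the AP (192.168.0.10).
        iifname "$LAN_IF" ip saddr $ADMIN_HOST oifname "$GUEST_IF" accept

        # Internet for guests only while the park is open; the drop policy
        # covers every other hour, so the schedule needs no cron job.
        iifname "$GUEST_IF" oifname "$LAN_IF" meta hour "$OPEN_AT"-"$CLOSE_AT" accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Guests get DHCP and DNS from this router and nothing else.
        iifname "$GUEST_IF" udp dport { 67, 53 } accept
        iifname "$GUEST_IF" tcp dport 53 accept

        # Router management only from the admin laptop on the wired side.
        iifname "$LAN_IF" ip saddr $ADMIN_HOST tcp dport { 22, 443 } accept
    }
}

# The same double NAT the TP-Link performs, so the gateway sees one address.
table ip poolnat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$LAN_IF" ip saddr $GUEST_NET masquerade
    }
}
EOF
}

# Syntax-check, enable forwarding, then load. Needs root and an nftables
# recent enough for "meta hour" (0.9.3 or later with a 5.4+ kernel).
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    guest_ruleset | nft -c -f -
    sysctl -q -w net.ipv4.ip_forward=1
    guest_ruleset | nft -f -
}

# Default action is to print the ruleset; pass --apply (as root) to load it.
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    guest_ruleset
fi
```

Three caveats a practitioner would want. First, these rules only help because the AP hangs off its own router port, so every guest packet toward the wired side must cross the router; if the guest SSID instead shared a switch with the DVR, a client could give itself a 10.1.10.x address and never touch the router at all, which is BudMan's layer 2 versus layer 3 point, and only VLANs (set GUEST_IF to a tagged subinterface such as one created with `ip link add link eth0 name eth0.20 type vlan id 20`, trunked to the AP's guest SSID) fix that. Second, for the admin cross-over rule to matter, the laptop needs a route to 192.168.0.0/24 via the router's 10.1.10.x address, the same hop astralbaby achieves with the second NIC. Third, the schedule cuts Internet access, not the radio: the SSID stays visible after hours, so if the goal is no WIFI at all, the smart plug suggestion earlier in the thread still has a place. Check the loaded schedule with `nft list ruleset`, since nft converts the hours to the system's local timezone.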
