

Neoprimal

join:2002-09-13
Alexandria, VA

3 edits

Some Advice (I need more robust guest network control)

Hey all, I'd just like a bit of advice on this. I have a few requirements, well - 1 or 2 main ones really.

[Updated to be easier to read]:

1. I don't want to have to set up another router or use ddwrt.
2. Nothing extraneous, please and kindly.

The part of this that's relevant is the first section. The next is for background, in case you're curious as to why I need this done.

Thanks in advance.

What I'm asking of you.

My question to the community is, do any of you own a router with a guest network that is detailed or thorough? I'm looking for something with similar functionality to opendns.com.

Important:

Easily monitor traffic, preferably by domain names. (So I can quickly see if they're going any place funky).

*Block certain websites by type, specifically vs. website name.
So for example, I know some routers can block the traffic by specifying torrent/p2p, etc. I would like to have this for the guest network.

Nice to have:
*Separate dns on the guest network. Note: if there was a router that allowed this, I wouldn't need to block traffic using the router, as I could delegate the task to opendns.

Monitor & cap Bandwidth on the guest network

In the time being, I am using opendns just to see if I have anything to be worried about for 2 weeks or so. I have I think 90 days to return the router...maybe less (I got it at Walmart, I don't remember their policy). I'd rather return it sooner than later though.

Here's the background.

I have some neighbors that recently moved in and requested access to my Wifi. It's a couple of them in a single apartment and they don't know how long they'll be there and don't want to pay the big bills for Comcast or deal with Clear (since they have to buy the device). They initially asked this about a month ago.

Yesterday one of them comes to me and asks if they can continue using it. They are still month to month and aren't sure when they'll be leaving. He asked if he could give me $20 to keep giving him access...(mind you, I never turned the access off, he approached me on his own).

I reluctantly agreed. I would feel awful saying, "sorry, you need to get your own so and so". The last month has been fine, they don't seem to be doing anything that affects my music or video streams, so I'm OK in that aspect. My data usage spiked a bit, as to be expected. At the time I had given them my main 2.4GHz wifi access. I'm not stupid, I know there are liabilities to sharing wifi which is why I've never opened mine to the public. Since this is going to seemingly be more long term than expected I decided to try to protect myself. I'm a bit paranoid. I really don't want to get in trouble for something they do using my IP. I got a router with guest access, which at the very least separates them from my local network. The problem is that the solution isn't as thorough as I'd like it to be.

I have never owned a router with guest access. I thought that there'd be independent logs and a way to block traffic or types of sites and such but there's none of that in what I got. I got the EA3500 by Cisco/Linksys. It is super basic, to say the least. I can't even change the guest network name, just the password.

Getting the router was super rushed. I got it the very evening he asked me. I'm aware there are many alternatives, but if I'm going to return this one, I want to make sure the next one has at least a few of the features I need. I haven't been able to source any reviews or youtube videos showcasing detailed guest network functionality....which leads me to ask here.


HELLFIRE
Premium
join:2009-11-25
kudos:16

1 recommendation

Look up smallnetbuilder.net or similar and search for any products with 'guest wireless' would be my thought.

Keep in mind, there is no one 'standard' (that I'm aware of anyways) that defines what constitutes a guest wireless.
Some vendors do a 2nd separate SSID, while others (can) do up to full isolation from the main wireless and LAN networks
and more.

So if I got your requirements list right :

Must Have :
- router which would allow you to put in separate dns addresses for the guest network via OpenDNS

Nice to Have :

- block all torrents on the guest network side of things.
- block anything that has the possibility of getting me in trouble or making me liable for something I did not perpetrate / content filtering
- traffic and bandwidth monitor
- something to give the guest network a speed and data cap

Another question is what kind of budget do you have in mind at this time? Maybe someone else can chime in, but you're
basically looking at a prosumer / low-end enterprise piece of gear to fill in the whole wishlist, which at a rough
guesstimate is about $300 - $500. Toss in a commercial content filter subscription (likely) and you may be looking at
a recurring annual fee just to shut out these freeloaders from doing something screwy on the web.

If you're a DIY kind of techie, you could probably do this with something like Untangle and a spare PC...

Just my 00000010bits.

said by Neoprimal:

I have some neighbors that recently moved in and requested access to my Wifi.

If you're REALLY paranoid about liability, should never have said yes in the first place, but it's a moot point now
if you're looking to go this far.

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Neoprimal

One way to discourage torrenting is by rate limiting or bw control.
A cheaper way to do this, albeit perhaps not the most comprehensive, is to look into DDWRT or Tomato or one of those 3rd party firmwares that work on many stock consumer routers. Look for the ones that have a hotspot type functionality, or guest SSID and BW management control.......



Neoprimal

join:2002-09-13
Alexandria, VA
reply to HELLFIRE

Thanks for the responses.

I made my list a little easier to read and checked out smallnetbuilder.com but it didn't help too much because it's not geared toward guest access really. Any true net architect is simply going to get what they want with a multi router setup or a business router (as you mentioned). I don't want to spend $300 or more for a router. I don't even want to spend $200, which is why I posted here.

I know there's no standard for the guest network. With all the routers out now, I was sure at least a few of them had really great guest access options. I was hoping I'd get lucky and someone who had a router that at least allowed some more flexibility with the guest access part of it would speak up. Maybe a router like that doesn't exist OR the right person hasn't come across this yet.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Your better bet is to research the third party firmwares, once you've got the version and firmware nailed down, then research which routers are compatible, and then at smallnet builder which is the better router of the bunch you've narrowed it down to.



SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5

1 recommendation

reply to Neoprimal

Curmudgeon alert...

Personally I would not share my connection with a neighbor, well known or otherwise. There are mobile month by month plans available for laptops, etc that would work for these folks if they don't want to install a more permanent solution or walk/drive down to a local public hotspot...
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

and I thought folks from Oklahoma were neighborly.


ipv6huh

join:2012-06-26
reply to Neoprimal

You're not going to find all those features in a single hardware/router/wirelessAP - the hardware is too memory/processor constrained to do all that.

I think you should be looking at separate products, connected to a router/firewall and access points that support multiple VLANs and therefore multiple SSIDs. Basically you create two networks like this:
VLAN1 - internal - SSID with WPA2
VLAN2 - public - SSID open and:
+ QoS bandwidth restrictions in your router/firewall
+ some other products/service for content control, for example:
dnsredirector.com
m86security.com
nortondns.com
opendns.com
untangle.com
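
An added example (not part of any post in this thread): one way to get the per-domain view of guest traffic the original poster asks for on a separate guest network like the one suggested above, assuming the guest gateway runs dnsmasq with `log-queries` enabled. The guest subnet 192.168.2.0/24 and the log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: subnet used by the guest VLAN/SSID (not a value from the thread).
GUEST_NET = ipaddress.ip_network("192.168.2.0/24")

# dnsmasq (log-queries) records each client lookup as:
#   "... dnsmasq[PID]: query[TYPE] NAME from CLIENT_IP"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)"
)

# Constructed sample log: two guest clients, one client on the private LAN.
SAMPLE_LOG = """\
Jul  2 20:01:11 gw dnsmasq[812]: query[A] www.example.com from 192.168.2.101
Jul  2 20:01:11 gw dnsmasq[812]: forwarded www.example.com to 208.67.222.222
Jul  2 20:01:12 gw dnsmasq[812]: reply www.example.com is 93.184.216.34
Jul  2 20:01:15 gw dnsmasq[812]: query[AAAA] www.example.com from 192.168.2.101
Jul  2 20:02:40 gw dnsmasq[812]: query[A] tracker.example.net from 192.168.2.102
Jul  2 20:02:41 gw dnsmasq[812]: query[A] mail.example.org from 192.168.1.10
Jul  2 20:03:02 gw dnsmasq[812]: query[A] Tracker.Example.NET. from 192.168.2.102
Jul  2 20:03:05 gw dnsmasq[812]: query[PTR] 101.2.168.192.in-addr.arpa from 192.168.2.101
Jul  2 20:03:09 gw dnsmasq[812]: query[A] cdn.example.com from not-an-ip
"""


def guest_domains(log_text, guest_net=GUEST_NET):
    """Return {guest_ip: {hostname: query_count}} from dnsmasq query lines."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply lines and other daemons
        try:
            client = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # malformed client field
        if client not in guest_net:
            continue  # private LAN traffic is out of scope here
        name = m["name"].rstrip(".").lower()  # normalise case and trailing dot
        if name.endswith(".arpa"):
            continue  # reverse lookups say nothing about sites visited
        per_client[str(client)][name] += 1
    return {ip: dict(counts) for ip, counts in per_client.items()}


if __name__ == "__main__":
    for ip, names in sorted(guest_domains(SAMPLE_LOG).items()):
        for name, count in sorted(names.items(), key=lambda kv: -kv[1]):
            print(f"{ip}  {count:4d}  {name}")
```

The log only covers guests that use the gateway's resolver; a client configured with its own DNS server will not appear unless outbound DNS from the guest network is restricted to the gateway.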


gaylordsecur

join:2012-07-02
reply to Neoprimal

Hey,
You should advises a hardware. It is best for you.


twixt

join:2004-06-27
North Vancouver, BC

1 recommendation

reply to Neoprimal

said by Neoprimal:

Hey all, I'd just like a bit of advice on this. I have a few requirements, well - 1 or 2 main ones really.

[Updated to be easier to read]:

My question to the community is, do any of you own a router with a guest network that is detailed or thorough? I'm looking for something with similar functionality to opendns.com.

[stuff deleted in the interests of brevity]

Here's the background.

I have some neighbors that recently moved in and requested access to my Wifi. It's a couple of them in a single apartment and they don't know how long they'll be there and don't want to pay the big bills for Comcast or deal with Clear (since they have to buy the device). They initially asked this about a month ago.

Yesterday one of them comes to me and asks if they can continue using it. They are still month to month and aren't sure when they'll be leaving. He asked if he could give me $20 to keep giving him access...(mind you, I never turned the access off, he approached me on his own).

I have never owned a router with guest access. I thought that there'd be independent logs and a way to block traffic or types of sites and such but there's none of that in what I got. I got the EA3500 by Cisco/Linksys. It is super basic, to say the least. I can't even change the guest network name, just the password.

Getting the router was super rushed. I got it the very evening he asked me. I'm aware there are many alternatives, but if I'm going to return this one, I want to make sure the next one has at least a few of the features I need. I haven't been able to source any reviews or youtube videos showcasing detailed guest network functionality....which leads me to ask here.

-

The most practical and inexpensive way to solve this problem is to have two routers - one for your own personal use and the other for guest use - connected to the same ADSL or Cable modem.

This solution is predicated on an ISP option - you will have to check with your ISP as to whether or not they can provide this.

-

Concept is as follows:

1. Does your ISP permit multiple external IP addresses on your modem? Some ISPs permit two external addresses.

What the above means is you can connect two routers to that modem and each router gets its own external IP. As a result, the two routers then operate with two separate external independent connections to the internet (which is what they are in logical terms as far as the routers are concerned).

The advantage to this is the two routers are utterly separate - as far as settings are concerned - no differently than if you were setting up the second router on a different account on an ADSL or Cable modem somewhere down the street.

All that changes in the two-IP scenario - compared to two separate accounts - is the bandwidth for the two routers on the same ADSL or Cable modem is limited to the maximum that particular ADSL or Cable modem can supply - as per the modem's operating profile which is set up when the modem connects to your ISP.

2. You then reuse your old existing router as router2 and your new router as router1. Each router can be configured independently with its own router-assigned DNS as you desire.

Note: Because the two routers are utterly separate, there will be no shared access between the two LANs. Thus, no printer sharing, media sharing, etc.

3. You require a simple network switch, which goes between your ADSL or Cable Modem and the Routers, which splits the ethernet cable connected to the Modem into the two cables connected to the WAN input on each of the two routers.

-

Obtaining the required switch:

1. Because the throughput of the switch in this situation is limited to the maximum bandwidth the ADSL or Cable modem can accommodate (this switch handles only the network traffic to the Internet - no LAN traffic goes through this device) - the switch does not have to be rated for GigE if your ISP profile for your ADSL or Cable modem is specified as less than 100Mb/s. (This is the case for all but the most expensive ISP connections.)

2. A simple 4-port 10/100 Ethernet Switch is all you require to obtain the abovementioned functionality. These are inexpensive and commonly available on Craigslist or Amazon or Ebay for under $15. The ASUS GX1005B is an example of what you are looking for.

-

Setup:

1. Once you have the switch and the two routers connected through the switch to the ADSL or Cable modem - you set up each router just as if it was the only router connected to the modem. Each router gets its own external IP - you confirm this in the status report for each router as you perform the setup for that particular router.

2. Set up router1 (use whichever of the two routers you wish) as your own "Main" personal router with your own personal SSID and password. This SSID and password is for your own personal use - and is not shared with the people staying with you.

3. Set up router2 as your "Guest" router. Set the router itself to use whatever DNS you specify. Thus, your "Guest" router has the desired security characteristics - and your "Main" router has the freedom-of-access you expect for your own use.

4. Set up your "Guest" router to have a separate SSID and password - which are different from those used for your "Main" router. Only the wireless connection SSID and password for the "Guest" router is shared with the people staying with you.

-

Considerations:

1. The scenario suggested above only works when your ISP permits your modem to obtain two independent IP addresses.

2. In most cases, the above is an exception - and you will have to contact your ISP to have your modem profile updated to permit the modem to grant two external IP addresses.

3. If you contact your ISP and the representative you are talking to goes "huh?" - you need to talk with someone more knowledgeable. Request escalation ("I need to talk with your supervisor") until you get hold of someone competent to discuss your situation.

4. If your ISP does not offer the desired option - check to see if a local competitor has the option you desire. If so, tell your current ISP their intransigence is a dealbreaker - and they are going to lose your business if they don't get off the stick and provide what you require. Threatening the ISP's wallet is always the most-effective way of obtaining what you want.

5. The particular procedure required to grant a separate IP to each of your two routers varies according to your ISP. Ensure you get the necessary information on how to set up your ADSL or Cable modem (if required) to ensure you get a separate external IP address for each of your two routers.

Hope this helps.


SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5
reply to Anav

said by Anav:

and I thought folks from Oklahoma were neighborly.

Neighborly only goes so far...
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

I think it's due to the spelling, you're missing a part of being neighboUrly.



HRM
God Bless America
Premium,MVM
join:2002-02-03
Darien, CT
kudos:1
reply to Neoprimal

Fatwallet had a wireless Buffalo wireless router for under $20 last week. (Buffalo router has dd wrt as stock firmware.)
Set it up as a gateway on a different subnet. That should be cheap and easy.

Edit
Lol@op post date ooops


cwcjr

join:2002-08-02
Huntsville, AL
Reviews:
·WOW Internet and..
·Knology
reply to Neoprimal

Not a recommendation, but just noting that the Netgear 3700 series does have routers with separate passwords and network names for 2.4 and 5 bands AND for 2.4 and 5 Guest. (You have to go into Advanced setup after using the Wizard to have separate passwords for 2.4 and 5) You have the options for WiFi isolation and from blocking Guest access to local network (wired and wireless) resources.

I just purchased it and am having some issues with not being able to specify different IP address ranges for local versus Guest, but you could implement that using IP address reservation for local resources. (For instance, my DHCP does not start at .2 and my network printer is under the DHCP starting point.)

Under $100 last weekend.

Interesting trick. Setup the Guest network using the security (SSID, security type and PW) of the old WiFi network and select to isolate it from the 'local' network. Now, everything WiFi still works and all your relatives and friends with your WiFi access don't have to change anything. Also, previous shared WiFi resources are still shared with Guests until you move it to the 'local' network and/or select wireless isolation.

For the main computers, create a new 'local' network with a different SSID and stronger/different security and passwords.
1) the old "Guests" still are.
2) the Shared resources that are moved to the new SSID, are now not shared with Guests but still shared 'locally'
3) Guest Internet access can be controlled separately, including time of day.

The particular router I bought has parental control capability, customizable for login groups and remotely controllable.

Just a thought...