I believe you should be natted in the rooftop radio or at least supply a router, and cut off the cable tabs so the customer requires a drawing pin to unplug the cable between the router wan port and the lan port of the poe injector.
On the ubnt radios (not sure about canopy) the nat works fine for voip and vpn's - and if a customer has any issues they can either phone you for a port forward, use upnp, or use the dmz.
Adding vlans and all that other stuff - how much extra administration is required to setup the customer?
I stay away from that. When the installer points a radio at an AP, it gets a private ip address and he can login through our walled garden/hotspot system to test it and have it working instantly.
Then i just log into the radio remotley from the office, give it a public /static private ip address on its wan and set our system to automatically authenticate by the ip address.
The beauty is that customers can still talk to each other - for gaming etc. But they are protected at the rooftop by the NAT firewall and from plugging a dhcp server into our network etc.
here is a rundown of what i posted in the ubnt forums a while ago that explains my natting procedure
The rooftop radio is the primary gateway.
WLAN is their public ip address
LAN is their gateway address
Then in the rooftop radio i set the following port forwards
x.x.x.x:8080 = radio managment port
x.x.x.x:8082 > 10.1.1.2:80
x.x.x.x:8083 > 10.1.1.3:80
x.x.x.x:8084 > 10.1.1.4:80
x.x.x.x:DMZ > 10.1.1.254 (for xboxes / ps2's / servers before upnp)
And uPnp is enabled.
The DHCP range is 10.1.1.20 - 10.1.1.40 with a lease time of 32000 seconds.
Now if the customer decides they want a wireless router, i have airrouters preprogrammed with an SSID and password and a sticker on the front with a company logo, phone number, and the password. I just get the courier to pick one up and deliver it to the customer's home with their normal mail.
The preprogrammed airrouters are in bridge mode and are set to either 10.1.1.2 (master) or 10.1.1.3 (slave)
The master routers have a diagram that shows you how to plug it in between the cable coming into the house from the roof, and the desktop computer if they have one.
The slave routers come with a 40m length of cat5 cable for them to install themselves if they want, and a diagram showing them how to plug the router into the master router.
Both air routers are just in bridge mode with an ip address of 10.1.1.2 and 10.1.1.3
The idea is that i have simply turned them into a dumb switch and access point with no internal routing enabled. I can then manage them through the port forwards on the rooftop radio.
If they want a telephone line, i just courier them a linksys voip ata preprogrammed to 10.1.1.4 (primary) or 10.1.1.5 (secondary)
So with the port forwarding set, i can login and edit router settings if a customer needs assistance, or if i need to update firmware.
If they have a printer, it usually gets set to 10.1.1.50 or 10.1.1.51 however i dont manage those - but will set them to those static ip's at the time of installation.
Customers are forced to use our internal ip address scheme within their homes.
If they want to use their own, they must buy their own router, and set its wan interface to the 10.1.1.254 so it gets a "transparent" connection to the internet by means of the DMZ set in the rooftop radio. They can then manage their own ip addresses, dhcp and port forwards with their own router.
However if a customer buys their own routers, we will not support them. Telephone support involves plugging the incoming cable directly into a computer and checking if it gets issued an ip address in the 10.1.1.x range, and if internet works. If it does, they sort out their own router problems or pay us to come out and have a look.
I do have a few people who dont realise we sell routers (because they dont regularly visit the data usage meter page to see our news and latest pricing)
Its easy enough for us. A typical router (tp-link / linksys) sells for NZ $89 in the local walmart equivalant. Our airrouters sell for $99 for a master, and $139 for a slave airrouter, or $149 for a slave pico which includes the 40m cable.
If a customer buys a slave router, we will happily log in remotley and duplicate the ssid and password settings from their master for seamless roaming around the house.
Oh also a note on channels.
Some of our areas use 2.4ghz rooftop radios. So master routers are set to channel 6, and slave ones are set for channel 9 - a slight overlap. This frees up channel 1 and channel 13 for the rooftop radios to talk to the tower.
Master and slave are just advertising terms to make it easy for customers to understand the concept and order the right one so we dont have ip conflicts on their local network.
If they have a bridge between their garden shed and the house or other buildings, they are 10.1.1.6 to 10.1.1.19 - with custom port forwards to suit in the same format as above. A diagram is drawn on paper and scanned into their customer notes on the office computer for remote support reference. It is printed, re-drawn and scanned on subsequent visits for layout changes such as adding a new radio link to another building. We have some houses with just a simple bridge out to the garage where they have their rooftop radio mounted for line of sight reasons. Others have links from the garage to shepards quarters and other cabins around the property for farm staff use.