4

I'm trying to upgrade my home network, which involves upgrading to gigabit and 802.11n and adding several APs. But I'd also like to update the security. Currently I have WPA(1) personal with a password because I have a few devices that can't handle WPA2 or even AES. I'd like to split the network between a WPA2-Enterprise (with RADIUS) segment and an unsecure segment that is rate-limited and restricted and requires a "secure" user to generate a code. The legacy devices would be whitelisted and moved to that network where they'd be allowed to make their device-specific requests (so MAC spoofing wouldn't work)

I'm not worried about that stuff. What I am worried about is both presenting both SSIDs from the same device and segregating the broadcast domains. I know I need a VLAN to do this, but managed switches are... not in the budget.

So here's the question - I want to keep the two WLANs separate. I can set up the APs to tag each SSID with a different VLAN, but without switches that explicitly handle VLANs, can I segregate the broadcast domains? If not, what would happen - would the network work as if both SSIDs connected to the same segment, or would it not work at all? If this wouldn't work, is there any way to "tunnel" one of the SSIDs' traffic to my Linux server/router to achieve the same effect?

More information -

I have yet to buy the APs, but I was planning on getting one that could run DD-WRT or OpenWrt or similar (Linux-based). They would be connected via unmanaged gigabit switches; unfortunately I don't have home runs to a wiring closet (which would make this easy!) as this was a "retrofit" installation in an old house. My server can handle VLANs, and the switches should pass tagged packets but won't do any discrimination based on their content (right?)

Robert
  • 143
  • 4
  • 1
    moreinfo. What is the AP (is it running Linux ?) ? How is it connected to your Linux server/router ? Does your Linux server/router has a network card capable of handling VLANs ? – BatchyX Mar 04 '13 at 20:22
  • Is it not feasible to simply put your broadcast domains on separate subnets? Like 192.168.1.0/24 is your 'internal' traffic, and 192.168.2.0/24 is the 'unsecured' portion? Then allow your server to route between the two as you see fit? This is assuming your APs allow for multiple SSIDs(which I assume they do). – Lee Harrison Mar 04 '13 at 21:23
  • @LeeHarrison Thanks, that's a great idea and would certainly work with my equipment. Good thing I'm not a professional network admin because that hadn't occurred to me! However is there any way to prevent a user from getting "out" of this subnet? Couldn't a user just give himself a 192.168.1.0/24 address and be in the "protected" subnet, or would the AP be able to prevent this? – Robert Mar 04 '13 at 21:30
  • I'm not entirely sure, I've never tried a setup like this. I would think that if the user was connected to the 'unsecured' network and changed their IP, their traffic wouldn't route since their default gateway wouldn't be correct(since they didn't pull it from DHCP). So possibly picking a 'random' IP address for your AP gateway might be enough to frustrate most users into guessing it. If they correctly log into the AP, DHCP will fill the gateway in for them. This is an inhierently unsecure way to do this, but if its for home use(and cheap!) it is probably sufficent. – Lee Harrison Mar 04 '13 at 21:40

2 Answers2

1

There are quite a few routers that will do what you want.

They are able to create VLANs and multiple SSID's. AFAIK, the Billion 7800N router that I use can do this quite happily.

You might be able to do it with one of the better Wi-Fi repeater/extender's such as those from Edimax. The EW-7416APN Edimax repeater that I use can certainly do it although it can only assign each SSID to a VLAN ID, it can't actually create/configure the VLAN itself, it only has a single ethernet port.

Julian Knight
  • 14,313
  • 3
  • 27
  • 41
0

It looks like the best way to do this is to set up a VPN (OpenVPN or PPTP should work) and a bridge between the Virtual AP and the router. That both isolates the "unsecured" traffic and makes it show up on a new interface on the router/server, where I can route it as I wish and set firewall rules accordingly.

It seems like a VLAN won't work here without a managed switch. My switches are "VLAN-aware" in that they will pass tagged frames unmodified, but they don't do any tagging or partitioning themselves. As I understand it, this is required for the ability to properly segregate the two LANs on one physical link.

This is the tutorial I'm using: http://www.dd-wrt.com/wiki/index.php/OpenVPN_on_Dedicated_Wireless_Access_Point_%28VAP%29

I'm testing this now with my one existing AP. If it works, I'll buy new ones and try it with a multi-AP setup. I'm not 100% sure how the VPN will work from multiple APs, but I think they'll all come up under the same iface on the server. Worst-case, I can just bridge the virtual interfaces on the server. This will allow me to do RADIUS by MAC address on the "unsecured" interface and I'll script up a little webapp for a secure-net user to temporarily "authenticate" a guest. It's going to be really slick.

Robert
  • 143
  • 4