Help with guest WiFi - Does each guest WiFi SSID need its own guest bridge?

Hmmm? I always thought the OP had the ability to edit his/her thread title.

Just to muddy the waters, here's something fantastic that I haven't yet had a chance to try myself: One SSID, multiple VLANs - #2 by qunvureze

One outward SSID, but clients are apparently connected to different networks depending on the password/secret used when connecting. There are more perhaps complex/capable ways of doing something like this (e.g. Individual per-passphrase/per-MAC Wifi VLANs using wpa_psk_file (no RADIUS required) ), but that first link makes it look very easy.

In my case, I was thinking of one advertised SSID, with 'normal', 'guest' and 'iot device' roles all being sub networks.

For you, ovi, get everything working how you like it first using normal/old-fashioned multiple SSIDs. This might be a refinement afterwards once the networking/bridge/routing is sorted out. Don't try to debug too many new things in one step!
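As an added illustration of the per-passphrase idea (not code from the linked thread or from this post's author), here is what the "one SSID, several networks" layout looks like in OpenWrt's UCI wireless config. The wifi-vlan and wifi-station sections are OpenWrt's front end to hostapd's wpa_psk_file; they are assumed to be available on the router's release (21.02 or later). Section names, VLAN ids, network names and passphrases are placeholders.

```uci
# /etc/config/wireless  (added example; names, ids and keys are placeholders)

config wifi-iface 'home_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HomeNet'
	option encryption 'psk2'
	# Default passphrase: a client presenting this key is attached to 'lan'
	option key 'CHANGE-ME-default-passphrase'
	option network 'lan'

# One wifi-vlan per role. 'vid' is the VLAN id hostapd assigns the client;
# 'network' is the UCI interface (defined in /etc/config/network) it joins.
config wifi-vlan
	option iface 'home_ap'
	option name 'guest'
	option vid '20'
	option network 'guest'

config wifi-vlan
	option iface 'home_ap'
	option name 'iot'
	option vid '30'
	option network 'iot'

# One wifi-station per passphrase. With no 'mac' option, any client that
# presents this key is accepted and placed into the matching 'vid'.
config wifi-station
	option iface 'home_ap'
	option key 'CHANGE-ME-guest-passphrase'
	option vid '20'

config wifi-station
	option iface 'home_ap'
	option key 'CHANGE-ME-iot-passphrase'
	option vid '30'
```

The 'guest' and 'iot' interfaces still need their own subnets, DHCP pools and firewall zones exactly as they would with separate SSIDs; the only thing this changes is that the passphrase, rather than the SSID, decides where a client ends up. Each passphrase is therefore a standing credential for one network: revoking access means deleting or changing that wifi-station entry and running `wifi reload`, and the generated psk file under /var/run holds the passphrases in clear text, so it deserves the same care as the UCI config itself.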

Very clever idea. It's amazing the tweaks and permutations that OpenWRT allows.
Down the road it might be useful to allow me to reduce the SSID count. But I'd still want a couple of separate ones (to allow me to switch them on/off).
Thanks.

You are correct, the management frame issue is per physical radio. However, since you have different band coverage with each radio you are going to then limit the clients of one particular SSID to a single frequency.

This is beneficial if you have an IOT VLAN with devices that are only capable of talking 2.4 GHz like smart bulbs/outlets. You would not be utilizing airtime from the 5 GHz radio to broadcast these management frames on the 2.4 GHz radio, and then the SSIDs on the 5 GHz radio for your primary LAN and internet access devices like laptops or cell phones or tablets would get more airtime not used by the IOT VLAN SSID.

It really depends what devices you want to have access to what frequencies as to where the SSIDs for them go.

Management frames for SSIDs without a connection still have to broadcast usually once every 100 milliseconds or so, so if you put the IOT SSID on 5 GHz and no devices actually can connect to 5 GHz it will still be utilizing airtime every 100 milliseconds to broadcast the network SSID.

I've been meaning to revisit this discussion for a while and it looks like lots of good ideas have been expressed.

I want to come back to the core question:

  • What are the actual requirements regarding the guest network access controls?

I know that there are three primary goals:

  • provide guests with an internet (wan) connection
  • isolate the guest network from the main trusted lan
  • isolate guests from each other.

Broadly speaking, the above can be achieved very easily using a single SSID/subnet using wifi client isolation. The only downside is that the isolation feature is all-or-nothing (on a given network).

But, are there other requirements? Specifically:

  • Do guest devices (that belong to the same person) need to be able to talk to each other? If yes, this means that client isolation isn't appropriate and thus won't provide the guest-to-guest isolation that has been requested.
    • And, in that case, will multiple guests be present at the same time such that a multiple-SSID/subnet setup will be necessary?
  • Do you need the ability to revoke access to a given user and/or to disable a given network? Or is the idea of turning off an SSID simply used when the guest is no longer present?
  • Are there other requirements/goals not discussed here?

As discussed in this whole thread, there are many ways to approach the goals:

  • 1 SSID/1 subnet, client isolation enabled
  • multiple SSIDs each with its own subnet
  • 1 SSID, multiple subnets, the password used defines the subnet to which the client is attached.
  • 1 SSID + RADIUS (this is usually seriously overkill)

There's a small nit involved here: as soon as multiple bands or multiple APs join the picture, the wifi isolation mostly goes out of the window (without quite special setups), as traffic traverses over a common bridge, which then allows communication of (some/most) devices connected to the same guest network.

Very good point. I was thinking about this fact as well. A single-band setup will ensure isolation, but is not the most ideal setup.

That said, it's not clear if the client isolation angle is even desirable here since it is all-or-none (thus is not a good strategy if an individual user's devices need to connect to each other).

There is another requirement, or we can call it a desirable feature: once the setup is ready, it should be easy for the admin to enable/disable access controls to the network.