Recommendation: WIFI zones for therapy center

Hello,
the hardware currently used in a recently founded therapy center is a FRITZ!Box 7490 with 2 DECT phones and 1 printer (WIFI) used by 2 therapists' computers (WIFI). The therapists work separately and only share the rooms, the printer and the internet connection.

I would like to improve the network security by implementing WIFI zones (multi-SSID). So I need multiple WIFI networks (dual band) for each therapist, printers, private cell phones etc., which the Fritz!Box 7490 does not provide besides guest WIFI (but I need the DECT base station). Applications are more frequent video therapy for patients and training of two therapists. The cost could be less than or around 100 euros - there is no need for an ultra-high-performance device. In the end budget is not the problem. The design should be quite simple, as the device will hang in the corridor next to the Fritz!Box. No physical Ethernet ports are needed due to space and no possibility to install cables.

Currently, I tend to the following devices without any real reasons (just cost, design and relevance)

How many SSIDs (4 per band?) can I create with these devices? Am I reasonably correct with the devices? Is a device to be preferred for compatibility reasons? Which are good suitable alternatives from my descriptions? I appreciate your answers.

OpenWrt is a great project.

Is the idea that each therapist is independent and can't communicate with the others' devices? This seems like a straightforward application of two VLANs and two ESSIDs. Either the C7 or the EAP will handle this.

Are you running OpenWrt on the Fritz? It should handle this by itself.


Yes, the idea is that the computers are independent and e.g. just share the printer service. Also private mobile phones should not be connected to the computers. Since these therapies work independently, they do not need access to shared network files, for example. In conclusion, the independent therapists' computers should not trust each other because there is no need to.

I still run OEM firmware. Currently there is no support and/or I might lose the DECT feature. If there is a comparable model with the DECT feature supported, I could think about a replacement...

Ok so there would be no feature preference comparing these devices?

If I were going to set up a small business along these lines with two separate networks on a thin budget, I'd probably look at a C7 running OpenWrt as the main router, a Grandstream DP752 with two DP730 DECT phones... Put the phones inside the perimeter of the OpenWrt router. Use 3 VLANs... one for the printer, one for each therapist's computer... and use 2 SSIDs, one for each therapist, bridged to the associated VLAN.

Under no circumstances would I put the therapists' computers on wifi... they're doing online interactive sessions, get them on a wire... So then it's not even clear what the wifi is for?

As far as the C7 vs the EAP... as access points they'll both do the job, but the C7 is a full router with multi-port switch and so it can do many more things.

Also the C7 is pretty old, so I'd only use it if I had one already. If I were buying new I'd look at something newer. Not sure what

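The layout suggested in the post above (one network per therapist plus one for the printer), sketched as an OpenWrt `/etc/config/firewall` fragment. This is an added example, not part of the original thread: the network and zone names, the static printer address and the printing ports are assumptions, and `wan` is the stock OpenWrt upstream zone.

```conf
# /etc/config/firewall (fragment). Added example; all names are assumptions.
# Networks 'thera_a', 'thera_b' and 'printer' must exist in /etc/config/network,
# and each therapist's SSID must be attached to that therapist's own network.

# Both therapist networks share one zone. 'forward REJECT' blocks traffic
# between thera_a and thera_b; 'input REJECT' blocks access to the router.
config zone
	option name 'therapists'
	list network 'thera_a'
	list network 'thera_b'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The printer (assumed static address) gets no forwarding section at all,
# so it can neither reach the internet nor open connections to the clients.
config zone
	option name 'printer'
	list network 'printer'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'therapists'
	option dest 'wan'

# With input REJECT, clients still need DNS and DHCP from the router.
config rule
	option name 'Allow-DNS-Therapists'
	option src 'therapists'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Therapists'
	option src 'therapists'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

# Only printing crosses the boundary: IPP (631) and raw port 9100 (assumed).
config rule
	option name 'Allow-Therapists-Print'
	option src 'therapists'
	option dest 'printer'
	option dest_port '631 9100'
	option proto 'tcp'
	option target 'ACCEPT'
```

Printer discovery via mDNS does not cross the routed boundary, so each computer has to add the printer by its IP address.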

Rented apartment and no reasonable possibility to install the necessary wires. I would also do without WIFI if it were easy to do so.

So is the only difference the multi-port switch? Or will I miss other features (beside ethernet for clients) compared to the full router? I know, maybe a naive question.

The D7 is still marked as "snapshot"..

Consider some Comtrend (or any other) g.hn powerline devices (or a HomePlug AV device, but I hear the g.hn stuff is a little more robust) (unless the ISP is a DSL based ISP, in which case it is likely to have interference)

Also consider some long flat flexible ethernet cords that get snaked around the perimeter of the rooms. The max length of an ethernet run is 100 meters!

As for router vs AP, they play totally different roles. A typical router like a C7 is both a router and an AP in the same package, but an AP by itself is like a "plug" that plugs a computer into the "air"... it doesn't do anything to the IP traffic, it just moves ethernet frames from wires to the air. So it's basically a "dumb" device.

The GL.iNet B1300 comes with a version of OpenWrt pre-installed, but works great with current stable "real" OpenWrt as well (and I'd recommend flashing the real version). You might also do well with gl-ar750s-ext. I assume this is a small apartment, distance is probably not the main issue here.

I have really only had bad experiences with these powerline devices and want to avoid them. ISP uses VDSL.

Good idea, I'll think about that. I would have 3 doors to cross, one per device, to the other side of the rooms. I doubt I would implement this kind of modification.

Ok, but for my use case handling different SSID and VLAN access in the WIFI domain and forward other to the FritzBox would work? So the Multi-SSID feature itself could be implemented? Or will it just move traffic per SSID to a VLAN tagged ethernet frame and forward it?

Correct.

They all "look kind of small". But do they really perform in this static use-case compared to my suggestions right? Flash, RAM and CPU look better...

Yes, then avoid powerline devices.

Agreed that they don't have big antennas, but I have friends who I've recommended them to, and they're performing well: one lives in a 2 bedroom apt and uses the non-external antenna version of the 750 to cover that entire apt, one is using two of these devices for a long extended 3 bedroom house, about 1800 sqft or something. The flash, RAM and CPU are better, which is why I recommended them.

If you're just looking to connect two different ESSIDs to two different VLANs on the wire, any of the devices will work. If you want proper security though, never run stock firmware, that's your biggest security flaw by far, and so replace the Fritz box with a proper constantly updated OpenWrt router.

Any Fritz!Box can be used quite nicely as a pure SIP PBX/ATA and DECT base in IPoE mode behind another router (e.g. OpenWrt), you lose the modem functionality that way, but profile 17a vectoring enabled modems can be found for under 5-10 EUR on the second hand market, especially OpenWrt capable ones. Another potential complication would be potentially a need to access the Telematikinfrastruktur using a Gematik approved Konnektor, as often necessary in the health sector.

I agree with both of you. Fritz!Box may not be the most secure modem to use.

Any compatible, current and good tips about it? It can also be a new device.

Currently, the TI is still being omitted. This costs a fee of 2.5%, but you don't have the complexity and uncertainties until it is kind of operational. There are different installation scenarios. Thank you, I should not lose sight of a future architecture.