Setup for network isolation in B&B (3 rooms, wired and wireless)

I'm looking for some advice about what to get and what to set up for this scenario.

There is a B&B with 3 rooms, each having 2 CAT 6A cables wired to them, and a TV with Chromecast hooked up. The goal of the setup is to provide all guests with a wired and wireless network, where devices within the room can communicate with each other, but not with the devices in the other rooms. Importantly, it should not be possible to access the Chromecast of the TVs in the other rooms. In addition, the owners also live in the house, and therefore another isolation needs to be established.

From what I've found, it seems VLAN could be used to isolate the wired connections, and that this needs support on both router and switch level. I was thinking that having 4 distinct VLANs that cannot communicate with each other at all (3 for the rooms, 1 for the residence), should be sufficient.

For wired, this is what I had in mind:

Modem ----- Primary router ----- Switch  ---- Room C x 2
                                / |   \
                               /  |    \
              Secondary router    |     \
                (residential)     |      \
                                  |       \
                           Room A x 2    Room B x 2

As for wireless, as far as I understand, it's not easily possible to have one SSID and differentiate based on a password, so it'd have to be a different SSID per room, and depending on which one you're connected to, you would be part of that room's VLAN.

I'm currently considering using a secondary (the currently in-use TP-Link Archer C9) router for the residential area of the house, so that it can be configured separately. However, I think this might cause issues, so if the VLAN is enough security, maybe that'd work too.


My question is if this is a good setup, or if you'd recommend a different approach. I only know the basics of the hardware level of networking, so I'm open for any suggestions.

Additionally, what kind of hardware would you recommend for building such a setup? The amount of bandwidth is mostly just things like Netflix/YouTube streams, on the order of at most 200 Mbps, so nothing spectacularly high end should be necessary, though the number of clients can easily be 10 for the rooms, and about 16 for the residential area.

I don't see any obvious mistakes in this design.

With the small number of SSIDs, I think your choice is reasonable.
For completeness, this is the documentation about the other solution: dynamic VLANs.

I would tend to leave out the secondary router and rely on VLAN isolation in the switch and firewalling in the primary router. But this decision depends on various factors which were not discussed yet.

200 Mbit/s - is that the downstream capacity of the ISP line? How much is the upstream?

To ensure the network serves all clients equally well and with low latencies, I suggest looking at Smart Queue Management (SQM) for the primary router, and Air Time Fairness for the access point(s).

However, SQM increases the demand on the router CPU, which should be considered in the hardware selection. Some benchmarks have been posted, and there are threads with hardware recommendations in this forum.

How many access points will there be?
Are you planning to run them with vendor firmware or OpenWrt?
Will (some of) the SSIDs be available on more than one AP, and a smooth client handover between APs be desired?

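One way the firewalling on the primary router suggested above could look in OpenWrt, as an added example that is not part of the original posts. The interface and zone name `room_a`, the radio name, the SSID and the key are assumptions; the default `wan` zone and a `room_a` interface (a bridge over that room's VLAN) in `/etc/config/network` are assumed to exist already.

```uci
# /etc/config/firewall (fragment): one set of sections per room, room_a shown.

config zone
    option name 'room_a'
    list network 'room_a'
    # Guests cannot reach services on the router itself by default.
    option input 'REJECT'
    option output 'ACCEPT'
    # Nothing is routed out of this zone unless a forwarding allows it.
    option forward 'REJECT'

# The only forwarding for this zone: out to the internet.
# With no room_a -> room_b / room_c / residence forwarding defined,
# routed traffic to another room (including its Chromecast) is rejected.
config forwarding
    option src 'room_a'
    option dest 'wan'

# Exceptions to input REJECT: DHCP and DNS served by the router.
config rule
    option name 'room_a-dhcp'
    option src 'room_a'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'room_a-dns'
    option src 'room_a'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

# /etc/config/wireless (fragment): per-room SSID attached to the same
# network, so wired and wireless devices in the room share one segment.
config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'Room-A'
    option network 'room_a'
    option encryption 'psk2'
    option key 'REPLACE_WITH_ROOM_A_PASSPHRASE'
```

The same sections would be repeated for the other rooms and the residence. Devices inside one room still reach each other because that traffic is bridged within the room's own segment and never crosses a firewall zone.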

Given the topology... rate limiting at the switch level is going to be faster, easier... although per client fairness on top of that is likely a good idea...

Most entry level quasi managed switches will allow you to set per port max up and down rates...


Thank you so much for the responses so far!

> 200 Mbit/s - is that the downstream capacity of the ISP line? How much is the upstream?

I should've clarified, 250 Mbit/s is the actual downstream, with 25 Mbit/s being the upstream. However, the LAN bandwidth should be higher, to account for a few IP cameras to be set up and streaming internally (this was initially intended to be behind the secondary router, but perhaps that's not necessary). The 200 number is more of an estimate of expected peak usage.

> How many access points will there be?

Ideally for the B&B itself, we'd run everything off of a single router & AP combo, with a switch to have enough ports to serve all the rooms. There'll be another switch and AP (what'd previously be another router) for the residence itself.

All heavier traffic for the B&B is expected to go over the wired connections (the smart TVs being wired). So I think it shouldn't be a problem to run all rooms off of a single radio.

> Will (some of) the SSIDs be available on more than one AP, and a smooth client handover between APs be desired?

The residence's WiFi could be made available in the B&B area too, when using only the one router. While automatic handover might be nice, it's not a dealbreaker if it isn't possible.

> Are you planning to run them with vendor firmware or OpenWrt?

As far as I understand, most consumer-level vendor firmware wouldn't support these features (VLAN & 4 SSIDs). At the same time, I don't have a reason to specifically choose OpenWrt. Ideally once I set it up for them, it "Just Works", and won't require frequent maintenance. I would like to occasionally update it for security reasons though.

> Given the topology... rate limiting at the switch level is going to be faster, easier... although per client fairness on top of that is likely a good idea...

Would SQM alone be sufficient? Since it's a small establishment, I don't see the need for rate-limiting if the default distribution of bandwidth is fair, and everyone can watch their Netflix :slight_smile:.

This will depend on how many CPU cycles you have on your router... put another way... if you purchase a new switch... or SQM is a burden... per port rate limits are a turnkey efficient option.

Devices based on an IPQ806x SoC look suitable to me, but I have no first-hand experience with them.

I suggest measuring the wireless throughput in each room to be sure.

Yes, I would prefer SQM with cake over rate-limiting at the switch, and buy a router which is powerful enough to handle the load.


The ZyXEL Armor Z2 AC2600 looks like a good choice, although a bit pricey (210 euro local currency). However, it seems well supported by OpenWrt (with installation through the stock firmware, and debricking).

Of course, but the rooms are located across two floors, and the floors are made of wood, where mediocre routers had no issues spanning 3 floors on 5GHz, and this one will be mounted centrally. So I expect no issues in that regard.

The only thing that remains then is finding a switch, a managed switch for VLAN, with gigabit, and 8 ports. Is there anything specific I should look out for? Or will any switch that meets those criteria work?

Switches have been discussed before, please search the forum. An example:

TP-Link SG108E is very inexpensive and perfectly fine

Anyone used Ubiquiti ES-10XP? And how it stacks up in comparison to the above switches?

(Note: for the OP I'd advise purchasing more ports, 16 minimum, but yes... additional switches at a later date will also do the job if needed... and possibly allow for comparison / feature munging / IDF... point being with switches in small environments... generally plan for double the ports you think you need.)

Having read the full thread at this point, I agree. I'd get an RPI4 for the router, plenty of CPU power, and a TP-Link T2600G-28TS which is a 24 port commercial switch. Why so many ports? Because you're talking 2 CAT6A to each of 3 rooms, so that's 6 ports there. You're talking the owners want at least a couple ports, or may at some point, so let's say 4 ports there. You'll need to connect the AP, another port, eventually you'll want another AP I promise you... another port. Then there's the WAN port... And the router itself... I think you see where this is going. The 24 port managed switch is what you want. It's $149.

You could also look at the ZyXEL GS1900-24E, which is a 24 port switch for $100. It isn't quite as good spec-wise, but it's very good. I have one.

Thanks everyone for the replies. I should have clarified that the switch will be solely for the B&B rooms. The residential area is already in place and connected via a switch that'll plug into the router directly. The gear is purchased, and the setup in OpenWrt (on the Zyxel Armor Z2) was a breeze; the managed switch (Zyxel GS1900-8) gave quite a bit of trouble though, with the management interface bugging out constantly.

SQM on the Zyxel Armor Z2 works fine with 250Mbps (when limited to 225), provided you use the older fq_codel, since cake limits download to 100Mbps (which I think might be down to CPU limitations).

Overall I'm very thankful for the information here, both in this thread and on the forums and wiki in general, it's helped a ton, and made my experience setting the whole thing up relatively smooth and painless.


You should upgrade the firmware to the latest. There may have been many improvements since the unit you have was flashed. I remember when I first got mine a couple years back, it would show white-on-white text in compliant browsers... I could only read the pages if I selected the text... I haven't had that kind of problem for a while, but you might still have buggy firmware from a couple years ago.

With 2 cores at 1.7GHz, I would expect the Armor Z2 to do well over 100Mbps. There might be some configurations needed.

I checked the firmware and there didn't seem to be any updates to it :confused:

I tried all the options, but none would push it over 110 with cake, whereas fq_codel always seemed to provide at least 150, and with the simpler settings it pushed up to 225.
