I was going to take my time about this but have been bounced into it as my wife has told her mother we can provide internet access in the holiday let where I had put an AP for her sister to use. I’m not so happy to have random strangers and their kids on my network so I’d like to get this right in a hurry! I’d really appreciate some help here as I’m not sure I have time for trial and error.
My current setup has a Netgear Router with a RB750GL as a second home AP and a hAP Lite in the house next door that will have the guests. I have a RB951G-2HnD which has been sitting about to replace the Netgear router and I will use this now.
I have fibre broadband which will connect to the RB951 and I would like one port of that on an isolated guest network so even if a guest unplugged the hAP Lite and plugged in the cable they would not be able to access my home network. I might add a guest AP to the existing ones in the house at some point but that is not urgent.
Could you point me at the simplest config for the RB951 and hAP lite and I will try and get this up tomorrow before I have random strangers on my fileserver!
Add a VAP interface to your wireless (virtual AP) and set the guest SSID there. Add a “guests” security profile - just copy the main one and change the password to your guest password.
Make sure the new VAP is not connected to your LAN bridge.
Add a new IP network to the new guest VAP interface - e.g. 192.168.99.1/24
Add a new IP pool “Guests” with IP ranges 192.168.99.32-192.168.99.254
Add a new DHCP server - name it guest DHCP - and set it on the guest interface - configure it to use the Guests pool for addresses
Add a new network in the DHCP server networks tab - network=192.168.99.0/24 gateway=192.168.99.1
At this point, you should be able to connect to the guests network and surf - depending on whether your firewall rules are the default rule set or if you’ve made modifications.
With the default set, you should be able to add a filter rule in the chain=forward that drops packets in-interface=GuestVAP out-interface=!wan
Place this rule in the list so that it comes before any rules that would explicitly permit guest → LAN traffic.
ZeroByte nicely explained how it can be done on a single RB (which would be your currently spare 951G).
If you’re going to use two devices, then you need to split the configuration. On the hAP lite you need to do the VAP part, but add the VAP interface to the bridge, which spans the ether ports (and wireless). Or, to make things simpler, create a single AP (the “real” one) with the guest profile.
On the 951G you should do the rest (DHCP, routing, …) with a slight difference: let’s suppose you’ll use ether5 to connect the hAP lite … then remove ether5 from the bridge and apply the needed settings to the ether5 port (start a DHCP server on it, do firewalling, …).
In this way it doesn’t matter if guests connect their gear to guest WiFi, to ethernet ports of hAP or in place of hAP.
If you want to have both home and guest SSIDs on all of your APs, then you’ll probably have to dig into VLAN stuff. Things get slightly complicated, but when properly done it’s just awesome.
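The RB951G side of the two-device setup described above, using the guest address plan from the earlier reply applied to ether5. This is an added example, not a configuration posted by anyone in the thread. It assumes ether5 is currently a member of the LAN bridge, that the WAN interface is named "wan" as in the rule quoted above, and the names "Guests" and "guest-dhcp" are illustrative.

```routeros
# Assumption: ether5 is the port cabled to the guest house (hAP lite).
# Take it out of the LAN bridge so it becomes a separate routed interface.
/interface bridge port remove [find interface=ether5]

# Guest gateway address on the now stand-alone port.
/ip address add address=192.168.99.1/24 interface=ether5 comment="guest gateway"

# Address pool and DHCP server for guests, bound to ether5 only.
/ip pool add name=Guests ranges=192.168.99.32-192.168.99.254
/ip dhcp-server add name=guest-dhcp interface=ether5 address-pool=Guests disabled=no
/ip dhcp-server network add address=192.168.99.0/24 gateway=192.168.99.1

# Guests may only be forwarded out of the WAN interface.
# Assumption: the WAN interface is named "wan"; substitute the real name.
# This rule covers forwarded traffic only; traffic addressed to the
# router itself is handled by the input chain.
/ip firewall filter add chain=forward in-interface=ether5 out-interface=!wan \
    action=drop comment="guests: internet only"

# Check the order: the drop rule must sit above any rule that would
# accept traffic from ether5 towards the LAN. Move it up if it does not.
/ip firewall filter print where chain=forward
```

Because the address, DHCP server and drop rule are bound to ether5 rather than to anything on the hAP lite, the isolation holds whether a guest uses the WiFi, an ethernet port on the hAP, or plugs directly into the cable.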