Posted: Tue Dec 20, 2011 9:47 Post subject: How to? E4200 guestnet segmentation
I'm sure it's been discussed or written but can someone point me to how to segment the guestnet on a e4200?
Because of its multiple radios it looks like it does interfaces differently. I'm not sure on which physical interface I should create the virtual interface (2.4 or 2.4/5GHz)?
So the reason I said e4200 is that there are actually two radios: one 2.4GHz and one 2.4/5GHz. I'm looking for guidance as to which one to create the virtual interface on, and I'm still seeing ambiguity on whether this can all be done via the GUI or whether other configuration (iptables) is needed.
There are also a bunch of other options that don't show up on the screen caps that I believe affect the configuration on this router.
What radio do you want your guest VAP to broadcast on, 2.4GHz or 5GHz? (I would use 2.4GHz because 99% of people have adapters for the 2.4GHz b/g/n band. A lot of people with older computers won't be able to even see the 5GHz network.)
Here are some more photos of my E4200 with a guest WLAN separated from my private network. Neither subnet can see the other, and the guest wifi has AP isolation turned on, so guests won't be able to see other guest users connected to the VAP either. Also the router will only be manageable from your private network (br0).
Here are the same iptables rules, just in TXT format so you can copy and paste.
Code:
# Note: every rule below uses -I (insert at the top of the chain), so each
# later line ends up ABOVE the earlier ones. That is what puts the DHCP/DNS
# and printer ACCEPTs ahead of the DROPs that were inserted before them.
#Restrict br0 (172.16.10.x) from br1 (192.168.1.x)
##
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
#Restrict br1 (192.168.1.x) from br0 (172.16.10.x)
##
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
#Restrict br1 (192.168.1.x) access to router while allowing DHCP and DNS
##
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
#Allow br1 (192.168.1.x) access to networked printer on br0 (172.16.10.x)
##
iptables -I FORWARD -i br1 -d 172.16.10.254 -j ACCEPT
My guest network is on subnet 192.168.1.x which might be confusing to some people. My main network subnet is 172.16.10.x (This helps when connecting with PPTP from a network you have no control over.)
Again, Good Luck.
Keep us posted on your progress.
PS. This is all running on my Cisco-Linksys E4200 v1 with BS-18007-Mega-nv60k
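The rule set above only works because of -I ordering: the ACCEPTs for DHCP, DNS and the printer are inserted after, and therefore land above, the catch-all DROPs. Here is an added example (not from this thread or from DD-WRT) that models first-match chain evaluation and insert-vs-append ordering so you can check what the rules permit before loading them on the router; the chain policy, the printer port 9100 and the private host 172.16.10.20 are assumptions for the constructed sample packets.

```python
# Added example, not from the thread: a small model of iptables chain
# evaluation used to check what the guest-isolation rules actually permit
# once "iptables -I" has put each later line ABOVE the earlier ones.
RULES = """
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 172.16.10.254 -j ACCEPT
"""
FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport",
         "-d": "dst", "--state": "state"}

def parse(line):
    """Turn one iptables command into (chain, rule-dict) with only the
    match fields it sets plus its target."""
    t = line.split()
    chain = t[t.index("-I") + 1]
    rule = {"target": t[t.index("-j") + 1]}
    for flag, key in FLAGS.items():
        if flag in t:
            rule[key] = t[t.index(flag) + 1]
    return chain, rule

def build_chains(script, append=False):
    """append=False models -I (insert at top); append=True models -A."""
    chains = {"INPUT": [], "FORWARD": []}
    for line in script.strip().splitlines():
        chain, rule = parse(line)
        if append:
            chains[chain].append(rule)
        else:
            chains[chain].insert(0, rule)
    return chains

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """First matching rule wins; a rule matches only on the fields it sets.
    An unmatched packet gets the chain policy (assumed ACCEPT here)."""
    for rule in chains[chain]:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return policy

# Constructed sample packets (conntrack state included as iptables sees it).
GUEST_DHCP = {"in": "br1", "proto": "udp", "dport": "67", "state": "NEW"}
GUEST_TO_GUI = {"in": "br1", "proto": "tcp", "dport": "80", "state": "NEW"}
GUEST_TO_PRINTER = {"in": "br1", "out": "br0", "dst": "172.16.10.254",
                    "proto": "tcp", "dport": "9100", "state": "NEW"}
GUEST_TO_PC = {"in": "br1", "out": "br0", "dst": "172.16.10.20",
               "proto": "tcp", "dport": "445", "state": "NEW"}
```

Running the same script through `build_chains(RULES, append=True)` shows why the -I is not optional: with -A the catch-all DROP comes first and guest DHCP is silently dropped.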
This was excellent. I haven't tested it out yet, but the configuration is there.
I'd be interested to see what other wireless tweaks you have made. I noticed that you changed the channel width (40mhz). I also noticed that you had a parameter called "extension channel" which is not available to me.
Thanks!
Extension channel will appear once your settings are saved, applied, and the router rebooted. The 40 MHz setting just allows your Wifi radio to transmit at a faster rate.
So a few more questions on the wireless configuration:
1) I noticed this quote from the wiki:
"I've done many tests with NEWD and NEWD2 wireless drivers on various builds with a WRT150N v1.1 and WRT300N v1.1 and found the 40MHz channel (2.4GHz spectrum) throughput to be extremely lackluster. Most often it gave worse throughput than 20MHz width even though I have no nearby interference on any channels."
I noticed that you are still using the 40MHz channel. Have you tested with it to find the above to be not applicable to the E4200, or at least the E4200 to be better than when using the 20MHz channel?
2) I've noticed conflicting info on wireless security with N. Can you provide what config you are using? I read this:
"You MUST use WPA2 authentication with AES encryption only, or use no security at all if you wish to achieve N rates. Anything else is against the N spec and typically results in the client falling back to G rates."
I thought I read that it was suggested to use WPA2 w/TKIP+AES but that doesn't look like what they are suggesting above.
Thanks again for your help on this.
Wireless > Wireless Security
Make sure to use AES if you want to get N rates. I use the 40MHz channel width with great success on my E4200. Keep in mind you should only use 40MHz if you have little to no wifi interference (e.g. other wifi networks close by).
I can't tell you how to set up your wifi channels and widths because your location can make a huge difference. You will just have to test, test, test and see what gives you the best results.
Good Luck.
Once you get a working guest network, backup your settings. Then you can fiddle around with other settings for faster rates, channel, or width. Find what works best for your setup. Save it, then leave it alone, except for maybe the occasional restart.
Looks good. So, are you just being brave having your guestnet unsecured or are you in a location that the only folks that would be on that network would be actual guests of yours?
Anyone can join. Guests have no access to my private network or router. Also I have QoS set up so that they don't steal all my bandwidth. =)
I've only had a handful of users connect to the guest network. If I notice any rogue guests, I can always block their MAC address, or worst case secure the guest network with encryption.
I am wondering what your QoS settings were. I've tried to limit my "guest" network but my settings keep applying globally. Not sure if this has to do with the bridges or if there's a way to limit the bridge instead of an IP range.
I'll post a screenshot of QoS when I get to a desktop/laptop. I'm posting from my iPhone right now.
Quality of service will only limit bandwidth to your guest network when your private subnet is using bandwidth. For example, say that no one is connected to your private network via Wi-Fi or wired but you have guests connected to your Wi-Fi network: they will be able to access 100% of your broadband pipe, or whatever you want to call it. However, when you have clients connected to your private subnet, wireless and wired, and they are using bandwidth (like Apple TV, downloading torrents, browsing the web and other activities that use high amounts of bandwidth), your guest network will be limited and they will not interfere with your private network downloads or uploads.
I hope this makes a little bit more sense on how quality of service works with your guest network.