ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    ubnt guest wireless or separate VLAN?

    IT Discussion
    vlan security networking ubnt ubiquiti
    7
    23
    3.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Mike DavisM
      Mike Davis
      last edited by

      Right. Currently there are two SSIDs. I'll be keeping those because one of them only works with RADIUS, etc. The guest wifi currently uses VLANs to keep them off the LAN. Unnecessary complexity?

      DustinB3403D 1 Reply Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @Mike Davis
        last edited by

        @Mike-Davis said in ubnt guest wireless or separate VLAN?:

        Right. Currently there are two SSIDs. I'll be keeping those because one of them only works with RADIUS, etc. The guest wifi currently uses VLANs to keep them off the LAN. Unnecessary complexity?

        I wouldn't say unnecessary at all. This is how we have our network setup as well.

        Guest network is VLAN'd off so that "guest" devices are unable to get to our network. The corporate network is radius controlled.

        It really makes life simple.

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller
          last edited by

          Guest mode works a lot like a VLAN. In most cases, I would just use that.

          1 Reply Last reply Reply Quote 2
          • Deleted74295D
            Deleted74295 Banned
            last edited by

            The biggest benefit to guest mode is it stops other devices talking to each other, so even on an internal wifi if you have lax security and just need users to get their ipads to the internet it works a treat.

            In 1 setup, The VLAN 100 goes directly to the firewall, which then runs DHCP/DNS for anyone on the guest network.

            The internal VLAN then is Microsoft world on a different IP range.

            1 Reply Last reply Reply Quote 0
            • dafyreD
              dafyre
              last edited by

              I'd keep the VLANs for 2 reasons... 1) is it's already set up. Yes, it may be more confusing, but it's nothing some clear documentation can't fix.

              and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

              scottalanmillerS 1 Reply Last reply Reply Quote 1
              • JaredBuschJ
                JaredBusch
                last edited by

                I really need to figure out how to set this mode up. I keep meaning to do this in order to flatten out networks as much as possible.

                I've started to like twice and never completed it.

                Deleted74295D 1 Reply Last reply Reply Quote 0
                • Deleted74295D
                  Deleted74295 Banned @JaredBusch
                  last edited by

                  @JaredBusch said in ubnt guest wireless or separate VLAN?:

                  I really need to figure out how to set this mode up. I keep meaning to do this in order to flatten out networks as much as possible.

                  I've started to like twice and never completed it.

                  It's a tick box in the controller per SSID.

                  Go to settings, wireless networks, edit, then check the box for guest mode.

                  JaredBuschJ 1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @Deleted74295
                    last edited by

                    @Breffni-Potter said in ubnt guest wireless or separate VLAN?:

                    @JaredBusch said in ubnt guest wireless or separate VLAN?:

                    I really need to figure out how to set this mode up. I keep meaning to do this in order to flatten out networks as much as possible.

                    I've started to like twice and never completed it.

                    It's a tick box in the controller per SSID.

                    Go to settings, wireless networks, edit, then check the box for guest mode.

                    It is not as easy as that to make it a secure guest network.
                    0_1468857731209_upload-088a06ff-efe4-49f0-8dd9-67f4bd297228

                    Deleted74295D 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @dafyre
                      last edited by

                      @dafyre said in ubnt guest wireless or separate VLAN?:

                      and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

                      So.... exactly like a VLAN? You just described a VLAN, in fact.

                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                      • JaredBuschJ
                        JaredBusch @scottalanmiller
                        last edited by

                        @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                        @dafyre said in ubnt guest wireless or separate VLAN?:

                        and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

                        So.... exactly like a VLAN? You just described a VLAN, in fact.

                        No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @JaredBusch
                          last edited by

                          @JaredBusch said in ubnt guest wireless or separate VLAN?:

                          @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                          @dafyre said in ubnt guest wireless or separate VLAN?:

                          and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

                          So.... exactly like a VLAN? You just described a VLAN, in fact.

                          No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.

                          I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.

                          dafyreD 1 Reply Last reply Reply Quote 1
                          • dafyreD
                            dafyre @scottalanmiller
                            last edited by

                            @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                            @JaredBusch said in ubnt guest wireless or separate VLAN?:

                            @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                            @dafyre said in ubnt guest wireless or separate VLAN?:

                            and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

                            So.... exactly like a VLAN? You just described a VLAN, in fact.

                            No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.

                            I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.

                            That was my point.

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @dafyre
                              last edited by

                              @dafyre said in ubnt guest wireless or separate VLAN?:

                              @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                              @JaredBusch said in ubnt guest wireless or separate VLAN?:

                              @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                              @dafyre said in ubnt guest wireless or separate VLAN?:

                              and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

                              So.... exactly like a VLAN? You just described a VLAN, in fact.

                              No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.

                              I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.

                              That was my point.

                              But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.

                              dafyreD 1 Reply Last reply Reply Quote 0
                              • dafyreD
                                dafyre @scottalanmiller
                                last edited by

                                @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                                @dafyre said in ubnt guest wireless or separate VLAN?:

                                @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                                @JaredBusch said in ubnt guest wireless or separate VLAN?:

                                @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                                @dafyre said in ubnt guest wireless or separate VLAN?:

                                and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

                                So.... exactly like a VLAN? You just described a VLAN, in fact.

                                No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.

                                I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.

                                That was my point.

                                But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.

                                I would. What happens when the Guest traffic gets to the other end of the Metro E connection? Does it drop it? Does it send it on to the internet? Or what?

                                With VLANs (and good documentation), you know exactly what it does.

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @dafyre
                                  last edited by

                                  @dafyre said in ubnt guest wireless or separate VLAN?:

                                  @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                                  @dafyre said in ubnt guest wireless or separate VLAN?:

                                  @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                                  @JaredBusch said in ubnt guest wireless or separate VLAN?:

                                  @scottalanmiller said in ubnt guest wireless or separate VLAN?:

                                  @dafyre said in ubnt guest wireless or separate VLAN?:

                                  and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.

                                  So.... exactly like a VLAN? You just described a VLAN, in fact.

                                  No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.

                                  I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.

                                  That was my point.

                                  But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.

                                  I would. What happens when the Guest traffic gets to the other end of the Metro E connection? Does it drop it? Does it send it on to the internet? Or what?

                                  With VLANs (and good documentation), you know exactly what it does.

                                  My point was that that's the same in both cases. Both of your posts describe the same situation for both approaches. VLAN only works because you handle it on both ends. Guest works too in the same situation.

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    The VLAN concept depends on end to end network support and planning. Identical to how the UBNT guest system works.

                                    1 Reply Last reply Reply Quote 0
                                    • dafyreD
                                      dafyre
                                      last edited by

                                      Or does it... That'd be a good question for a UBNT person...

                                      There's a number of ways they could achieve this without relying on the "other end" of the connection supporting their guest mode stuff.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @dafyre
                                        last edited by

                                        @dafyre said in ubnt guest wireless or separate VLAN?:

                                        Or does it... That'd be a good question for a UBNT person...

                                        There's a number of ways they could achieve this without relying on the "other end" of the connection supporting their guest mode stuff.

                                        That would make it better than VLAN then 🙂

                                        1 Reply Last reply Reply Quote 1
                                        • Deleted74295D
                                          Deleted74295 Banned @JaredBusch
                                          last edited by

                                          @JaredBusch said

                                          It is not as easy as that to make it a secure guest network.

                                          Yes but it depends what you mean by "secure"

                                          Not having the ability for the client machines to talk to each other without layer-3 switches needed is a big boon.

                                          1 Reply Last reply Reply Quote 0
                                          • Mike DavisM
                                            Mike Davis
                                            last edited by

                                            My understanding of how Ubiquiti handles guest mode is that it drops packets destined for internal networks. What I don't know is like I think some others were getting at - what if the user tries to go to another local subnet outside the subnet their on. I guess I'll just keep the VLAN thing.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 2 / 2
                                            • First post
                                              Last post