Re: Creare rete guest senza supporto vlan

esselle · ‎2018-02-06

Firmware V 3.1.0.12

Salve.
Come posso settare il WAC510 per configurare una rete guest, che ovviamente abbia il solo accesso ad internet senza assegnare una vlan diversa ?

Purtroppo devo necessariamente utilizzare un modem/router fornito dall'operatore telefonico (TELECOM ora TIM fisso) che non ha il supporto per le vlan.

Per la rete guest potrei anche utilizzare una sola SSID delle 8 possibili con il WAC510.

Per la rete corporate non ho problemi, se poi fosse possibile settare entrambe sul WAC510, meglio ancora.

Grazie.

Retired_Member · ‎2018-02-06

Hello there, Thanks for reaching Netgear community.
Without VLAN support in your infrastructure, It is difficult to setup a guest network with v3.1.0.12 firmware.

Please wait for next release with some new exiting features. With new firmware release you should be able to create a network to isolate it from your local network.

Stay tuned!

Thanks.
-Sharan

Visualizza soluzione nel messaggio originale

Retired_Member · ‎2018-02-06

Hello there, Thanks for reaching Netgear community.
Without VLAN support in your infrastructure, It is difficult to setup a guest network with v3.1.0.12 firmware.

Please wait for next release with some new exiting features. With new firmware release you should be able to create a network to isolate it from your local network.

Stay tuned!

Thanks.
-Sharan

esselle · ‎2018-02-06

Thank you for your quick answer.
When should the new firmware be available?
Thank you.

Retired_Member · ‎2018-02-06

Should be available in 2-4 weeks of timeframe(tentative).

Thanks.

esselle · ‎2018-02-07

Thanks.

ElisabettaL · ‎2018-02-07

Gentile @esselle,

grazie per la domanda.

Riporto la risposta in italiano in modo che tutti gli utenti possano comprenderla:

"Senza supporto VLAN nella sua infrastruttura è difficile impostare una rete guest con il fw 3.1.0.12

Le chiederei di aspettare la prossima release con nuove feature. Con la nuova release dovrebbe essere in grado di creare un network e isolarla dal network locale"

Saluti

Elisabetta

Team NETGEAR

Retired_Member · ‎2018-02-14

Hi @esselle,
The new firmware is released client isolation feature. Please upgrade to v4.0.7.3 for your guest profile requirements.
https://kb.netgear.com/000054790/WAC505-WAC510-Firmware-Version-4-0-7-3
To enable/disable client isolation: Go to Configuration->Wireless->Basic->WLAN Settings->SSID1
Please let us know for any further assistance.

Thanks for choosing Netgear.

-Sharan

Ciao @esselle,
Il nuovo firmware è rilasciato funzionalità di isolamento client. Esegui l'upgrade alla v4.0.7.3 per i requisiti del tuo profilo ospite.
https://kb.netgear.com/000054790/WAC505-WAC510-Firmware-Version-4-0-7-3
Per abilitare / disabilitare l'isolamento del client: andare su Configurazione-> Wireless-> Base-> Impostazioni WLAN-> SSID1
Per favore fateci sapere per ulteriore assistenza.
Grazie per aver scelto Netgear.

-Sharan

schumaku · ‎2018-02-15

@Retired_Member, is this "client isolation" a different feature from the "client separation" documented in the WAC505 User Manual (for example) on p.36 ff.?

"By default, client separation is disabled for a WiFi network (SSID or VAP), allowing communication between WiFi clients that are associated with different WiFi networks on the access point. For additional security, you can enable client separation."

In the industry common terms, this documented "client separation" feature is usually named "client isolation". The purpose is to suppress direct communication between Wi-Fi STA within the same AP STA (or uncommonly within the same access point).

Assuming these are two different features (what I doubt, can't check because my WAC are all in Insight cloud mode): Does the "client isolation" also deny communication to other systems on the same network - WLAN, switched LAN, other WAC, ... (read TCP/IP subnetwork) only permitting communication with the default gateway so only Internet access is possible? This is the way the Guest WiFi is implemented on the Nighthawk routers - however it's a constant source of complaints, as other (W)LAN IP can be pinged, Multicast traffic is still open, and much more denying the intended purpose of an isolated guest network on the same (W)LAN - without proper VLAN separation.

Edit: In Insight (App 4.0.11, Cloud 4.0.11.3), we only have a control for "client isolation" - which is obviously for what I understand being "client isolation". While one does commnly enable this on guest networks, this does not make a Guest WiFi capability on the same subnet.

esselle · ‎2018-02-15

Salve, proseguo la discussione in italiano.

Purtroppo l'aggiornamento firmware non risolve il mio problema.

Mi spiego meglio, ho attivato due SSID

la prima chiamiamola "wifi1" senza Client Isolation dove per sicurezza ho attivato la MAC ACL, VLAN ID 1. Mi collego a questa SSID con un tablet ed accedo ad internet e a tutte le risorse in rete (NAS, switch etc)

la seconda chiamiamola "wifi1 guest" con Client Isolation con Captive Portal, VLAN ID 1. Mi collego con il tablet ed accedo ad internet, ma continuo ad accedere alle risorse di ret (NAS, switch etc.)

Forse mi è sfuggito qualche importante settaggio?

Grazie.

schumaku · ‎2018-02-15

Mi dispiace, I'm not that fluent in writing Italian - reading and talking is easy 8-)

@essellewrote:

...
la seconda chiamiamola "wifi1 guest" con Client Isolation con Captive Portal, VLAN ID 1. Mi collego con il tablet ed accedo ad internet, ma continuo ad accedere alle risorse di ret (NAS, switch etc.)
Forse mi è sfuggito qualche importante settaggio?

Niente ... you miss nohting. Exactly the behaiviour I would expect from this configuration. As I said Client Isolation (or "Client Separation" as per the December 2017 User Manual) does not make a L2 Guest network isolation beyond of the pure STA wireless network.

esselle · ‎2018-02-15

OK
at this point if I configured the WAC510 as a router and associated the guest network to a different VLAN ID (for example 100) and the DHCP server of the VLAN 100 as a result of 192.168.100.xxx?
keeping VLAN 1 with its DHCPserver (192.168.1.xxx as a managment?
The guest clients would access the VLAN 100 and would have a 192.168.100.xxx address and would see the internet but not the network resources (NAS etc.)
Thank you.

schumaku · ‎2018-02-15

I don't think the router mode is intended for this use case, too. The WAC510 router mode is a dead simple NAT router to connect a single subnet to an Internet connection (modem/FTTH or the like) for a many2one NAT - about what any €9.95 router can do. So either check with your ISP on how to get multiple IP addresses (a small subnet with public addresses) on your Internet link, or deploy some L2 or L3 (the second one might inherit double NAT) router or security appliance where you can properly isolating the guest VLAN (or physical LAN for the sake of it).

Now let's wait for NTGR to reply (I've pushed this to the WAC5xx preoduct managers) - to me the situation with this VLAN-less guest network feature annoucement is still more than vague. And at least on the IM4 managed environment, I can't see something obvious.

ElisabettaL · ‎2018-02-19

Gentile @esselle,

le consiglierei di contattare direttamente il supporto tecnico al riguardo

Saluti

Elisabetta

Team NETGEAR

schumaku · ‎2018-02-19

Cara Elisabetta, cosa può aiutare Netgear Support in questo problema? Al momento una funzione di rete ospite senza una VLAN dedicata non è disponibile...

ElisabettaL · ‎2018-02-20

Gentile @schumaku,

Il supporto tecnico è sempre a disposizione per eventuali chiarimenti e suggerimenti.

Saluti

Elisabetta

Team NETGEAR

esselle · ‎2018-02-26

aggiornamento situazione:
in attesa del nuovo firmware, che dovrebbe agevolare la separazione della rete guest dalla rete corporate, ho risolto inserendo tra il modem/router del fornitore dei servizi e la mia rete cablata un router FVS318Gv2 e creando una VLAN separata sulla porta 7 per il WAC510 con DHCP 192.168.10.x

modem (TIM fisso) 192.168.0.1 subnetmask 255.255.255.248
router FVS318Gv2 192.168.1.1 subnetmask 255.255.255.240
ap WAC510 192.168.10.2 subnetmask 255.255.255.240

sul WAC510 ho creato due SSID

RETE A corporate con MAC ACL
RETE B guest con captive portal (social login)

si presenta un nuovo problema:

sulla rete B guest, i dispositivi iOS bypassato il captive portal anche se lasciano traccia nel syslog.

Grazie per eventuali suggerimenti.

esselle

ElisabettaL · ‎2018-02-27

Gentile @esselle,

grazie per l'aggiornamento.

Purtroppo devo rimandarla nuovamente al supporto tecnico, dotato di syslog per ulteriore analisi.

Saluti

Elisabetta

Team NETGEAR