Recently I’ve been spending a lot of time upgrading the network at the church I attend. Our existing network consists of a simple router and a few access points. Anyone who has access to the WiFi has access to our wired church computers, copier, etc. We want to separate guests/members from our private network. In the meantime, we are continuing to use our existing setup until the new system is ready. We are not a huge church, and don’t have unlimited funds.
I plan to have multiple VLANs and subnets. New WiFi access points will be powered with PoE, and capable of SSID-to-VLAN tagging.
A few months ago, after quite a lot of research, we purchased a Netgear GS728TP and two EnGenius EAP600 access points. Originally I was going to use pfSense as a firewall and router, but after using a Ubiquiti EdgeRouter Lite at home and considering power consumption, I opted to purchase one for this application.
The VLANs and subnets we plan to have are shown in the table.
| VLAN | Description | Subnet |
|---|---|---|
| 40 | Separate, Internal Group | 192.168.40.0/23 |
Currently I have the ERLite configured with this configuration.
It has a DHCP server for each subnet and is set to masquerade traffic from all VLANs to the WAN. (I don’t think this is how I should have it set up.) I want VLANs 30 and 40 to be configured the same and to only have internet access, and I do not want clients to be able to see each other. As you can see from the config, VLAN 10 has access to all the other VLANs, but none of the other VLANs can access any hosts outside of their VLAN. I also plan to configure it to block hosts on VLAN 30 and 40 from communicating with other hosts even within their VLAN.
Note: VLAN 40 is not a network that we plan to normally have active. The idea is that we can enable unencrypted access if we have a conference or election day at the church and will have many temporary users.
The GS728TP is connected to the ERLite on port 23, and passes traffic tagged with the four VLANs to the WiFi APs. The raw configuration for it is here.
Things that I am still trying to get figured out:
- Potentially improve the design of the existing firewall rules
- Block hosts from communicating with other hosts inside their VLAN/subnet
- Allow DNS resolving from Admin VLAN to other VLANs/subnets
- Port forwarding to specific hosts. I have been unable to successfully set up port forwarding to any hosts.
I will add more detail to this, but this is the basic overview. None of this is set in stone, and I welcome any suggestions/ideas/improvements you may have!
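The policy described above (VLAN 10 reaches everything, VLANs 30 and 40 get internet only) can be checked as a small first-match model before it is committed to a router. This is an added example, not the ERLite configuration from the post; only the VLAN 40 subnet comes from the post, and the VLAN 10 and VLAN 30 subnets, the rule names and the sample addresses are assumptions.

```python
import ipaddress as ip

# Constructed addressing: only 192.168.40.0/23 (VLAN 40) is taken from the post.
VLANS = {
    10: ip.ip_network("192.168.10.0/24"),  # admin VLAN (assumed subnet)
    30: ip.ip_network("192.168.30.0/23"),  # guest/member VLAN (assumed subnet)
    40: ip.ip_network("192.168.40.0/23"),  # temporary open VLAN (from the post)
}
RFC1918 = [ip.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_established(dst, state):
    return state == "established"

def is_private(dst, state):
    return any(dst in net for net in RFC1918)

# Inbound ruleset per VLAN interface: first matching rule wins, then the default.
# Replies to connections opened from VLAN 10 must be accepted BEFORE the
# private-range drop, otherwise admin-initiated sessions to guests would break.
GUEST_IN = [("accept", is_established), ("drop", is_private)]
RULESETS = {10: ([], "accept"), 30: (GUEST_IN, "accept"), 40: (GUEST_IN, "accept")}

def vlan_of(addr):
    """Return the VLAN id whose subnet contains addr, or None."""
    return next((vid for vid, net in VLANS.items() if addr in net), None)

def verdict(src, dst, state="new"):
    """Decide what happens to a packet from src to dst.

    Returns "switched" when both hosts share a subnet: that traffic is
    forwarded at layer 2 and never reaches the router's firewall at all.
    """
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    vid = vlan_of(src)
    if vid is None:
        raise ValueError(f"{src} is not in any modelled VLAN")
    if dst in VLANS[vid]:
        return "switched"
    rules, default = RULESETS[vid]
    for action, matches in rules:
        if matches(dst, state):
            return action
    return default

if __name__ == "__main__":
    for s, d in [("192.168.10.5", "192.168.30.20"), ("192.168.30.20", "192.168.10.5"),
                 ("192.168.30.20", "203.0.113.10"), ("192.168.40.7", "192.168.41.9")]:
        print(f"{s} -> {d}: {verdict(s, d)}")
```

A "switched" verdict means router firewall rules cannot block that traffic; host-to-host blocking inside VLAN 30 or 40 has to be enforced on the access points or the switch.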
You may want to consider disabling IPv6 on the EAP-600 access points to prevent people on the guest network from being able to access the management web interface:
Robert, good catch, and thanks for the comment. I’ll definitely take a look at that.
I am going through the same thing… sort of.
I am trying to set up a 5 port edge router to replace an overpriced Cisco beast. I am very familiar with Cisco but the Ubiquiti Linux is a little baffling.
Can you email me your config so I can reverse engineer how they do routing?
Franl, I have a copy of my ERLite config posted on pastebin. http://pastebin.com/RdfzEKXM
I am doing this on my Android phone… bumpy buses.
I will go over the configuration on my workstation.