Topic: Guest network with Ubiquiti Wifi access point

[DanB35]

My question seems similar to the one at https://forums.contribs.org/index.php/topic,52451.0.html, but different enough that I thought it'd warrant its own thread.  As in that thread, I'd like to set up an isolated WiFi network for guest use.  I don't want users on that network to see other users on that network, users on my "primary" WiFi network, or resources wired into my LAN.  I do want them to have Internet access, and I'm not really interested in limiting that access (i.e., port blocking, user authentication, bandwidth limiting, etc.).

The consideration that I think makes my situation different from the other thread is that I'm not intending or wanting to use a third NIC for this.  I have a Ubiquiti UniFi access point, which supports up to four SSIDs.  It's currently serving as my home access point on a single SSID, and my plan was to create a second SSID for the guest network.  Any or all of the SSIDs can be marked as guest networks, which will result in clients on that network being isolated from each other, but (as far as I can tell--and I haven't found very clear documentation of what else the guest network designation accomplishes) doesn't do anything to isolate clients from hardwired devices on the LAN.  The access point configuration also allows assigning a VLAN tag to any or all of the SSIDs, which sounds like it could be relevant, but that's an aspect of networking that I really don't understand much about yet.

Any suggestions on this?

[Stefano]

well, since we're not talking about a SME feature/contrib, the first thing I can do/say is to move this topic elsewhere

moving to General Discussion

[DanB35]

Since an SME server is the server/router in this configuration, how is it not an SME feature/contrib?

[janet]

DanB35

Since an SME server is the server/router in this configuration, how is it not an SME feature/contrib?

Please clearly & explicitly identify what existing feature of SME server or what existing contrib that you think your request relates to.
I, like Stefano, see none.

[TerryF]

WifiDog http://dev.wifidog.org/wiki/About looks promising and is active

I use CoovaAp, unfortunately it is no longer available and looks to have been rolled into a commercial product: http://www.mywifiservice.com/en/installation/CoovaAP_configuration

If you can find the original open source package this describes installing to a wrt54g router: http://www.linksysinfo.org/index.php?threads/walkthrough-how-to-setup-a-public-hotspot-with-coovaap.69495/
 

[janet]

DanB35 & others

See this bug for updated info re CoovaChilli contrib
https://bugs.contribs.org/show_bug.cgi?id=9514

Perhaps with testing it may work, or if not then bug(s) can be reported against the SME9 CoovaChilli contrib.
See Comment 4
https://bugs.contribs.org/show_bug.cgi?id=9514#c4

[DanB35]

Please clearly & explicitly identify what existing feature of SME server or what existing contrib that you think your request relates to.

I have an SME9 server, in server/gateway mode, acting as router for my home network.  I want it to route traffic from one SSID on my WiFi differently from traffic on the other SSID.  One SSID should be treated as part of the LAN, with full access to all LAN resources and the ability to see other WiFi clients.  The other SSID would be a guest network, where clients can't see other WiFi clients or resources on the LAN.  Since routing network traffic is a feature of the SME server, you've frequently expressed the position that anything you can't do by a checkbox or pushbutton in the server-manager (even if it's a supported, templated, and documented configuration for packages installed in the base system, as with DKIM) belongs in the contribs forum, and I don't know of any checkbox or pushbutton in the server-manager that would accomplish this kind of routing, that's where I put the topic.

CoovaChilli looks like it could probably be made to do what I want, though it seems far more heavyweight than I need (I don't have any interest in user authentication for the guest network, nor in restricting which ports or services they can use to connect to the Internet), and I'm not sure if or how it would deal with the VLAN, which I'm assuming is the only way the SME server would know which clients are on the guest network and which on the regular one.  If I wanted bandwidth limiting, or a captive portal, or time limitations, or any such thing, I could configure it using the UniFi manager software without involving the SME server.  The UniFi manager will also let me configure an SSID to be a "guest network", which apparently (though I haven't found clear documentation of what it does) prevents clients of that SSID from seeing each other.  The part that I think requires the cooperation of the SME server is for clients on that guest network to not see or have access to other machines on the wired LAN, like my FreeNAS box.

Now to my question: which part of this was unclear from my original post?  I'll admit that I didn't explicitly say that I was using SME as the router, but I think that could have been reasonably inferred from the facts that (1) I posted in the SME9 contribs forum, and (2) I linked to another (very recent) thread where another user was trying to do something similar using SME9 as his router.  At a minimum, it should have given rise to a question like "you are using SME to route the traffic, right?", rather than the assumption that someone who's been using SME since before it was SME, and has been active on the forum for several years, has no idea where to post his question.

[DanB35]

WifiDog http://dev.wifidog.org/wiki/About looks promising and is active

Thanks for the pointer, I'll have to check that out.

[janet]

DanB35

I cannot help you further technically.
The CoovaChilli contrib would be a suitable way to go as it does provide the functionality you want, but you said you did not want to use a third NIC, so your choice there.

There was nothing unclear about your original post.

Regarding your statement:  ".....rather than the assumption that someone who's been using SME since before it was SME, and has been active on the forum for several years, has no idea where to post his question."

I am well aware that you were around in the very early days (v3) of SME server so know full well of your long time & significant involvement with SME server.
Your comment is quite incorrect at least as far as I am concerned, no such assumption or conclusion or deregatory inference was made or implied.

Both Stefano & I could not see what default feature or contrib of SME you were specifically referring to, & your last repsonse in no way adds to that.
Code that is in the base & has a default function is quite a different scenario to adding new & different code to perform a totally different function eg adding a guest network, which AFAIK is not currently supported in SME server.
It could possibly & probably be done by writing suitable code, so that then becomes a New Feature (&/or a NFR - New Feature Request) relating to the base code, or otherwise a add on Contrib.
To take this to an extreme example, you seem to be saying that Linux can be coded to do anything so therefore anything is a supported feature, I think that is a bit of an exaggeration.

I do not see any particular productive technical value in discussing the fine meanings of Forum categorisation, & apparently becoming defensive or proactive about ones opinion in that regard, so I suggest we just stop this.

[Jean-Philippe Pialasse]

using vlan, it is still possible to set a virtual ethernet adapter on the SME.

After the creation of the virtual adapter, then the problem is again the same regular question of having a third or fourth network supported, which is really the technical problem here, event if it is disguised under a new guizmo toy

it is really frequent we miss the simple solution, when we only focus on the mean we want to use.

[Stefano]

Dan, first of all I apologize.. no intention to be rude or unpolite.

when I read your first post I understood (but my english may be faulty) that what you're trying to do is not supported out of the box on SME and that you don't want to change your hw/install any contrib..

in this perspective I tought that this is a topic that should not be in SME9.X forum.

thank you for your patience and attention