New Member
Posts: 38
Registered: ‎06-18-2013
Kudos: 1
Solutions: 1
Accepted Solution

How do I have a wireless guest on different subnet?

My networks:

Business Center: Corporate, LAN, LAN1, 10.0.0.1/29, VLAN 10

LAN Guest Network: Corporate, LAN, LAN1, 192.138.1.1/20, None

WAN: WAN, WAN1

 

Wireless:

SSID: Hotel: open, Guest Network Policies

SSID: BusCenter: wpapsk, VLAN 10

 

Guest Control:

Pre-Authorization Access: None

Post-Authorization Restrictions: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8

 

Nothing is connected to WAN2 or LAN2.

The Business center was going to be used for 2 desktops sitting in the business center, but I ended up just connecting them to the Guest WiFi.

 

So I have 23 guests on right now, the IP ranges for 22 of them are 192.168.2.250 thru 192.168.15.235. But one android phone on the Hotel ssid is 10.38.4.28.

FWIW, the only thing showing on the "LAN Guest Network" is the cloud key. The only other hard wired devices are the USG and the switch.

 

How is this phone on this subnet?



All Replies
Regular Member
Posts: 465
Registered: ‎08-07-2016
Kudos: 275
Solutions: 38

Re: How do I have a wireless guest on different subnet?

Something doesn’t add up.

The LAN network (aka. VLAN1) is the default Management VLAN which is the “hacker’s paradise” / “Fort Knox Vault” because you can directly break into the UCK & Switches.

“SSID: Hotel open...” doesn’t specify a VLAN, so that put all the hotel guests on the management VLAN (confirmed by the 192.168 addresses).

If I were running a bank, I wouldn’t put the main lobby in the vault.

The least of my worries is why a guest is wandering the staff kitchen (Android on 10.x subnet).
New Member
Posts: 38
Registered: ‎06-18-2013
Kudos: 1
Solutions: 1

Re: How do I have a wireless guest on different subnet?

So what about if I ran it like this:

 

My networks:

Business Center: Corporate, LAN, LAN1, 10.0.10.1/29, VLAN 10 <--- no change

LAN Admin Network: Corporate, LAN, LAN1, 192.168.1.1/24, None <---use the 192.168 for admin gear

LAN Guest Network: Guest, LAN, LAN1, 10.0.20.1/22, VLAN 20 <--create a new guest type network and VLAN

WAN: WAN, WAN1

 

Wireless:

SSID: Hotel: open, Guest Network Policies, VLAN20 <--- no change

SSID: BusCenter: wpapsk, VLAN 10 <-- add vlan

 

 So then USG, APs and Switch will be 192.168.1.1, 2 and 3 respectively without VLAN, or should I put that on a VLAN, too?

 

Thanks for the insight. I thought with the Guest restrictions turned on, clients on that SSID could not access anything on the listed subnets.

Regular Member
Posts: 465
Registered: ‎08-07-2016
Kudos: 275
Solutions: 38

Re: How do I have a wireless guest on different subnet?

That looks a little better.

But all “corporate” type networks have access to each other. Consider making the Business Center “guest” or erecting firewall rules to keep them out of VLAN1.

The bank analogy would be that the supply room in the restrooms (Business Center) opens into the Vault.
Regular Member
Posts: 465
Registered: ‎08-07-2016
Kudos: 275
Solutions: 38

Re: How do I have a wireless guest on different subnet?

Oh yeah, consider adding firewall rules to LAN_LOCAL & GUEST_LOCAL blocking access to ports 22, 80 and 443 except from 192.168.1.1/24. But be careful setting them up so you don’t lock 192.168.1.1/24 out or you may lose management of the USG!

You can try it now, connect a computer or phone to your guest or business network and point the web browser at the default gateway. You will get the USG login screen.

You should have strong admin passwords but you still shouldn’t invite guests to guess them!

Bank Analogy: Placing the master keys in a glass case in the lobby. With sign: “I dare you to try!”
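
The advice in the post above has two halves: keep guests off ports 22, 80 and 443 on the gateway, and do not lock 192.168.1.1/24 out while doing it. The following is an added example, not part of the original post and not UniFi's own rule format: a simplified first-match model of a LOCAL ruleset that audits both halves before anything is applied. The rule fields, the sample client addresses and the accept default are assumptions.

```python
import ipaddress

MGMT_PORTS = {22, 80, 443}          # ports named in the post
ADMIN_NET = "192.168.1.0/24"        # the 192.168.1.1/24 admin network from the thread

def rule(action, src="0.0.0.0/0", ports=None):
    """Hypothetical rule record: action, source network, TCP destination ports."""
    return {"action": action, "src": ipaddress.ip_network(src), "ports": ports}

def evaluate(rules, src_ip, dport, default="accept"):
    """Action of the first rule matching a TCP packet addressed to the gateway."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if src in r["src"] and (r["ports"] is None or dport in r["ports"]):
            return r["action"]
    return default  # assumption: nothing matched, ruleset default is accept

def audit(rules, admin_ip="192.168.1.10", guest_ips=("10.0.20.57", "10.0.10.3")):
    """List every way the ruleset fails the advice (sample IPs are constructed)."""
    problems = []
    for port in sorted(MGMT_PORTS):
        if evaluate(rules, admin_ip, port) != "accept":
            problems.append(f"admin locked out of port {port}")
        for guest in guest_ips:
            if evaluate(rules, guest, port) != "drop":
                problems.append(f"{guest} can reach port {port}")
    return problems

# Admin exception first, then the drop: passes the audit.
GOOD = [rule("accept", ADMIN_NET, MGMT_PORTS), rule("drop", ports=MGMT_PORTS)]
# Drop with no exception: the lockout the post warns about.
NO_EXCEPTION = [rule("drop", ports=MGMT_PORTS)]
# Exception placed after the drop: first match wins, so it never fires.
WRONG_ORDER = [rule("drop", ports=MGMT_PORTS),
               rule("accept", ADMIN_NET, MGMT_PORTS)]

if __name__ == "__main__":
    for name, rs in [("GOOD", GOOD), ("NO_EXCEPTION", NO_EXCEPTION),
                     ("WRONG_ORDER", WRONG_ORDER), ("EMPTY", [])]:
        print(name, audit(rs) or "ok")
```
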

New Member
Posts: 38
Registered: ‎06-18-2013
Kudos: 1
Solutions: 1

Re: How do I have a wireless guest on different subnet?

I am not currently using the business center. But I may want those 2 desktops to have access to a network printer. I would not want anyone else to have access to it (no guests, no staff, just those 2 machines). That is why we created a different network for them. Currently, they are using USB printers so it isn't an issue. But we may make that change. So before we add anything to it, I will get it off the admin.

Member
Posts: 482
Registered: ‎09-23-2018
Kudos: 56
Solutions: 25

Re: How do I have a wireless guest on different subnet?

From the looks of it, you want to connect a small set of main devices, and the rest guest.

 

I'd set it up:

 

Business Center: Corporate, LAN, LAN1, IP address, VLAN 10 (I would also update the DHCP range to only include 3 addresses, thus only allowing those 3 devices to gain an IP address from DHCP)

LAN Guest: Guest, LAN, LAN1, IP address, VLAN 20

 

The default rules for guest networks (Settings -> Guest Control -> ACCESS CONTROL) are to block guest networks from all other standard IP ranges.


 


@tangram wrote:

But one android phone on the Hotel ssid is 10.38.4.28.


If you look at your Business Center range, you have 10.0.0.1/29. This gives out IPs in the range of 10.0.0.2 - 10.0.0.6. The IP of that device must be statically set, as 10.38.X.X is not defined within your range.

 

In terms of having the business computers have access to the network printer, if it is on the Business Center network, then you'll be fine.
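
The subnet arithmetic from the reply above, as an added example that is not part of the original post: it computes the lease range for each defined network, flags observed clients that fall outside every defined scope, and checks that each network sits inside a range listed under Post-Authorization Restrictions. The guest LAN is taken as 192.168.1.1/20, an assumption based on the 192.168.2.x to 192.168.15.x leases reported in the thread; the function names are hypothetical.

```python
import ipaddress

# Networks as posted (gateway/prefix). The guest LAN prefix is an assumption,
# see the lead-in.
NETWORKS = {
    "Business Center (VLAN 10)": "10.0.0.1/29",
    "LAN Guest Network": "192.168.1.1/20",
}
# Post-Authorization Restrictions from the first post.
RESTRICTIONS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
# Client addresses quoted in the thread.
OBSERVED = ["192.168.2.250", "192.168.15.235", "10.38.4.28"]

def lease_range(gateway_cidr):
    """First and last address DHCP could hand out: usable hosts minus the gateway."""
    iface = ipaddress.ip_interface(gateway_cidr)
    hosts = [h for h in iface.network.hosts() if h != iface.ip]
    return str(hosts[0]), str(hosts[-1])

def owning_network(client_ip, networks=NETWORKS):
    """Name of the defined network containing client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for name, cidr in networks.items():
        if ip in ipaddress.ip_interface(cidr).network:
            return name
    return None

def unscoped_clients(clients=OBSERVED, networks=NETWORKS):
    """Clients whose address belongs to no defined network."""
    return [c for c in clients if owning_network(c, networks) is None]

def unrestricted_networks(networks=NETWORKS, restrictions=RESTRICTIONS):
    """Networks not fully inside any restricted range, i.e. reachable by guests."""
    blocked = [ipaddress.ip_network(r) for r in restrictions]
    return [name for name, cidr in networks.items()
            if not any(ipaddress.ip_interface(cidr).network.subnet_of(b)
                       for b in blocked)]

if __name__ == "__main__":
    for name, cidr in NETWORKS.items():
        print(name, lease_range(cidr))
    print("outside every scope:", unscoped_clients())
    print("not covered by restrictions:", unrestricted_networks())
```
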

New Member
Posts: 7
Registered: ‎01-07-2018
Kudos: 1

Re: How do I have a wireless guest on different subnet?