#1 michelangelo (West of Paris)
    Replacing an Airport Extreme router creating a guest network with a new router
    Hello. My ISP will soon increase the allowable data rate in my home, from 2 Mb/s to about 10 to 20 Mb/s, via ADSL. To benefit from that, and among other reasons to get TV via a new Apple TV on the ground floor, I have restructured my home cabling and moved the ADSL modem from the attic, where it was, to the basement, where the ADSL copper pair entry point is located. I used an Airport Extreme wifi router in the attic, at the LAN port of my ADSL modem-router, configured as a second router (double NATting) to create a normal network and a guest network and provide wifi signal for all to the attic. Together with the modem-router, I moved it, unchanged, to the basement. I then set a couple of CPL in the basement and the attic to carry ethernet signal and installed in the attic my Time Capsule, configured as a bridge to deliver by Wifi to all in the attic the main network and the guest network.

    I know double NATting (two routers one behind the other) is a "NO-NO" for some, with no obvious reasons. I could have avoided it by configuring my modem-router (which I own and is off-limits to my ISP) as a bridge. I did not do it. I wanted easy access from my iPad to the modem-router's ADSL stats and use the modem-router's firewall to stealth all incoming ports, which I believe would not have been feasible if my modem was in bridge mode.

    As it is, this works fine with my 2 Mb/s data rate, including the CPL couple which passes over 300 Mb/s if required.

    Indeed, the TV can benefit from a 15 Mb/s data rate. At 2 Mb/s, it is not worth any effort. At 15 Mb/s, a better coverage of my ground floor could be of use. Also, the Airport Extreme wifi signal, coming from the basement, is unusable anywhere in the house and the wifi signal on the ground floor, where the TV is located, is weak. To do that, I would like to install another CPL at the ground floor to receive ethernet signal from the basement CPL, move this Airport Extreme from the basement to the ground floor, where the TV is located, and configure it as a bridge wifi access point. A new Apple TV feeding the TV set would be connected to it by ethernet or short range wifi.

    This would leave me one router short, so I believe I need one additional router, able to deliver a guest network, without any need for wifi capability.

    Once I have done that, I would add to it a third separate network, comparable to the Airport Extreme guest network (internet access, and no more) for Internet of Things (IoT) devices.

    I believe this network separation can be done by VLAN tagging on routers having such capabilities, such as the Airport Extreme. The main network would remain untagged, while both the guest network and the IoT network would be tagged and carefully stripped of any permission to share resources of the main network.

    I do not do Linux and do not use terminal commands. I do not do Windows either and do not have at home any old or new Windows box. Any router I use would need to be sold as a device, configurable through its web interface.

    After much exploration on the internet, I came out with two options:

    1 - Buy a Ubiquiti EdgeRouter X with no training (https://www.amazon.fr/Ubiquiti-Netwo...61APMR7YPKJ9XT) and attempt to configure it the way I want (a $50 solution); or

    2 - Enter the pfSense router tribe and buy the Netgate SG-1000 microFirewall with an EU plug from Netgate (https://store.netgate.com/SG-1000.aspx) with 1 year of pfSense router training (a $150 solution).

    I am not sure I am actually capable of doing that and, for that reason, favor the training provided by the pfSense tribe.

    Does that make sense?

    Any suggestions (even wild)?

    Alternatives?

    TIA.
    Last edited by michelangelo; 07-17-2017 at 08:14 AM. Reason: added info on CPL
    -- Michelangelo
    https://www.abeille-cyclotourisme.fr/
    MacBookPro, iMac, iPhone 5c, iPad mini, AirPort Time Capsule (1st Generation), AirPort extreme (3rd generation), Apple TV (1st generation)

#2 halo200 (Netherlands)
    As far as I know, Apple's AirPort devices don't support VLAN tagging and they don't allow the configuration of static/dynamic routes, so if you wanted anything on that device accessible from another network it might get a little frustrating. You'll find that most consumer grade kit won't support VLAN tagging; it's more leaning into enterprise level hardware.

#3 michelangelo (West of Paris)
    Thanks halo200 for also replying to this older post, dating back to prior to my purchase of the SG-1000 from Netgate (pfSense tribe). This whole project is to me a learning experiment and I mostly enjoy it for that. Except in the rare circumstances where my ADSL line is down, my wife does not give a damn for the results of what I am trying to achieve. I do it for fun. Positive results are just a plus, and negative results are a new learning experience. My objective as stated above is now modified.

    Instead of: "I believe this network separation can be done by VLAN tagging on routers having such capabilities, such as the Airport Extreme. The main network would remain untagged, while both the guest network and the IoT network would be tagged and carefully stripped of any permission to share resources of the main network.";

    I now hope the Apple Extreme is only capable of 1 extra VLAN (called "Guest Network") if tagged properly by another Apple Extreme, because it seems to be hard-coded with a VLAN tag 1003. I want to tag this virtual LAN "1003" with the SG-1000.

    My reference is a post I found a while ago on the internet, by Darko Krisik:

    <http://tech.krizic.net/2013/09/apple...mode-with.html>

    Now,

    I still hope this network separation can be done by VLAN tagging on routers having such capabilities, such as the Airport Extreme (only two networks). The main network would remain untagged, while the guest network would be tagged 1003 and carefully stripped of any permission to share resources of the main network.

    Then I would implement a crude form of Traffic Shaping on the SG-1000 (like "equally share bandwidth among active LAN IPs"). This is because I realised recently that what I was really lacking on my 2 Mb/s ADSL line was some form of traffic shaping preventing, for example, multiple automatic downloads of iPhone updates on iTunes from swallowing all bandwidth and rendering internet lousy or rendering Mail unable to access iCloud mailboxes. Mainly, the pfSense tribe told me that traffic shaping on a 2 Mb/s line is as difficult (horribly difficult) as implementing traffic shaping on a 100 or 1000 Mb/s line (hence not worth the effort); yet I also heard (not so loudly) that the results are as useful on a tiny line as on a biggish line. So I want to try it on my tiny 2 Mb/s line, and keep it on my future 10 to 20 Mb/s line.

    I will move on to attempting VLAN tagging on the SG-1000 when I have my safety net in place: backups (done) and ability to connect to it via console (still under way). I am not a risk-taker.

    BTW: I have no real use of a guest network (guests use my main network) and have no use of an IoT network (having no connected objects so far). This is purely experimental.

    I thank you very much for your kind assistance.
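The "equally share bandwidth among active LAN IPs" idea in the post above is, in scheduling terms, max-min fairness: every active host gets an equal slice of the link, except that hosts asking for less than their slice keep only what they ask for and the leftover is re-divided among the rest. The example below is added here to show that arithmetic on a 2 Mb/s uplink; it is not pfSense's shaper (pfSense uses ALTQ queues and limiters, configured from its web GUI) and the host names and demand figures are constructed for illustration.

```python
"""Max-min fair share of a small uplink among active LAN hosts (added example)."""
from typing import Dict


def max_min_fair_share(link_kbps: int, demands_kbps: Dict[str, int]) -> Dict[str, int]:
    """Allocate link_kbps among hosts by progressive filling (max-min fairness).

    Each round splits the unallocated capacity equally among hosts that still
    want more.  Hosts whose remaining demand fits inside that equal share are
    satisfied and drop out; the rest is re-divided among those still waiting.
    Idle hosts (demand 0) never receive anything, so a single hog only loses
    bandwidth when other hosts actually become active.
    """
    alloc: Dict[str, float] = {host: 0.0 for host in demands_kbps}
    remaining = float(link_kbps)
    unsatisfied = {host for host, demand in demands_kbps.items() if demand > 0}

    while unsatisfied and remaining > 0:
        share = remaining / len(unsatisfied)
        # hosts whose residual demand fits within the equal share are satisfied now
        small = {h for h in unsatisfied if demands_kbps[h] - alloc[h] <= share}
        if not small:
            # everyone left wants at least `share`: split the rest evenly and stop
            for h in unsatisfied:
                alloc[h] += share
            remaining = 0.0
            break
        for h in small:
            grant = demands_kbps[h] - alloc[h]
            alloc[h] += grant
            remaining -= grant
        unsatisfied -= small

    return {host: int(round(value)) for host, value in alloc.items()}


if __name__ == "__main__":
    # constructed scenario: an iTunes update hog plus two light interactive users
    # on a 2 Mb/s (2000 kb/s) ADSL uplink
    demands = {"itunes-updates": 1800, "mail-icloud": 300, "web": 100}
    for host, kbps in max_min_fair_share(2000, demands).items():
        print(f"{host:15s} {kbps:5d} kb/s")
```

With these constructed demands the two light hosts get exactly what they ask for (300 and 100 kb/s) and the download hog is held to the 1600 kb/s that remains, instead of the 1800 it would take unshaped; with no other host active the hog would get the full 1800. A real shaper does this continuously per packet rather than per "demand", but the allocation it converges to is the one computed here.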

#4 halo200 (Netherlands)
    Interesting, I know there is that Guest Network side of the Extreme. Will be interesting to see the results if you manage to get the tagging working for that 1003 and you can pass it throughout the network, although tricky for me to visualize in my head, and I'm not sure if you can allow access to the VLAN since I don't remember seeing trunking options in there. I've always done things using VLANs with a physical layout something like this:

    Internet
    -> Router
    ->-> Switch with VLAN
    ->->->Clients

    But if I was in your position, I'd be trying the exact same thing just to see if it works, why not eh?... at the same time as cutting everyone else off in the house. And I only just checked the date of your original post. My bad!

#5 michelangelo (West of Paris)
    Well, thanks for reviving my (otherwise) dead post. It made me feel better.

    Now, with the physical layout like you mention:

    Internet
    -> Router
    ->-> Switch with VLAN
    ->->->Clients

    I believe the above is more or less (practically) equivalent to the "three dumb routers" option of Steve Gibson.

    <https://www.grc.com/securitynow.htm> Episode #545 | 02 Feb 2016

    Internet
    -> One dumb Router
    ->-> two dumb Routers
    ->->->Clients

    But it requires separate wiring (and/or separate wifi access points), which I do not have. Here, I expect to use one single set of wiring (power line communication, more precisely) to access from the SG-1000 (in the basement) to the Airport Extreme to be located in the living room, ground floor and expect that this Airport Extreme will distribute, together with the main network, the guest (or IoT) network via wifi from the living room (which should be enough for that not-very-useful-so-far network). I hope this can work. It does not work (of that I am sure) from my Time Capsule located in the attic. The Time Capsule, even when it was connected to the Airport Extreme (then configured as the router creating the guest network) only relays the main network, and ignores the existence of the guest network (the packets of which it receives nevertheless, I believe).

    Now that my belt and suspenders seem to be on (with my possibility to reset by console the SG-1000 to factory default), I will start attempting to create a VLAN tagged 1003 guest network on the SG-1000. Just a question of time. Then I will be able to report here if the Airport Extreme sees the guest network (as Darko Krisik's does) or not.

    Thanks for your contributions. Sorry for believing Spanish was your language.
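Posts #3 and #5 both rest on the same idea: one cable (here, the power-line link) carries the untagged main network and the guest network at the same time because guest frames carry an 802.1Q tag (VID 1003 in the thread), and the router's firewall then lets tagged traffic reach only the internet. The example below is added to make that concrete; it is not the thread's own configuration nor anything from pfSense or Apple. It builds and parses tagged and untagged Ethernet frames, then applies the isolation policy the posts describe. The subnets, MAC addresses and the guest gateway address are constructed assumptions, and only IPv4 payloads are modelled.

```python
"""Untagged main LAN and 802.1Q-tagged guest LAN over one wire (added example)."""
import struct
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
GUEST_VID = 1003                              # tag the thread expects for the guest network

# constructed addressing for the illustration (not the thread's real values)
MAIN_LAN = ip_network("192.168.1.0/24")
GUEST_LAN = ip_network("192.168.3.0/24")
GUEST_GATEWAY = ip_address("192.168.3.1")     # router's address on the guest VLAN
HOME_PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]  # RFC 1918 space the guest must not reach


def ipv4_packet(src: str, dst: str, data: bytes = b"") -> bytes:
    """Minimal IPv4 header (UDP protocol number, checksum left 0) plus data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, 17, 0,
                       ip_address(src).packed, ip_address(dst).packed) + data


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Ethernet II frame; an 802.1Q tag (PCP 0, DEI 0, VID) is inserted when vid is set."""
    header = dst_mac + src_mac
    if vid is not None:
        tci = vid & 0x0FFF                      # priority and DEI bits left at 0
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return MACs, VLAN id (None when untagged), inner ethertype and payload."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype,
            "payload": frame[offset:]}


def guest_isolation_verdict(frame: bytes) -> str:
    """Policy from the thread: untagged = main LAN, tagged 1003 = internet only."""
    f = parse_frame(frame)
    if f["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 payloads are modelled in this example")
    payload = f["payload"]
    src_ip, dst_ip = ip_address(payload[12:16]), ip_address(payload[16:20])
    if f["vid"] is None:
        return "pass"                           # main network: untagged, unrestricted
    if f["vid"] != GUEST_VID:
        return "block"                          # unexpected tag on the trunk
    if src_ip not in GUEST_LAN:
        return "block"                          # anti-spoof: guest may not claim main-LAN addresses
    if dst_ip == GUEST_GATEWAY:
        return "pass"                           # its own gateway (DHCP, DNS, default route)
    if any(dst_ip in net for net in HOME_PRIVATE):
        return "block"                          # no reach into main LAN or other private space
    return "pass"                               # internet only


# constructed sample MACs (locally administered) and frames
MAC_CLIENT = bytes.fromhex("020000000001")
MAC_ROUTER = bytes.fromhex("020000000002")
GUEST_TO_INTERNET = build_frame(MAC_ROUTER, MAC_CLIENT,
                                ipv4_packet("192.168.3.20", "203.0.113.5"), vid=GUEST_VID)
GUEST_TO_MAIN = build_frame(MAC_ROUTER, MAC_CLIENT,
                            ipv4_packet("192.168.3.20", "192.168.1.10"), vid=GUEST_VID)
MAIN_TO_MAIN = build_frame(MAC_ROUTER, MAC_CLIENT,
                           ipv4_packet("192.168.1.20", "192.168.1.10"))

if __name__ == "__main__":
    for name, frame in [("guest->internet", GUEST_TO_INTERNET),
                        ("guest->main", GUEST_TO_MAIN), ("main->main", MAIN_TO_MAIN)]:
        print(f"{name:16s} vid={parse_frame(frame)['vid']} {guest_isolation_verdict(frame)}")
```

The point the thread is circling is visible in the parser: the guest and main frames travel on the same wire and differ only by the four tag bytes, so every device between the router and the access point (the power-line adapters, and the Time Capsule if it is in the path) must forward tagged frames unmodified, and only the router needs the firewall rules. A device that silently strips or drops the 0x8100 tag is exactly the failure the poster observed with the Time Capsule relaying only the main network.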
