Replacing an AirPort Extreme router that creates a guest network with a new router

Original post by michelangelo (OP). Joined Apr 24, 2008; 271 messages; location West of Paris. Mac specs: MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
Hello. My ISP will soon increase the allowable data rate in my home, from 2 Mb/s to about 10 to 20 Mb/s, via ADSL. To benefit from that, and among other reasons to get TV via a new Apple TV on the ground floor, I have restructured my home cabling and moved the ADSL modem from the attic, where it was, to the basement, where the ADSL copper pair entry point is located. I used an Airport Extreme wifi router in the attic, at the LAN port of my ADSL modem-router, configured as a second router (double NATting) to create a normal network and a guest network and provide wifi signal for all to the attic. Together with the modem-router, I moved it, unchanged, to the basement. I then set a couple of CPL in the basement and the attic to carry ethernet signal and installed in the attic my Time Capsule, configured as a bridge to deliver by wifi to all in the attic the main network and the guest network.

I know double NATting (two routers one behind the other) is a "NO-NO" for some, with no obvious reasons. I could have avoided it by configuring my modem-router (which I own and is off-limits to my ISP) as a bridge. I did not do it. I wanted easy access from my iPad to the modem-router's ADSL stats and use the modem-router's firewall to stealth all incoming ports, which I believe would not have been feasible if my modem was in bridge mode.

As it is, this works fine with my 2 Mb/s data rate, including the CPL couple which passes over 300 Mb/s if required.

Indeed, the TV can benefit from a 15 Mb/s data rate. At 2 Mb/s, it is not worth any effort. At 15 Mb/s, a better coverage of my ground floor could be of use. Also, the Airport Extreme wifi signal, coming from the basement, is unusable anywhere in the house and the wifi signal on the ground floor, where the TV is located, is weak. To do that, I would like to install another CPL on the ground floor to receive ethernet signal from the basement CPL, move this Airport Extreme from the basement to the ground floor, where the TV is located, and configure it as a bridged wifi access point. A new Apple TV feeding the TV set would be connected to it by ethernet or short-range wifi.

This would leave me one router short, so I believe I need one additional router, able to deliver a guest network, without any need for wifi capability.

Once I have done that, I would add to it a third separate network, comparable to the Airport Extreme guest network (internet access, and no more) for Internet of Things (IoT) devices.

I believe this network separation can be done by VLAN tagging on routers having such capabilities, such as the Airport Extreme. The main network would remain untagged, while both the guest network and the IoT network would be tagged and carefully stripped of any permission to share resources of the main network.

I do not do Linux and do not use terminal commands. I do not do Windows either and do not have at home any old or new Windows box. Any router I use would need to be sold as a device, configurable through its web interface.

After much exploration on the internet, I came out with two options:

1 - Buy a Ubiquiti EdgeRouter X with no training (https://www.amazon.fr/Ubiquiti-Networks-ER-X-Ethernet-connecté/dp/B011N1IT2A/ref=pd_sim_107_5?_encoding=UTF8&psc=1&refRID=33NATN61APMR7YPKJ9XT) and attempt to configure it the way I want (a $50 solution); or

2 - Enter the pfSense router tribe and buy the Netgate SG-1000 microFirewall with an EU plug from Netgate (https://store.netgate.com/SG-1000.aspx) with 1 year of pfSense router training (a $150 solution).

I am not sure I am actually capable of doing that and, for that reason, favor the training provided by the pfSense tribe.

Does that make sense?

Any suggestions (even wild)?

Alternatives?

TIA.
 
Reply by halo200. Joined Sep 8, 2007; 552 messages; location United Kingdom. Mac specs: 13" MBP 2.3Ghz i7 32GB 1TB | iPhone XR
As far as I know, Apple's AirPort devices don't support VLAN tagging and they don't allow the configuration of static/dynamic routes, so if you wanted anything on that device accessible from another network it might get a little frustrating. You'll find that most consumer-grade kit won't support VLAN tagging and it's more leaning into enterprise-level hardware.
 
Reply by michelangelo (OP). Joined Apr 24, 2008; 271 messages; location West of Paris. Mac specs: MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
Thanks halo200 for also replying to this older post, dating back to prior to my purchase of the SG-1000 from Netgate (pfSense tribe). This whole project is to me a learning experiment and I mostly enjoy it for that. Except in the rare circumstances where my ADSL line is down, my wife does not give a damn for the results of what I am trying to achieve. I do it for fun. Positive results are just a plus, and negative results are a new learning experience. My objective as stated above is now modified.

Instead of: "I believe this network separation can be done by VLAN tagging on routers having such capabilities, such as the Airport Extreme. The main network would remain untagged, while both the guest network and the IoT network would be tagged and carefully stripped of any permission to share resources of the main network.";

I now hope the Apple Extreme is only capable of 1 extra VLAN (called "Guest Network") if tagged properly by another Apple Extreme, because it seems to be hard-coded with a VLAN tag 1003. I want to tag this virtual LAN "1003" with the SG-1000.

My reference is a post I found a while ago on the internet, by Darko Krisik:

<http://tech.krizic.net/2013/09/apple-airport-extreme-guest-mode-with.html>

Now,

I still hope this network separation can be done by VLAN tagging on routers having such capabilities, such as the Airport Extreme (only two networks). The main network would remain untagged, while the guest network would be tagged 1003 and carefully stripped of any permission to share resources of the main network.

Then I would implement a crude form of Traffic Shaping on the SG-1000 (like "equally share bandwidth among active LAN IPs"). This is because I realised recently that what I was really lacking on my 2 Mb/s ADSL line was some form of traffic shaping preventing, for example, multiple automatic downloads of iPhone updates on iTunes from swallowing all bandwidth and rendering internet lousy or rendering Mail unable to access iCloud mailboxes. Mainly, the pfSense tribe told me that traffic shaping on a 2 Mb/s line is as difficult (horribly difficult) as implementing traffic shaping on a 100 or 1000 Mb/s line (hence not worth the effort); yet I also heard (not so loudly) that the results are as useful on a tiny line as on a biggish line. So I want to try it on my tiny 2 Mb/s line, and keep it on my future 10 to 20 Mb/s line.

I will move on to attempting VLAN tagging on the SG-1000 when I have my safety net in place: backups (done) and ability to connect to it via console (still under way). I am not a risk-taker.

BTW: I have no real use for a guest network (guests use my main network) and have no use for an IoT network (having no connected objects so far). This is purely experimental.

I thank you very much for your kind assistance.
 
Reply by halo200. Joined Sep 8, 2007; 552 messages; location United Kingdom. Mac specs: 13" MBP 2.3Ghz i7 32GB 1TB | iPhone XR
Interesting, I know there is that Guest Network side of the Extreme. Will be interesting to see the results if you manage to get the tagging working for that 1003 and you can pass it throughout the network :) although tricky for me to visualize in my head and I'm not sure if you can allow access to the VLAN since I don't remember seeing trunking options in there. I've always done things using VLANs with a physical layout something like this:

Internet
-> Router
->-> Switch with VLAN
->->->Clients

But if I was in your position, I'd be trying the exact same thing just to see if it works, why not eh?... at the same time as cutting everyone else off in the house. And I only just checked the date of your original post :D My bad!
 
Reply by michelangelo (OP). Joined Apr 24, 2008; 271 messages; location West of Paris. Mac specs: MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
Well, thanks for reviving my (otherwise) dead post. It made me feel better.

Now, with the physical layout like you mention:

Internet
-> Router
->-> Switch with VLAN
->->->Clients

I believe the above is more or less (practically) equivalent to the "three dumb routers" option of Steve Gibson.

<https://www.grc.com/securitynow.htm> Episode #545 | 02 Feb 2016

Internet
-> One dumb Router
->-> two dumb Routers
->->->Clients

But it requires separate wiring (and/or separate wifi access points), which I do not have. Here, I expect to use one single set of wiring (power line communication, more precisely) to access from the SG-1000 (in the basement) to the Airport Extreme to be located in the living room, ground floor and expect that this Airport Extreme will distribute, together with the main network, the guest (or IoT) network via wifi from the living room (which should be enough for that not-very-useful-so-far network). I hope this can work. It does not work (of that I am sure) from my Time Capsule located in the attic. The Time Capsule, even when it was connected to the Airport Extreme (then configured as the router creating the guest network) only relays the main network, and ignores the existence of the guest network (the packets of which it receives nevertheless, I believe).

Now that my belt and suspenders seem to be on (with my possibility to reset by console the SG-1000 to factory default), I will start attempting to create a VLAN tagged 1003 guest network on the SG-1000. Just a question of time. Then I will be able to report here if the Airport Extreme sees the guest network (as Darko Krisik's does) or not.

Thanks for your contributions. Sorry for believing Spanish was your language.
 
Reply by michelangelo (OP). Joined Apr 24, 2008; 271 messages; location West of Paris. Mac specs: MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
I forgot to summarise this thread. My bad. Here it goes. On thread <http://www.mac-forums.com/security-awareness/344390-guest-network-risk.html?highlight=>, I state that my implementation at my home of Darko Krisik's suggestion works. The Apple Extreme was (and now the new Time Capsule and Airport Express are also) great devices able to tag (when acting as a router) and handle (when acting as a wifi access point) a VLAN tagged with a VLAN tag 1003. All of that on a single backbone ethernet wiring.
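The mechanism the thread relies on (main network untagged, guest network tagged 1003, both carried over one backbone wire and separated again at the access point) is ordinary 802.1Q tagging. The following is an added example, not code from this thread, from Apple or from Netgate: it builds and parses 802.1Q-tagged Ethernet frames and applies an assumed per-port policy of the kind a VLAN-aware access point would enforce on its backbone port. The MAC addresses and payloads are constructed sample values; the only thread-specific value is the guest VLAN id 1003. The policy drops any tag other than 1003 so a stray or unexpected VLAN can reach neither network, which is the isolation the posts above want.

```python
import struct

# 802.1Q constants (standard values)
TPID_8021Q = 0x8100        # tag protocol identifier announcing a VLAN tag
ETHERTYPE_IPV4 = 0x0800
GUEST_VID = 1003           # guest-network VLAN id the thread reports for AirPort devices

# Assumed per-port policy on the backbone port of a VLAN-aware access point:
# untagged frames belong to the main network, frames tagged 1003 belong to the
# guest network, and any other tag is dropped rather than leaked to either side.
ALLOWED_VIDS = {None: "main", GUEST_VID: "guest"}


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    if vid is not None and not 1 <= vid <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    frame = mac(dst) + mac(src)
    if vid is not None:
        tci = (pcp << 13) | vid              # PCP in the top 3 bits, DEI 0, VID in low 12 bits
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ethertype)
    return frame + payload


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18       # mask off PCP and DEI
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame):
    """Decide which network a frame arriving on the backbone port belongs to."""
    return ALLOWED_VIDS.get(parse_frame(frame)["vid"], "drop")


def demo():
    # Constructed sample traffic: a main-network client (untagged), a guest client
    # whose frame was tagged 1003 by the router, and a frame carrying a tag that the
    # policy never allowed (for example a tag injected by a misconfigured device).
    frames = [
        build_frame("00:11:22:33:44:01", "00:11:22:33:44:aa", b"main payload"),
        build_frame("00:11:22:33:44:01", "00:11:22:33:44:bb", b"guest payload", vid=GUEST_VID),
        build_frame("00:11:22:33:44:01", "00:11:22:33:44:cc", b"stray tag", vid=10),
    ]
    return [classify(f) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)  # main, guest, drop
```

Run as a script to see the three verdicts; `parse_frame` can also be pointed at any raw frame bytes captured on the backbone to confirm whether the guest traffic really arrives with tag 1003, which is exactly the question the thread set out to answer.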
 
