Thought I'd let the networking gurus take a stab at this one.
I recently picked up a Vizio XWR-100 based on its good reviews, range, simultaneous dual band, and price - hard to beat > $60! Plus, it's nice to look at, and we all know WAF is critical. We frequently have guests, and having to give out the network key, allow access to the other computers etc. can be problematic, especially when some joker wants to move files around, or worse. Before ordering I breezed through the manual and thought it would work to set up an open "guest" network with the AP Isolation setting, which allows clients access only to the Internet and not to the rest of the network. This would work, except it would have to apply to ALL 2.4GHz traffic.
My plan was to use two 2.4GHz SSIDs, one highly secure with full access, and one less secure with Internet access only, but that isn't possible. Each band can use AP Isolation or not, but that's it. You can have two 2.4GHz SSIDs but the 2nd one just uses WEP only for older devices, which is useless to me since that just makes the network far less secure. Suppose I were to enable AP Isolation on 2.4GHz - inevitably someone will go out on the deck with a device that does not support 5GHz, and ask "why can't I print" or "why can't I access pictures on the WHS" etc.
I'm not sure about how secure AP Isolation or guest networking (i.e. HTTP authentication) is concerning local network access. Also debating whether the "guest" network should be secure at all; I won't use it, and I think it highly unlikely someone would be close enough to snoop packets and I have guests at the same time. Plus I'd still have to deal with people who can't enter a damn password. Bandwidth/connection stealers, though I doubt this likely in my neighborhood, could be dealt with via excluding MAC addresses, though that's not bulletproof (is it?).
And here's a really hard question for you: any way to allow guests access to a printer, but not the rest of the network? I can foresee that being a problem.
Here's what I'm considering:
Option #1
Keep the Vizio XWR-100, enable AP Isolation on 2.4GHz, use WPA2 on 5GHz & don't broadcast the SSID. 2.4GHz could use WEP so it works with whatever and lets guests feel more secure, or be open so I have less to deal with. Only difficulty will be those home devices which are 2.4GHz only and need network access, though Netflix streaming etc. would be unaffected.
Option #2
Get a 2nd XWR-100, disable the DHCP server and use it like an access point. Both 5GHz networks could be secure with local access, expanding range on that band (if I put one in another location), and one 2.4GHz network could be isolated, the other not. Not sure what kind of problems this might cause, including interference, multiple network confusion, etc.
Option #3
Exchange the XWR-100 for a Linksys/Cisco E4200 (or the like), with a true HTTP authenticated guest network alongside each band. Still have to give out a password (*sigh* - call me irritable, but you would think a password like "guest" would be easy ... do I just have idiots for friends?) and for your trouble, no encryption. I'd gain in wireless speed for sure, but that's not critical as nearly all major traffic is wired. Some devices might not play nice with the need to authenticate via a webpage, again causing headaches for me.
All thoughts & ideas appreciated!