Wifi suggestions in a small business

I apologize I haven’t investigated this a great deal in advance, but I would appreciate some clarification and advice.

I work for a small business (~20 users and wired computers) in an old converted four story house. About a year ago, I replaced the router with a Peplink 20. The rest of the building is connected via a series of dumb gig switches. At the time, they had no desire to have wifi, so I didn’t push for anything more.

Now, of course, they have a need for wireless, for both employees and customers.

What I would like is two separate wifi networks. One allowed on the internal network, WPA2 encrypted, for employees. A separate open (or possibly password protected) network that is isolated from the internal network.

Based on the layout of the building and where the router is located, there’s no way an integrated router and AP would provide sufficient coverage. So I need the ability to have multiple APs.

Peplink seems like the right solution. But I need to make sure I get the right stuff.

I was looking at the AP One In Wall and putting it between the Balance 20 and a downlink switch, but it only has 100M network ports (is that right?)

The other option is the AP One AC mini. And just run a few new wires direct to the Balance 20 or more likely a single PoE managed switch.

Or is the AP One 300M worth twice the price? I guess it saves the money having to run new wiring.

Next question, I know the Balance Routers can manage APs. Is the Balance 20 sufficient for this? And does it have the features to create the isolated wifi network? Or do I need something running the InControl software?

Thanks for any input on my configuration. I’d be happy to answer any questions.

  • Steve

Hi Steve,

Yes.

This depends on whether 802.11ac and concurrent dual band support are needed in your environment. If the majority of your wireless clients support 802.11ac, then you should consider the AP One AC Mini. Please refer here for a comparison.

This depends on how many APs you want to implement. The Balance 20 supports a maximum of 10 APs. Please refer here for more details.
Guests can be isolated by our Layer 2 Isolation feature.
There is no specific requirement to run InControl2. InControl2 is our Cloud Based Device Management and Monitoring System. You need to register an account and your devices in InControl2. InControl2 can manage APs as well. Please take note that the Balance router will have higher priority if both have AP management enabled. Please refer here for a better understanding of InControl2.

Just so I’m clear, the Layer 2 isolation feature means that for a given SSID, those clients won’t be able to talk to anything else on the local network, even if a completely flat network with basic dumb switches? And I could setup a second SSID that does allow access to the local network? And control it all from the Balance 20? I’m thinking maximum four APs will be needed.

Hello,

Correct, any clients connected to a SSID that has Layer 2 isolation enabled will only be able to talk to other users connected to that SSID and no one else.

Sounds like you will just need to create 2 SSIDs:

  1. Guest SSID - Layer 2 Isolation enabled
  2. Staff SSID

This will allow Guest to go to the internet and not allow access to the internal network.

Also, it is recommended to have the same SSID/password if using multiple APs, for wireless roaming purposes.

I realize this is an old post. I finally got approval to put in wifi. I ended up with 3 x AP One Minis. Again, this is a completely flat network. I’ve turned on layer 2 isolation on the guest network. I’m managing the APs with the Balance 20 (I can’t currently use InControl because the warranty is expired on the Balance 20). Unfortunately, I can still access everything on the internal network.

So reading on the feature, it just talks about limiting clients to the same vlan, which includes all of the wired clients.

I’m not sure how to proceed. I’m guessing I need to implement a separate vlan for the wireless network. Not seeing that capability in Balance 20 though. Is there something else I can do to make this work?

Hi,

L2 Isolation limits the access between Wifi clients only. If you need to limit the access between Wifi and wired clients, you need to enable L2 isolation and Guest Protect. However, Guest Protect is only supported on the Balance 305 and above.

I suggest creating a separate VLAN for the wireless network and disabling Inter-VLAN routing.

Create a separate VLAN on the Balance 20

  • Network > Network Settings > “?” of IP Settings > here > Proceed > New LAN.

Disable Inter-VLAN routing

  • Network > Network Settings > New created Vlan > Network Settings > Uncheck Inter-VLAN routing

Hope this helps.

Alright, I’ll see what I can do. The business just has basic dumb switches and the APs are spread throughout the building. I guess maybe I could do WDS? One plugged into the router so it can be on a different VLAN?

Edit: I’ve looked at the VLAN settings on the Balance 20. This is what I think I’ll need to do:

  1. Create new VLAN, give it an ID and IP settings (dhcp, etc). I assume the “Inter-VLAN routing” would allow the second network to communicate with the first?
  2. Edit the original VLAN to give it an ID (is this necessary?)
  3. Set the port that feeds the internal network to ‘Access’ and the first VLAN
  4. Set another port as a trunk with both networks to connect the first AP to

This is where I’m lost. I’m not sure how to set the vlan on the AP for its network port (I can set the vlan for the SSID). Or where to manage WDS. Maybe I can’t do it with AP management on the Balance 20? And have to use the Web InControl? Or do I have to manage the APs individually?

Hi,

WDS is not recommended. Since the APs are deployed in the building, line of sight may not be there. Even if WDS can be established between the APs, I believe the throughput may not be good. I suggest each AP has a wired connection back to the Balance 20. If the distance is too far, a managed layer 2 switch is needed.

1. Create new VLAN, give it an ID and IP settings (dhcp, etc). I assume the “Inter-VLAN routing” would allow the second network to communicate with the first?
Just disabling Inter-VLAN routing will do.

2. Edit the original VLAN to give it an ID (is this necessary?)
You can’t edit it, and there is no VLAN ID for the original VLAN. It is an untagged VLAN.

3. Set the port that feeds the internal network to ‘Access’ and the first VLAN
Yes.

4. Set another port as a trunk with both networks to connect the first AP to
Trunk port with Any VLAN for the ports that connect to APs.

This is where I’m lost. I’m not sure how to set the vlan on the AP for its network port (I can set the vlan for the SSID). Or where to manage WDS. Maybe I can’t do it with AP management on the Balance 20? And have to use the Web InControl? Or do I have to manage the APs individually?

I believe you will create 2 SSIDs on each AP (one for the untagged VLAN and another for the new VLAN). You just need to set the correct VLAN ID on the SSIDs; the Ethernet port of the AP will act as a trunk port automatically. FYI, an SSID has a default VLAN (VLAN 0). This is an untagged VLAN which can communicate with the untagged VLAN on the Balance 20.
Managing the APs with the Balance 20 is a good idea!

Hope this helps. Thanks.
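
A check for the setup described in the last reply, as an added example that is not part of the original thread or Peplink's own tooling: it parses Ethernet frames captured on an AP uplink, reads the 802.1Q tag, and flags guest-subnet traffic that is not carried in the guest VLAN. The VLAN ID 20 and the subnet 192.168.20.0/24 are assumed values, and the sample frames are constructed.

```python
import ipaddress
import struct

# Assumed values for this example (not from the thread): guest VLAN ID 20,
# guest subnet 192.168.20.0/24. The original LAN stays untagged.
GUEST_VID = 20
GUEST_NET = ipaddress.ip_network("192.168.20.0/24")
TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800

def parse_frame(frame):
    """Return (VLAN ID or None if untagged, source IPv4 or None if not IPv4)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    src = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        src = ipaddress.ip_address(frame[offset + 12:offset + 16])
    return vid, src

def audit(frames):
    """List IPv4 frames whose VLAN tag does not match their source subnet."""
    findings = []
    for i, frame in enumerate(frames):
        vid, src = parse_frame(frame)
        if src is None:
            continue  # ARP, IPv6 and other non-IPv4 frames are not checked here
        is_guest = src in GUEST_NET
        if is_guest and vid != GUEST_VID:
            findings.append((i, str(src), vid, "guest traffic outside guest VLAN"))
        elif not is_guest and vid == GUEST_VID:
            findings.append((i, str(src), vid, "non-guest source inside guest VLAN"))
    return findings

def build_frame(src_ip, vid=None):
    """Constructed test frame: Ethernet, optional 802.1Q tag, bare IPv4 header."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    ip = bytes([0x45, 0]) + bytes(10) + ipaddress.ip_address(src_ip).packed + bytes(4)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip

# Constructed sample: staff (untagged), guest (tagged 20), guest leaking untagged.
SAMPLE = [build_frame("192.168.1.50"), build_frame("192.168.20.31", vid=20),
          build_frame("192.168.20.44")]
print(audit(SAMPLE))
```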