Option for guest wifi at branch office

  • 1
  • Question
  • Updated 3 years ago

hello,

I have a lot of remote sites.

I would like to offer guest wifi that is tunneled back to a central location where the gateway to the Internet exists.

I think one solution for this is creating a VPN session using CVG as the VPN terminator and the AP as the VPN client.

I am in Japan and my reseller in Japan said that they don't sell CVG.

Here is my question.

1) Is using CVG the typical and recommended way for my scenario?

2) If not, what are the other options?

Thanks in advance.

RK


RK

  • 8 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1
Fraser Hess

  • 2 Posts
  • 1 Reply Like
If you have existing site-to-site connectivity you can use a GRE tunnel to an access point at the central location. This is what I do.
Kushar Perera

  • 13 Posts
  • 2 Reply Likes
Just wondering if the reseller was confused due to the term CVG. The new product part code is AH-VG-VA.
BTW, what type(s) of WAN connectivity do you use? There might be a way around it.
RK

  • 8 Posts
  • 0 Reply Likes

Fraser, Kushar,

Thank you very much for your comments.

As we have existing site-to-site connectivity, I think a GRE tunnel is the answer for my environment.

I have a couple more questions, but I will play around with the AP first.


Dan Mellem

  • 52 Posts
  • 1 Reply Like
If you don't care about the tunneling or giving them an outside IP address, you could drop them off on a VLAN and set up firewall rules in the User Profile and your routers to prohibit access to your LAN. Their traffic would be on the WAN, but it'd keep you from having to create a tunnel. It can also help save some of your outside addresses if you normally do a NAT and didn't want to dump your guests on the outside.
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
Due to various "behaviours" with regards to GRE tunnelling which I believe are currently the topic of much debate within Aerohive, you need to be very careful when implementing a large GRE deployment across a WAN. Specifically, you need to be aware of the way that broadcast, multicast and unknown unicast traffic will traverse the GRE tunnels. The current implementation can result in a VERY large amount of traffic traversing your WAN - if you have sites with low-capacity WAN links and more than a couple of APs at each site, this behaviour CAN cause significant issues (like saturating the WAN link at the remote site).

Wherever possible, I would strongly recommend using alternatives to GRE tunnels, especially in large deployments, so that you are not spanning a broadcast domain across the WAN.

By far the best solution, if your network can accommodate it, is to use VRFs or some other layer-3 virtualisation mechanism to provide a separate routing domain across the WAN for guest users. This provides you with traffic isolation and ensures broadcast domains do not span the wide area network.

If you cannot do this, and your security policy allows it, an alternative is to allow guest traffic to traverse the corporate network and to use Aerohive firewall rules and ACLs if necessary on the LAN to firewall off the guest traffic from your corporate network.
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I have tended to trust the ability of modern switches to maintain broadcast domain separation with VLANs when configured correctly. (Be warned, older silicon did have various security issues with its handling of 802.1Q.)

In conjunction with User Profiles / ACLs at the edge in the AP and any that are felt to be necessary on the LAN, you get sufficient isolation in my opinion.

Tunneling isn't strictly necessary when that's available; it's just a belt-and-braces means to isolate guest traffic. It is most useful when isolated broadcast domains via VLANs aren't available or an overlay approach is more pragmatic for political or operational reasons.

Then, yes, you'll want to ensure a separate routing domain too as Roberto mentions.
RK

  • 8 Posts
  • 0 Reply Likes

Thank you for many replies.

Originally I was going to isolate the guest traffic using the Aerohive firewall, DHCP and NAT.


1) The IP address of the AP at the remote branch is 10.10.10.11/24.

2) The AP acts as DHCP server and hands out IP addresses from 192.168.11.x/24 to guest devices.

3) Traffic from guest devices is NATed to 10.10.10.11 and goes to the Edge Firewall at the central location.

4) On the Edge Firewall, 10.10.10.11 is NATed to a public IP address and goes out to the Internet.

5) The Aerohive firewall denies guest device traffic to any private IP address, allowing only the Internet.


Is this what you guys are saying as an alternative to tunneling?

Thanks in advance.


Dan Mellem

  • 52 Posts
  • 1 Reply Like
Bill and I are essentially saying the same thing. But, you need to be cautious since your guests will be on the same network as your clients, so you need to filter layer 2 traffic as well so they only see the ARP for the router IP address and anything else needed by the guest. You'll also need an allow to and from the router IP address before your deny. Finally, you'll want to defend against ARP flooding through (possibly forged) probes since that can overwhelm your switch. You really should have more isolation if possible.
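The ordering point in the reply above (an allow to and from the router IP must sit before the private-address deny) is easy to get wrong. The following is an added, constructed model of a first-match-wins guest ACL using the addresses RK posted (guest subnet 192.168.11.0/24, branch router 10.10.10.254); it is not Aerohive code and does not reproduce the HiveOS User Profile syntax. It evaluates the same set of probe flows against a correctly ordered policy and against one where the deny comes first, so the effect of the misordering (the guests lose their default gateway) is visible. The probe names, the 203.0.113.10 "Internet" address (a TEST-NET-3 documentation address) and the helper names are all assumptions made for the example.

```python
"""Ordered guest-ACL model (constructed example, not Aerohive or HiveOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Rules are evaluated top-down; the first match wins."""
    action: str      # "allow" or "deny"
    src: IPv4Net
    dst: IPv4Net
    note: str = ""


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr)


# Addresses taken from the thread.
GUEST = net("192.168.11.0/24")     # guest subnet handed out by the AP's DHCP server
ROUTER = net("10.10.10.254/32")    # carrier-managed branch router, the default gateway
ANY = net("0.0.0.0/0")

# Destinations a guest must never reach: all RFC 1918 space plus link-local.
# 192.168.0.0/16 also covers the guest subnet itself, so guests cannot reach each other.
PRIVATE: List[IPv4Net] = [
    net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16"), net("169.254.0.0/16"),
]


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "deny") -> Tuple[str, str]:
    """Return (action, note) of the first matching rule, or the implicit default."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.note
    return default, "implicit default"


# Building blocks, assembled in two different orders below.
ROUTER_RULES = [
    Rule("allow", GUEST, ROUTER, "guest -> branch default gateway"),
    Rule("allow", ROUTER, GUEST, "branch default gateway -> guest"),
]
PRIVATE_DENIES = [Rule("deny", GUEST, n, f"guest -> {n} blocked") for n in PRIVATE]
INTERNET_ALLOW = [Rule("allow", GUEST, ANY, "guest -> Internet")]

# Correct: the gateway exception precedes the blanket private-space deny.
CORRECT_POLICY = ROUTER_RULES + PRIVATE_DENIES + INTERNET_ALLOW
# Misordered: 10.0.0.0/8 is denied before the router allow is ever reached.
MISORDERED_POLICY = PRIVATE_DENIES + ROUTER_RULES + INTERNET_ALLOW

# Constructed probe flows from one guest client (all destinations are assumptions).
PROBES: Dict[str, Tuple[str, str]] = {
    "gateway":     ("192.168.11.20", "10.10.10.254"),
    "branch host": ("192.168.11.20", "10.10.10.50"),
    "other guest": ("192.168.11.20", "192.168.11.21"),
    "hq server":   ("192.168.11.20", "172.16.5.10"),
    "internet":    ("192.168.11.20", "203.0.113.10"),
}


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Map each probe name to the action the policy takes on it."""
    return {name: evaluate(rules, s, d)[0] for name, (s, d) in PROBES.items()}


if __name__ == "__main__":
    for label, policy in (("correct", CORRECT_POLICY), ("misordered", MISORDERED_POLICY)):
        print(f"{label}:")
        for name, action in audit(policy).items():
            print(f"  {name:12s} {action}")
```

Running it shows that the misordered policy denies the "gateway" probe while the correct one allows it; every other probe gets the same verdict in both, which is exactly why this mistake tends to survive a quick test against an internal host. Traffic originating from a non-guest, non-router source (for example a branch workstation probing a guest) falls through to the implicit deny in both policies.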
RK

  • 8 Posts
  • 0 Reply Likes

Thank you for all replies.

I did not explain my environment well.

At the branch office, there is one router and one L2 switch.

The outside interface of the router faces the WAN.

The inside interface of the router is 10.10.10.254/24, which is the default gateway for every device in the branch office.


WAN-----router-----L2 switch-----AP------guest


As my carrier manages the router, I cannot log in and change the config.

Thus even if I create another VLAN (192.168.11.x) on the L2 switch, the VLAN is isolated from other networks.




Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Can you not replace the switch with one that can perform routing?
RK

  • 8 Posts
  • 0 Reply Likes

Thank you very much, Nick.

It is not impossible, but that is one of the last things I want to do.

I have about 50 branch offices which are designed the same way.



Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Sure, that makes sense; it sounds like tunnelling to provide an overlay network would be your best option then.