Guest Internet Access via FON Routers

A couple of weeks ago I was talking to Yusuf about setting up wireless internet access at my workplace for guests. In the past we had them plug into our wired network, but the downside of this is that unless you have very expensive DNAC equipment like InfoExpress, or have static NAC configured (very cumbersome), your guests are clients on your main office network and can wreak havoc if their computers have viruses or are otherwise exploited.

Network infection via guests is a real vector and one of which companies should be very afraid. Ideally guests would always be on a separate VLAN.

One way to acheive this is to use a FON router to sandbox guests into a separate VLAN. The FON routers have two SSIDs, a private one that is WPA2 protected that gives full access to the local network, and a public SSID that is (by default) completely separate from the main network and guests on this VLAN cannot talk to computers on the main network, only through to internet IP addresses.

Using the friends and family feature of FON, you can set up a custom username and password that your office guests can use to authenticate on the public SSID (multiple logins with a single credential is possible).

This kills two birds with one stone because you not only have secure access to your own network via WPA2 (which is generally considered to be unbreakable using today’s technology) and you offer guests wifi access to the internet without allowing them access to your internal network.

A couple of things are on my FON wishlist:

  • Seamless handover between FON access points on both public and private SSID
  • Proper resolution of NetBIOS names on the private SSID (even though its on a different subnet from the main network)
  • Better tolerance for old network drivers (this is a big one because in quite a few cases clients using older drivers could not connect to FON even though they could use other wifi networks – older Intel drivers in particular seem to be a problem)
  • More powerful customisation options for the FON portal
  • On the La Fonera+, allow the extra wired ethernet port to optionally connect to the public FON network instead of the private network

One other thing to bear in mind is that if you choose this solution, you allow anybody to use your bandwidth when authenticated through the FON network. Depending on your corporate policies, this may or may not be a problem for you. If bandwidth is the only issue, on the public SSID you can optionally limit this to as little as 512Kbps to make sure that guests don’t hog your pipeline.