Guest Internet Access via FON Routers

A couple of weeks ago I was talking to Yusuf about setting up wireless internet access at my workplace for guests. In the past we had them plug into our wired network, but the downside of this is that unless you have very expensive DNAC equipment like InfoExpress, or have static NAC configured (very cumbersome), your guests are clients on your main office network and can wreak havoc if their computers have viruses or are otherwise exploited.

Network infection via guests is a real vector and one of which companies should be very afraid. Ideally guests would always be on a separate VLAN.

One way to achieve this is to use a FON router to sandbox guests into a separate VLAN. The FON routers have two SSIDs: a private one, protected by WPA2, that gives full access to the local network, and a public SSID that is (by default) completely separate from the main network. Guests on the public VLAN cannot talk to computers on the main network; they can only reach internet IP addresses.

Using the friends and family feature of FON, you can set up a custom username and password that your office guests can use to authenticate on the public SSID (multiple logins with a single credential is possible).

This kills two birds with one stone: you not only have secure access to your own network via WPA2 (which is generally considered to be unbreakable using today’s technology), but you also offer guests wifi access to the internet without allowing them access to your internal network.

A couple of things are on my FON wishlist:

  • Seamless handover between FON access points on both public and private SSID
  • Proper resolution of NetBIOS names on the private SSID (even though it’s on a different subnet from the main network)
  • Better tolerance for old network drivers (this is a big one because in quite a few cases clients using older drivers could not connect to FON even though they could use other wifi networks – older Intel drivers in particular seem to be a problem)
  • More powerful customisation options for the FON portal
  • On the La Fonera+, allow the extra wired ethernet port to optionally connect to the public FON network instead of the private network

One other thing to bear in mind is that if you choose this solution, you allow anybody to use your bandwidth once they have authenticated through the FON network. Depending on your corporate policies, this may or may not be a problem for you. If bandwidth is the only issue, you can optionally limit the public SSID to as little as 512 Kbps to make sure that guests don’t hog your pipeline.

Is Apple Wireless Friendly?

With the great success of the iPhone and iPod Touch, you’d think Apple would be sitting pretty as the king of wireless networking. Plus, Apple has a reputation for making relatively complicated tasks more user friendly by having more streamlined UI than the competition.

However, my experience with Apple’s networking products has been pretty disappointing. Not because they don’t work well (they do), but because they are the most confusing and user-unfriendly wifi products I have used, ever.

My first foray into Apple’s wifi products was the Time Capsule. The idea behind this is excellent, to have NAS built into the router so that backup for Mac users is painless by just having to flip a switch to turn Time Machine on. Whether the user is plugged in or not, this still works behind the scenes, eliminating the biggest barrier to having regular users back up.

The idea is great; the implementation, well, not so smooth. Out of the box, the Time Capsule seemed to work okay, until I tried connecting via wifi. This didn’t work at all, no matter what I did. It would connect, and then drop, and I’d then have to reset the router and then rinse, repeat, ad infinitum. I found others on forums had the same problems, with no solution. In the end, this magically started working a few weeks later with a firmware update to 7.3.1. That’s nice, but you’d think that basic wireless connectivity would have been better tested before release.

Today I picked up an Airport Express so that I could extend the range of the network to cover our entire apartment. This device also shipped with what I would consider broken firmware, and I had to upgrade to 7.3.1 before it would do anything useful. It’s now working okay (I think), but only after about an hour of tinkering.

My main beef with Apple is that the documentation is so simple. When it works, it works great. When it doesn’t work, you just have to scratch your head and go to Google, because God forbid Apple have any useful troubleshooting resources online to scare the non-tech-savvy users away.

One point which I find thoroughly confusing is that the Airport Express has an option to either participate in a WDS or to “Extend wireless network”. Both of these options appear to be variations of the same thing, but I can’t figure out what the difference is between the two of them. A lot of people are asking the same question.

After a lot of searching, I still don’t know what the difference is, except that maybe the option to “Extend wireless network” is sort of like WDS on steroids. However, I have no idea, and there’s no information on this that I can find. Apple doesn’t explain this anywhere either, even though the two options are obviously different.

The most important question I have which is as yet unanswered is whether either of the two options supports seamless handover of clients between different access points on the same network.

Long story short: Apple wifi products work great once they’re configured. Good luck trying to get them configured correctly.