Setting up multi-network (gold) with Mesh Router
OK, before my Gold arrives, I wanted to understand my options for setting up isolated networks. For example for IoT devices and for guests. I plan to run my Gold as my router, and I will be using Eero as my mesh AP (I've read the wiring docs, so I get how to do that part of it).
Since the Eero is going to be my wifi AP, is there any way for me to even establish these other networks? The Eero does have a guest wifi mode on it, but I don't have any idea how that plays here, if at all. And I don't see how I would create a separate network for wifi IoT devices without having to set up a completely separate wifi network (with completely separate hardware).
-
OK, doing a little more reading on Eeros, it appears they have no VLAN support whatsoever; they actually do MAC address isolation to support their guest network.
I presume I can actually do something similar with the Gold? That might at least be able to give me the moral equivalent of a separate IoT network (setting up device specific rules).
Is there any concept of device profiles that would help me here?
-
Here is my understanding.
1. When the eero is in bridge mode, you can create a guest network that will have a new SSID, say "guest".
2. All the "SSID guest" traffic will have the source IP of the eero unit.
3. To apply policy to SSID guest, you just need to apply policy to the Eero IP (tap on Devices -> [find eero device] -> [turn on porn block, for example]; it will be applied to all guest traffic).
-
Hmmm... Interesting. I assume that would also work if I wanted to set up an isolated IoT network instead.
I'm actually considering swapping my eero pro 6 for a tp-link deco x60 mesh network (less than half the price) since I really only need AP...
Do you happen to know anything about how the TP-Link devices work in this scenario?
-
We did a posting on the X60 and eero pro 6 before; we like both. The X60 (Costco version) is decent and the price point is perfect (around $200). And it works nicely with Firewalla Gold in AP mode. We did not test this unit's guest access in AP mode, so not sure if it will work the same way as the eero.
The Eero wifi 6 is definitely faster, and with our unofficial test, it is likely to have a better range. Plus we know the eero support is really good.
If you need best value for the $, TPLink is good. But if you have a few extra $, eero is not bad either.
-
Yeah, I've read the TP-Link is pretty slow in wifi backhaul.
As far as wiring goes, I was planning on adopting the recommended wiring for Eero; essentially ONT -> FWG -> Eero (with everything downstream from that).
Will the above suggestion on Guest network still work with that wiring? Seems like all devices will look like they are coming from the Eero?
-
Curious if this ends up working. My setup is Firewalla Purple as main router, wired to the main Eero. Then the "inside" of the network goes from the 2nd port of that main eero to a gigabit switch and the rest of the house, which has 3 more eeros (so backhaul is ethernet) and 2 wireless eeros (backhaul is wifi). Eeros are in bridge mode.
Firewalla: quarantine is on, so if someone joins the main network and happens to know my weak password, they're isolated.
Turn on the guest network ON EERO; it makes MyNetGuest and does DHCP / NAT on the eero for me in a 192.168.11.x subnet, while my main network is 172.x.x.x. The eero, as I say, does the NAT and then puts the packets on the network with its own source IP, so to the Firewalla it looks like the eero is doing the traffic, which is then allowed by the quarantine.
However, I only do this for large gatherings, temporarily, because it's definitely double NAT to the Net and I don't like the traffic having to be isolated by MAC address, which guests can and do change; it then falls outside any groupings. So I just turn it on, don't care about that traffic for a few days when folks are around or visiting, and turn the guest network off. I am also concerned about doing any restrictions on the IPs of the eeros; that could screw up their inter-communication or their own needs to the Net. Doing it by MAC address wouldn't affect them, but then clients easily can fall out of that pool.
For longer-running IoT subnets or anything else, I do it entirely with the Firewalla: create a new subnet in the app, have an IoT device join the main SSID, and then place that MAC address into that subnet on the Firewalla. (I don't know how to have TWO SSIDs broadcast from the same eeros, if that's even possible.) If the device ever changes its MAC address it will be quarantined, so it won't work, but at least I'll know. Mostly only phones automatically change virtual MAC addresses.
The end result is:
Main network - you need to know the password, but many do. If they haven't been here in a while or I removed them from the Firewalla and they join, they're quarantined, reliably.
Guest network - short-lived. Just turn it on in the eero app, done. Phones/guests automatically join the password-less MainNetGuest network; traffic is allowed by the Firewalla, but as the eeros are doing the NAT they don't allow anything destined for the local subnet (like file servers, TVs, audio players). After a gathering, I turn it off. You could leave it on, it's not insecure, I just don't like to.
IoT or other networks - long-lived. Create in the Firewalla, device joins, manually place it in the new network in the Firewalla. Works forever; if the device changes its MAC address it gets quarantined. Friends whose devices I allow onto the main network past quarantine still work, as the default is the main network, so a friend who wants to stream to my Apple TV, say.
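The two approaches described in this thread, policy keyed on the eero's IP for the NAT'd guest SSID (the numbered steps above) and MAC-based placement with default quarantine for IoT devices (the post above), are easy to reason about with a small model. The following is an added example, not code from Firewalla or from anyone in the thread, and every MAC, IP and class name in it is a constructed assumption; only the 172.x.x.x main range and the 192.168.11.x guest range follow the thread. It shows why all guest clients collapse into one policy target after the eero's NAT, why an IoT network can still be isolated from the LAN by MAC, and what happens when a device randomizes its MAC.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set

# Constructed sample addresses (hypothetical, not from the thread).
EERO_MAC = "aa:bb:cc:00:00:01"          # LAN MAC of the eero in bridge mode
EERO_IP = "172.16.0.2"                  # LAN IP the eero uses for NAT'd guests
MAIN_LAN = ip_network("172.16.0.0/16")  # main network (thread says 172.x.x.x)
GUEST_LAN = ip_network("192.168.11.0/24")  # eero's guest range (thread: 192.168.11.x)
INTERNET_HOST = "198.51.100.7"          # TEST-NET-2 address standing in for a website
FILE_SERVER = "172.16.0.20"             # constructed LAN host


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    category: str = "general"   # content category a filter would assign, e.g. "adult"


class EeroGuestNat:
    """Eero guest SSID in bridge mode as the thread describes it: guests get a
    192.168.11.x address and the eero NATs them, so every packet that reaches
    the Firewalla carries the eero's own MAC and IP (double NAT)."""

    def forward(self, pkt: Packet) -> Packet:
        if ip_address(pkt.src_ip) not in GUEST_LAN:
            raise ValueError("not a guest client")
        return Packet(EERO_MAC, EERO_IP, pkt.dst_ip, pkt.category)


class Firewalla:
    """Minimal model of the policy in the thread: devices are placed into
    networks by MAC, unknown MACs land in quarantine, and per-device rules key
    on the source IP the firewall actually sees."""

    def __init__(self, mac_to_network: Dict[str, str]):
        self.mac_to_network = {m.lower(): n for m, n in mac_to_network.items()}
        self.blocked_categories: Dict[str, Set[str]] = {}   # src_ip -> categories

    def block_category(self, src_ip: str, category: str) -> None:
        self.blocked_categories.setdefault(src_ip, set()).add(category)

    def network_of(self, pkt: Packet) -> str:
        return self.mac_to_network.get(pkt.src_mac.lower(), "quarantine")

    def decide(self, pkt: Packet) -> str:
        net = self.network_of(pkt)
        if net == "quarantine":
            return "block"          # quarantined devices get nothing
        if pkt.category in self.blocked_categories.get(pkt.src_ip, set()):
            return "block"          # "device" rule, really a rule on that IP
        if net == "iot" and ip_address(pkt.dst_ip) in MAIN_LAN:
            return "block"          # IoT network: internet only, no LAN access
        return "allow"


def guest_traffic_demo() -> dict:
    """Two guests behind the eero NAT are indistinguishable to the Firewalla,
    so a category block placed on the eero's IP hits all guest traffic."""
    fw = Firewalla({EERO_MAC: "main"})
    fw.block_category(EERO_IP, "adult")   # the "porn block" applied to the eero device
    nat = EeroGuestNat()
    guest_a = Packet("02:11:22:33:44:55", "192.168.11.10", INTERNET_HOST, "adult")
    guest_b = Packet("02:66:77:88:99:00", "192.168.11.11", INTERNET_HOST, "general")
    seen_a, seen_b = nat.forward(guest_a), nat.forward(guest_b)
    return {
        "indistinguishable": (seen_a.src_mac, seen_a.src_ip) == (seen_b.src_mac, seen_b.src_ip),
        "adult_blocked": fw.decide(seen_a),
        "general_allowed": fw.decide(seen_b),
    }


def iot_demo() -> dict:
    """An IoT device placed into the 'iot' network by MAC reaches the internet
    but not the LAN; the same device with a randomized MAC is quarantined."""
    iot_mac = "dc:a6:32:00:00:99"
    fw = Firewalla({EERO_MAC: "main", iot_mac: "iot"})
    to_internet = Packet(iot_mac, "172.16.0.50", INTERNET_HOST)
    to_file_server = Packet(iot_mac, "172.16.0.50", FILE_SERVER)
    randomized = Packet("02:de:ad:be:ef:01", "172.16.0.50", INTERNET_HOST)
    return {
        "iot_to_internet": fw.decide(to_internet),
        "iot_to_lan": fw.decide(to_file_server),
        "randomized_network": fw.network_of(randomized),
        "randomized_mac": fw.decide(randomized),
    }


if __name__ == "__main__":
    print(guest_traffic_demo())
    print(iot_demo())
```

The model makes the trade-off in the thread explicit: the NAT-based guest network gives one coarse policy target and no per-guest visibility, while MAC-based placement gives per-device policy but silently drops a device into quarantine the moment its MAC changes, which is the detection signal the post relies on.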
-
I see, interesting. So basically everything in your house is connected directly (wifi or wired) to your Eero network, then Eero -> FWG -> WAN?
I was kind of hoping I could do VLAN tagging or something similar with the wifi so that the FWG could identify the traffic on the IoT SSID and quarantine it?