Guest network with Purple and Linksys Velop

Comments

9 comments

  • Rich T.

    Creating the network in Firewalla shouldn't really do anything. It certainly won't change settings on your Velop. The only things I can think of that might cause big issues like you had, would be:

    • If you didn't select type VLAN (not sure if this is possible if you already had the LAN working)
    • If you selected WAN as the port for the Guest Network
    • If the DHCP settings conflicted with your existing network (not sure it'll let you do that either).

    I think what you'd want, is to set a name, select Type VLAN, give it a VLAN ID (say 3) and select the LAN port. The others you can leave or change if you have a preferred IP range. Then click save. It should not affect anything you currently have working.

    Now, the comment "I called it "Galaxy-guest" which is what Velop also uses as the guest network name " leads me to believe that you think giving it the same name as the WiFi guest network will isolate the guest network to this new VLAN. Unfortunately, that's probably not the case. The VLAN ID is the key here, and the Velop would need to allow you to say "tag everything on Galaxy-guest as VLAN ID 3" and then if the Purple VLAN you just set up received a DHCP request from a device with a VLANID of 3, it would put it on that new network.

    I don't believe Velop supports VLAN tagging through the UI but it may actually use VLANs to isolate the Guest network, in which case you may be able to get it to work if you can figure out what VLANID it uses. A quick search brought up this post: https://www.reddit.com/r/HomeNetworking/comments/a71049/vlan_help_for_wireless_iot_devices/ where the person says it may use a VLAN ID 3, so you may want to try that and hope to get lucky. If not, there may be ways to find it (if it uses VLANs at all), but I don't know enough to tell you how to for sure (you'd need to be able to SSH to the Velop to start).

    I'm far from an expert on this stuff, so don't take anything I have above as gospel, but I believe it's mostly accurate.

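The VLAN ID discussed in the comment above is carried in a 4-byte 802.1Q tag inside each Ethernet frame. As an added example (not part of any post in this thread), this Python sketch reads that tag from raw frames taken from a packet capture and counts which VLAN IDs appear; the frames and the `build_frame` helper are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q VLAN tag
TPID_8021AD = 0x88A8  # outer "service" tag used for stacked VLANs (QinQ)

def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype) for a raw Ethernet frame; tags is [] if untagged."""
    offset = 12  # skip destination MAC (6 bytes) and source MAC (6 bytes)
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        # TCI = 3-bit priority, 1-bit drop-eligible flag, 12-bit VLAN ID
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4

def vlan_ids_seen(frames):
    """Count frames per outermost VLAN ID; the key None means untagged."""
    counts = {}
    for frame in frames:
        tags, _ = parse_vlan_tags(frame)
        vid = tags[0]["vid"] if tags else None
        counts[vid] = counts.get(vid, 0) + 1
    return counts

def build_frame(vid=None, ethertype=0x0800):
    """Constructed sample frame: broadcast dst, locally administered src, zero payload."""
    macs = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return macs + tag + struct.pack("!H", ethertype) + bytes(46)

# Constructed capture: one untagged frame, two tagged VLAN 3, one tagged VLAN 10
SAMPLE_FRAMES = [build_frame(), build_frame(3), build_frame(3), build_frame(10)]

if __name__ == "__main__":
    for vid, n in vlan_ids_seen(SAMPLE_FRAMES).items():
        print("untagged" if vid is None else f"VLAN {vid}", n)
```

If guest traffic from an access point only ever shows up under the untagged key, the access point is not tagging it on the wire and a VLAN defined on the router will not separate it.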
  • David Vaughan

    Hello Stephen, in the nature of a side comment rather than a response to your stated problem, I have a Velop within my network, in bridge mode supervised by a Purple. After reading various things including at Linksys (item 6 here: https://www.linksys.com/cz/support-article?articleNum=140727 ) I decided not to use the Velop guest network for anything on [paranoid?] security grounds. It has no encryption, not even weak. The captive portal approach may mean it will not work with IoT devices anyway, and that could even have been part of your problem (I am just guessing there).

    Fortunately, IoT devices tend to be low value targets so it may not matter at all, and the separate VLAN (what a guest network is) should keep everything else safe. I do suggest that you omit the word "guest" from whatever name you give it though.

    My IoT runs on a separate physical AP in a VLAN under a Gold. I do not offer a guest network because visitors are either trusted family or can use their own cell data.

  • Stephen Ball

    Now, the comment "I called it "Galaxy-guest" which is what Velop also uses as the guest network name " leads me to believe that you think giving it the same name as the WiFi guest network will isolate the guest network to this new VLAN.

    That is certainly not what I think, I called it that simply to suffix my SSID with guest, the confusion is the fact that the Velop (or the app at least) then suddenly seemed to think its Guest network feature was enabled.

    I don't want to use the Velop guest network, that wasn't my issue, I assume it wouldn't make sense to use the Velop guest network anyway because the Firewalla presumably wouldn't be able to tell the 2 apart.

    What I was doing was "Create Network" select Guest network as the template, selected the Wifi interface and set the SSID and password that was all, I left all other settings alone initially; and then no devices which were on the Velop Wifi network, connected to the LAN port on the Firewalla are able to get an IP.

    I have done the same this morning with a completely unrelated SSID and again now in exactly the same position, I suspect you may be right that it is supposed to be a VLAN, but I am not entirely sure why setting up a guest LAN on the wifi interface of the Firewalla would screw up the LAN on the LAN interface of the Firewalla to the extent that no devices connected to the Velop are receiving an IP.

  • Stephen Ball

    Yeah so if I try to use the "Guest Network" template, select the Wi-Fi interface but change the type from LAN to VLAN it tells me "An Ethernet port is required to create a VLAN" which is what I thought.

    I think I give up trying to set up a guest wifi network for now. Now to actually set up my IoT VLAN

  • David Vaughan

    Just to clarify, no, I did not consider your use of "guest" in your network naming to have anything whatsoever to do with your apparent problems. My suggestion to omit the word "guest" from the network name was based solely on the general security principle of not using or embedding default or otherwise obvious words when naming accessible things.

    Regarding the rest, if you do not need it then good idea not to use it. Linksys Velop guest networks are a low impact but easily exploited security hole, or so it appears from published information.

    Clarifying one more thing, the guest network is a VLAN. I am not presuming anything there. "Guest" is a marketing term, also used to forgive themselves for doing it badly.

    My wild guess on your problem was that, having set up a guest network with a captive portal login, your system(s) were stopping at the non-visible portal waiting for a user login action which could not be undertaken because it was not visible, had no interface to user actions. I do not regard this as simply solvable nor worth solving.

  • Stephen Ball

    I see what you mean about the name, I created it with a completely unique name this morning which doesn't contain the word guest. 

    I am not trying to use the Velop guest network, I am trying to use the Firewalla Purple's guest network. I know what a captive portal login is but I am not sure what that has to do in this case, does the Firewalla set up a captive portal login? If so why would that impact the Main Network?

  • David Vaughan

    My error then, Stephen. I took it you were trying to set up the Velop's guest system, hence all my comments in relation to (and against) that.

    I do not use my Purple's WiFi at all so have no comment on that.

  • Stephen Ball

    No worries.

    Nah the question about the Velop was because it seemed to think its guest network had been turned on so I wondered if maybe there was a bug or strange behaviour on the Velop where if it saw a network called <ssid>-guest it acted as if the guest network is on (obviously that would be daft but I wouldn't put anything past Linksys and it was the only explanation I could come up with at the time as to why the Velop app was saying its guest network was on) 😂

     

  • Stephen Ball

    After back and forth with Firewalla support we tracked it down to a faulty power adapter. Turning on wifi obviously makes it draw more power, switched with another 5V/3A power adapter and it works perfectly.

    Not sure what the weird Velop behaviour was about, I must have already had its guest network on although I could have sworn I didn't.
