
Eircom f1000: Separate SSID, VLAN, & subnet?

  • 24-02-2016 8:27pm
    #1
    Registered Users Posts: 2,797 ✭✭✭


    The IT admin at the job of someone living here regularly logs in remotely to the work laptop. For security and peace of mind, I would like to have that work laptop and the wireless work printer on a separate SSID, separate VLAN, and separate subnet. If we could still access the wireless work printer with devices on the normal SSID that would be a bonus. The main aim here is to restrict the work laptop from accessing anything on the network other than the printer. I am not sure all of this is possible with the Eircom f1000, perhaps someone more familiar could help me out? I can connect to the second SSID, and receive an IP from the second subnet, but there is no Internet access.

    Changes I have made so far:

    In network setting >> home networking >> LAN setup >> I changed the subnet mask to 255.255.255.128 which should split the 192.168.1.0 network in two. I then changed the IP addressing values >> ending IP address >> to 192.168.1.126 which is the last host of the first subnet.


    Then in network settings >> wireless >> more AP >> I enable the first additional SSID, and rename it WLAN2. I have tried with guest WLAN disabled, enabled with access scenario set to home guest (it shows a diagram where clients on the new SSID can only communicate with other clients on the same new SSID and the Internet), and enabled with access scenario set to external guest (diagram shows clients on the new SSID can communicate with the Internet only).


    Next I set the SSID subnet to enable, the DHCP start address to 192.168.1.129, the DHCP end address to 192.168.1.254, the SSID subnetmask to 255.255.255.128, and the LAN IP address to 192.168.1.128 (when troubleshooting later I tried setting this to 192.168.1.1, in case for some reason the DG was required instead of the subnet IP, but when I did this it gave an error about the subnet mask).


    Connecting my phone to WLAN2 to test it does receive an IP in the second subnet, 192.168.1.129, but there is no Internet access.

    Some other settings on the router that may be of use:

    [Screenshots of router settings; images not preserved.]


Comments

  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    This does not seem to work very well on the f1000, which does not shock me as parental control to block domains also does not work.

    In my efforts to create a separate SSID for security I bricked the modem several times, so beware, and do not attempt this without the means to fix it.

    I think it was caused by (but am not sure this is the only reason) setting the separate SSID set to subnet clients into 192.168.2.0 and the interface group I created, consisting of the second SSID and VDSL (you have to select a WAN connection), also configured to assign clients into the same network.

    Fortunately, as I had a USB to TTL serial cable, I was able to telnet to the bricked router, which was unresponsive to Ethernet and Wi-Fi and kept restarting after a few minutes, to fix it. The commands to enter are ATBR, which resets the config to the default romfile, and then ATSR to reboot.

    Below I have detailed what I tried to create the second SSID in a secure sandbox. I tried with both of these set and individually.

    1. Second SSID, with and without subnetting to 192.168.2.0, with and without guest WLAN enabled, and set to guest home and guest external. Depending on the version of the firmware you are using, devices connected to the SSID with guest WLAN enabled may or may not be able to access the Internet. This was fixed in firmware version 1.00(AAKL.7)C0. There is an AAKL.8 (dead links on kitz.co.uk but working links if you Google) available but I do not think it is officially released by Zyxel and as I kept bricking the router I flashed AAKL.7.

    2. Interface group configured with VDSL and the second SSID, with and without configuring it in home networking to assign clients to 192.168.2.0

    There is a VDSL option on the router, but it only applies to LAN ports.

    Right now I am running with the second SSID enabled, set to assign clients to 192.168.2.0, guest WLAN home guest set, and the interface group not enabled. Intermittently/constantly (this may depend on firmware version but I have found none that work properly), from hosts on the 192.168.2.0 SSID I can ping clients on the 192.168.1.0 network, even with guest WLAN guest external set which should make it so hosts on the second SSID cannot even communicate with hosts on the same SSID, never mind clients on the original SSID. Using Wireshark I can also see traffic from the entire network when connected to the second SSID.

    As I mentioned, blocking domains also does not work on the f1000/VMG8324-B10, which is already enough to prompt me to pick up a new router. That in addition to the issues I have just described took me over the line, and a few days ago I ordered a Netgear Nighthawk R7000 1900ac. There are newer versions of this router but there is a well supported and working version of DD-WRT firmware for the R7000.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    I'm not really surprised, you're looking for enterprise level features on a low end device.


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    "I'm not really surprised, you're looking for enterprise level features on a low end device."

    It must have escaped you, these are features the router configuration has options for, they just do not work and/or brick the device, as it is a PoS.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    dusf wrote: »
    It must have escaped you, these are features the router configuration has options for, they just do not work and/or brick the device, as it is a PoS.

    You're right, I glanced over it. I don't like networking products supplied in Ireland. They are low end pieces of crap for the most part. In this case, there is so much functionality added to what I consider a low end device that it's always going to lead to problems.

    "Next I set the SSID subnet to enable, the DHCP start address to 192.168.1.129, the DHCP end address to 192.168.1.254, the SSID subnetmask to 255.255.255.128, and the LAN IP address to 192.168.1.128 (when troubleshooting later I tried setting this to 192.168.1.1, in case for some reason the DG was required instead of the subnet IP, but when I did this it gave an error about the subnet mask). "

    LAN IP address of 192.168.1.129. In theory 128 works, but it's hit and miss. I hope you're using 192.168.2.1 as the gateway on the current attempt.

    "Right now I am running with the second SSID enabled, set to assign clients to 192.168.2.0, guest WLAN home guest set, and the interface group not enabled. Intermittently/constantly (this may depend on firmware version but I have found none that work properly), from hosts on the 192.168.2.0 SSID I can ping clients on the 192.168.1.0 network, even with guest WLAN guest external set which should make it so hosts on the second SSID cannot even communicate with hosts on the same SSID, never mind clients on the original SSID. Using Wireshark I can also see traffic from the entire network when connected to the second SSID."

    Broadcast traffic? I would assume that guest wifi mode enables a VLAN itself, adds a static route (0.0.0.0 to VDSL gateway) and off you go. I don't suppose you enabled some sort of dynamic routing which would defeat the purpose of that. Your routing tables should really only consist of two static routes to the VDSL gateway, 1 for each subnet. Or added in some static entries of your own. Does the F1000 show a routing table?
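
Added example, not part of any post in this thread: a check of the addressing plans discussed above (the 255.255.255.128 split with 192.168.1.128, 192.168.1.1 or 192.168.1.129 as the SSID's LAN IP, and the later 192.168.2.0 network), using Python's standard `ipaddress` module. The function names are hypothetical, and the mask and DHCP pool of the 192.168.2.0 plan are assumed because the thread does not give them.

```python
import ipaddress

def check_ssid_plan(gateway, netmask, dhcp_start, dhcp_end):
    """Return the problems found in a per-SSID subnet plan ([] = consistent)."""
    iface = ipaddress.ip_interface(f"{gateway}/{netmask}")
    net, gw = iface.network, iface.ip
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    reserved = {net.network_address: "network",
                net.broadcast_address: "broadcast"}
    problems = []
    # The router's own address on the SSID must be a usable host address.
    if gw in reserved:
        problems.append(f"gateway {gw} is the {reserved[gw]} address of {net}")
    # Every leased address must sit in the same subnet as the gateway.
    for label, addr in (("DHCP start", start), ("DHCP end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in reserved:
            problems.append(f"{label} {addr} is the {reserved[addr]} address of {net}")
    if start > end:
        problems.append("DHCP start is above DHCP end")
    elif start <= gw <= end:
        problems.append(f"DHCP pool includes the gateway address {gw}")
    return problems

def subnets_overlap(a, b):
    """True if two CIDR blocks share addresses, i.e. are not separate subnets."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

# Values from the thread; mask and pool of the last plan are assumed.
MASK = "255.255.255.128"
PLANS = {
    "LAN IP .128": ("192.168.1.128", MASK, "192.168.1.129", "192.168.1.254"),
    "LAN IP .1": ("192.168.1.1", MASK, "192.168.1.129", "192.168.1.254"),
    "LAN IP .129": ("192.168.1.129", MASK, "192.168.1.129", "192.168.1.254"),
    "192.168.2.0": ("192.168.2.1", "255.255.255.0", "192.168.2.2", "192.168.2.254"),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        print(f"{name}: {check_ssid_plan(*plan) or 'OK'}")
    print("halves overlap:", subnets_overlap("192.168.1.0/25", "192.168.1.128/25"))
```

A plan that passes only shows the addressing is consistent; whether the router actually keeps the two subnets apart still has to be tested from a client on each SSID.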


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    Sorry for late reply.

    "LAN IP address of 192.168.1.129. In theory 128 works, but it's hit and miss. I hope you're using 192.168.2.1 as the gateway on the current attempt."

    I was indeed.

    "Broadcast traffic? I would assume that guest wifi mode enables a VLAN itself, adds a static route (0.0.0.0 to VDSL gateway) and off you go. I don't suppose you enabled some sort of dynamic routing which would defeat the purpose of that. Your routing tables should really only consist of two static routes to the VDSL gateway, 1 for each subnet. Or added in some static entries of your own. Does the F1000 show a routing table?"

    I did not make any manual changes to static routes or dynamic routing.

    I have now retired the f1000 to use purely for the backhaul. I love my Netgear R7000 flashed with DD-WRT, and I have only scratched the surface of what it can do. The latest things about it that have impressed me:

    - The guest Wi-Fi just works.

    - The samba feature just works, all of the time, rather than going to sleep after a period as happened with the f1000.

    - Using Privoxy you can block ads on all devices, without manually configuring ad-block on every browser, and I think it gets the ads on devices and programs you cannot install adblock on, like Samsung TV Tizen OS running ITV player or All 4 - I have not finished this yet.

    - Set up a private SVN code repository in your home running from the router.

    It seems with DD-WRT, when I wonder and start googling if a feature is something it can do, the answer is usually yes :rolleyes:

