Help with network layout
To do this properly, you need to have something a little better than a TP-Link shitbox. In my opinion the easiest for you here would be pfSense, simply because (no disrespect intended) you are unlikely to have the expertise to configure a Cisco or command-line-based firewall.
pfSense - https://pfsense.org/
You can simply use an old PC with enough network interfaces to accomplish this task. For what you are doing it doesn't even need to be anything of high specification. I have attached an image to make this look a little easier on the eye; bear in mind this was done in Paint and I'm not an MSPaint god.
The ADSL modem should be able to provide a PPPoA or PPPoE bridge to allow the public address to be routed to a firewall/gateway appliance. This allows the firewall to take care of the NAT (Network Address Translation) and prevent a double NAT scenario that is just a pain when it comes to networking environments.
ADSL Modem (Bridge Mode) >> pfSense WAN port (this provides the external WAN connection)
pfSense LAN port (second network interface in the machine) >> Internal Switches >> Business Client Devices
pfSense OPT1 port (third network interface in the machine) >> Wireless AP >> Guest WiFi clients
You can create firewall rules between interfaces to prevent Guest WiFi users accessing the internal network of your business and vice versa. Some things to be aware of for security reasons when providing WiFi to 'Guest' users: assume everyone is a bellend and wants to break into your network or disrupt it. By doing what you currently have, you have left a wide open access route for Guest users to attack the internal business network. I could roll up outside your offices, get my laptop in range of your Guest WiFi and cause havoc. I won't do that, but bear in mind that someone could.
So, we need to separate the Guest WiFi onto its own interface and subnet, and give it traffic shaping to prevent the guest members from affecting normal business operations. You don't want someone on your guest network crippling the internet because they are downloading 40MB gif images of cats from imgur. You will also need to make sure the AP supports Isolation mode to prevent each Guest user from seeing another Guest user's device on the WiFi network. This is pretty common these days and is found on 90% of access points from reputable vendors.
I would be happy to help give you some pointers on how to set up pfSense, what firewall rules you would likely need and an overview of how to navigate around the interface. It is a community project at the end of the day.
This would give you the feature set of an enterprise-grade firewall; whether you use those features or not is up to you. Think for the future: you may need to traffic shape, add additional redundant ADSL connections, etc.; the list goes on. If you do this now, you can have a feature set on the firewall/edge device which is future-proof.
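The guest/LAN separation described in the post above, as an added example that is not part of the original post: a small Python model of first-match rule evaluation for traffic entering on the OPT1 (guest) interface, which is how pfSense processes rules on the interface where traffic arrives. The subnets, addresses, probe targets and the rule set itself are assumptions chosen for illustration.

```python
import ipaddress

# Assumed addressing (not from the post): business LAN and guest (OPT1) subnets.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.50.0/24")
GUEST_GW = ipaddress.ip_network("192.168.50.1/32")  # firewall's own OPT1 address
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules for the OPT1 interface: (action, destination, port or None = any).
GOOD_RULES = [
    ("pass", GUEST_GW, 53),     # guests may use the firewall as DNS resolver
    ("block", GUEST_GW, None),  # but not its web GUI, SSH or anything else
    ("block", LAN, None),       # no route from guest WiFi into the business LAN
    ("pass", ANY, None),        # everything else (the internet) is allowed
]
# Same rules with the broad pass moved to the top: it shadows every block below it.
BAD_RULES = [GOOD_RULES[3]] + GOOD_RULES[:3]

def evaluate(rules, dst, port):
    """First matching rule wins; no match falls through to the default deny."""
    addr = ipaddress.ip_address(dst)
    for action, net, rule_port in rules:
        if addr in net and rule_port in (None, port):
            return action
    return "block"

def audit(rules):
    """Return the constructed probes whose result differs from the intended policy."""
    if LAN.overlaps(GUEST):
        raise ValueError("LAN and guest subnets must not overlap")
    probes = [
        ("192.168.1.10", 445, "block"),  # constructed LAN file server
        ("192.168.50.1", 443, "block"),  # firewall admin GUI
        ("192.168.50.1", 53, "pass"),    # DNS on the firewall
        ("203.0.113.10", 443, "pass"),   # constructed internet host (TEST-NET-3)
    ]
    return [(dst, port) for dst, port, want in probes
            if evaluate(rules, dst, port) != want]

if __name__ == "__main__":
    print("good order violations:", audit(GOOD_RULES))
    print("bad order violations: ", audit(BAD_RULES))
```

The model ignores protocol and source address to keep the rule-ordering point visible; a real rule set on the guest interface would also restrict the source to the guest subnet.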