this post was submitted on 04 Mar 2024
72 points (100.0% liked)

Selfhosted

46677 readers
639 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
72
Benefits of running 2 Wi-Fi networks from the same router? What are the downsides? (I don't know if there is a better community for this question) (discuss.tchncs.de)
submitted 1 year ago by [email protected] to c/[email protected]
61 comments fedilink hide all child comments
 

I am worried that there is not really a benefit of doing that, just more noise and energy consumption.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 1 year ago (2 children)

Why would you want to do this, anyway? Or, as I as a developer regularly have to ask our sales people: what do you actually want to achieve that led you to this question?

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

Here's my use-case, I'm pretty sure the first 2 are pretty common (common enough to be supported by most OEM firmware):

  • main LAN
  • guest LAN (isolated from "main" but can access internet)
  • IoT LAN (isolated from internet, can be accessed from "main"; prevents devices from phoning home)
[–] [email protected] 4 points 1 year ago (1 children)

But you don't need several LANs for this. This can easily done with proper routing. A can access internet and internal network addresses. B can only access internet, and C can only reach internal addresses.

[–] [email protected] 8 points 1 year ago (2 children)

I'm curious. How would you identify who's guest and who's not in this case?

With multiple networks it's pretty easy as they are on a different network.

[–] [email protected] 1 points 1 year ago

MAC whitelist.

[–] [email protected] 1 points 1 year ago (2 children)

That's what MAC whitelists are for. Your DHCP server should be able to handle this.

Identify your friendly devices and give them one setting with everything (full subnet and correct default GW). Identfy your IoT devices, and give them another (full, or specially limited subnet mask, and fake default GW, maybe a different nameserver, too). Anything else is guest and gets a very limited subnet mask and a working default GW.

[–] [email protected] 12 points 1 year ago (1 children)

This is not the way to do it. The correct way would be multiple SSID's with each tagged to their own VLAN.

Each VLAN has its own subnet. You can then use a zone based firewall, to allow the zones(subnets) to access each other.

You can also then apply QOS, to limit guest network speeds, prioritize LAN traffic etc.

And zone based firewalls are stateful, you can do rules such as LAN can reach IOT, but not the other way. Or IOT can only reach the IOT server, on specific ports.

[–] [email protected] 1 points 1 year ago (2 children)

I know that this would be the most secure way. But I seriously doubt that this level is necessary in a normal home network.

[–] [email protected] 4 points 1 year ago (1 children)

"Necessary" is a little ambiguous. You could argue that wifi is unnecessary for a normal home network.

[–] [email protected] 1 points 1 year ago (1 children)

Well, I think it is necessary if you have mobile devices. Anything nailed down should be connected by wire, but if it is mobile, it should get the connection. Especially if the cell phone link is not that good inside the house.

[–] [email protected] 1 points 1 year ago

None of my mobile devices are "necessary," though. Honestly, I could live just fine without an internet connection. Not that I'd enjoy it, but that's not necessary.

[–] [email protected] 2 points 1 year ago

My solution is the correct way and easier way. You don't need MAC address white-list. You just have a guest SSID with DHCP on, they get the IP from the subnet in that zone. No crazy subnet hacks etc.

Can I join your guest network, sure. Let me just grab your mac address, login to the DHCP server, create a reservation with a limited subnet mask that can still see the default gateway.

Or can I connect to you guest network, sure here is the code or scan that QR code. That's it, they're in the guest VLAN and subnet, zoned off on the firewall and have QOS applied to not saturate the network.

[–] [email protected] 8 points 1 year ago

For anyone reading this, please don't follow this advice. It's terrible and basically security through obscurity

[–] [email protected] 5 points 1 year ago (1 children)

It's more like: I know people do this, but I don't, so I wanted to see what was the reasoning behind these things.

[–] [email protected] 2 points 1 year ago (1 children)

Then why don't you ask the people who do this?

[–] [email protected] 4 points 1 year ago (1 children)

Emm... I did, it's this post 😅

[–] [email protected] 1 points 1 year ago (2 children)

I'm pretty sure I don't do this ;-) I know how routing works.

[–] [email protected] 7 points 1 year ago

You know just enough to do it the wrong way apparently

[–] [email protected] 2 points 1 year ago

You know how routing works, but not wireless networks apparently.