Unfortunately it's not possible to set up a real Guest Network with my FritzBox AP anymore…
When the FritzBox gets the DHCP addresses from the IP-Fire and not from its own service anymore, there is no possibility to set up a Guest Wireless Network where the clients are not allowed to talk to each other…
So my guests are directly in my Wireless Network…
But: the guests should just use Internet and should not be allowed to connect to any other device in the WLAN…
The devices in the internal WIFI must be able to communicate with each other instead…
Now: is the following configuration possible?
Is it possible to change the orange DMZ somehow so that it can be used as an additional Guest WIFI?
For example with hostapd…
It should also be behind a firewall etc.
I think you mean that your AP gets one IP from the DHCP server in the Green network.
Why not use the BLUE network for your AP? The BLUE network is designed to separate the LAN from the Wireless LAN (or “WLAN”).
Okay… I guess I have to explain the present configuration and then what I want more in detail.
I have:
RED - connected to a FritzBox router that is just used as a modem. The connection to the Internet is set up through PPPoE by the IP-Fire.
Green - internal network - NAS, Some PCs and a Raspberry for Home Automation
Blue - a WIFI for my mobile phones; notebooks that are connected through WIFI and some ESP32 home automation; Raspberries for gaming or 3D printing…
Blue is connected to a second FritzBox that creates the WIFI.
At Blue the devices should be able to communicate with each other. Otherwise this WIFI would make nearly no sense.
And: Blue is able to communicate with Green (everything already done by a general “Deny” rule and then only allowed connections in some cases)…
So far - so good - works very well…
And now the thing I want in addition to these 3 networks is a WIFI for guests:
It should have
a different SSID
a different password
no connection to Blue or Green
and there should only be a connection to the Internet through a firewall.
Effectively I want to separate these 4 networks:
Internet (red)
Internal (green)
Wireless (blue)
Guests
I tried to set this additional Guest Network up at the FritzBox router that's connected to BLUE…
When the Fritzbox is the one that dials to the Internet and sets DHCP-Addresses that is no problem at all…
But in my case these 2 jobs are done by the IP-Fire and so I don’t have the option to create a Guest Network anymore…
It seems I recall folks using orange as you desire. It requires adding something to do dns and dhcp for your orange net. Some use a Raspberry Pi running DNSMasq for those services. I have not done this myself.
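As an added example (not from this thread or from the IPFire project), this is what a Raspberry Pi acting as the guest AP in orange could look like: a hostapd configuration with its own SSID and key that stops guest clients talking to each other, and the dnsmasq fragment that supplies the DHCP and DNS orange lacks. The interface names, the orange subnet 192.168.3.0/24, the SSID and the passphrase are assumed values.

```ini
# /etc/hostapd/hostapd.conf
# Constructed example: wlan0 is bridged (br0) with eth0, which sits in orange.
interface=wlan0
bridge=br0
driver=nl80211
# Assumed SSID, distinct from the blue network's SSID
ssid=Guest-WLAN
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
# WPA2-PSK with its own passphrase (assumed placeholder, replace before use)
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ChangeMeGuestOnly
# Guests may not talk to each other: the AP does not forward
# frames between associated stations
ap_isolate=1

# /etc/dnsmasq.d/guest.conf
# Constructed example: dnsmasq on the Pi (192.168.3.2) serves the orange segment only.
interface=br0
bind-interfaces
# Lease range inside the assumed orange subnet; default gateway is IPFire's orange address
dhcp-range=192.168.3.100,192.168.3.200,255.255.255.0,12h
dhcp-option=option:router,192.168.3.1
# Guests resolve through dnsmasq on the Pi, which forwards upstream
dhcp-option=option:dns-server,192.168.3.2
```

Client isolation on the AP only covers the radio side; what the guest segment may reach towards green or blue is still decided by the IPFire firewall rules.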
So why did you not take your “blue” WLAN network into your green network, because you have no restrictions between blue and green, and then use the blue network for the guests?
Wouldn’t it then be easier to transfer the blue network to the green network and add the devices that are now in green to a firewall group and generate exceptions via this than to configure a DMZ network from scratch with iptables to a normal 3rd network?
For example, I have fixed IP addresses in the green network that are not in the dynamic range of the DHCP and then the WLAN devices that are connected via AP in the dynamic range. The blue network is for the IoT devices.
Of course it would be easier to put the Fritzbox into the green Network…
But if I always went the easy way, I would have used FORWARD ALLOWED as default.
And: at WIFI there are also some devices I don’t trust completely.
My girlfriend, for example, is not always the first person who does security updates on her mobile phone…
It's good when this phone is not directly in the green network and only has access through the firewall to some of the devices with only a handful of ports…
And: the mobile phones of my guests would also still either be in my Green or in my Blue Network…
And I don’t like the idea of both of them!
At the moment I'm thinking about the possibility that I run an additional FritzBox (I still have one here) in the orange network as the guest WIFI device…
There's no need for port forwarding or anything like that…
The FritzBox has a DHCP server, the option that nobody is allowed to talk to each other and a built-in firewall (that always allows connections from the internal network, which I really dislike) - so I guess this could work.
And: I don’t have to give “Blue Access” and Internet Access to everybody who is in this network…