As you can see I have multiple Apple Airport Express devices spread over my house. All three Airport Extreme units are configured identically, except for their names and IP addresses. They are connected via my Gigabit Ethernet backbone. They all offer a wireless network called "AirPort" with the same password, so client devices automatically roam between the base stations. My router is an Alix 2d13 board in a 19" case from Varia (with a second Alix board) running pfSense.
The Airport Extreme can activate a secondary Wifi that serves as a guest network.
The guest traffic is routed strictly to the internet, so guests get fast internet access without being able to infiltrate your internal network. So far so great. The documentation states that this feature only works if the Airport Extreme is either the router itself or there is another Airport Extreme in the same network. Neither is the case in my configuration. I still turned on the guest network, and the behavior is: nothing happens, no DHCP, no routing, nothing. Not surprising, because the DHCP service runs on pfSense, where I never configured anything for a guest network.
The question is: Can I use this feature in my environment? The answer is: Yes! And here is how.
The real question is: how do the Airport Extremes share a single Ethernet wiring between the main and the guest network? The solution is simple: VLAN tagging. Whereas the main Wifi sends its traffic untagged, the guest network's traffic carries VLAN tag 1003. Not all routers can do VLAN tagging; this is one reason I use pfSense, which certainly can, and much more. In the main menu go to Interfaces, select (assign) and then VLAN.
Choose the Ethernet interface that carries your normal LAN and Wifi, in my case vr0, and give it a descriptive name. Now click on Interface assignments and click + to add a new interface. It is called OPTx by default; I changed the name to GST (for guest). Now there is one more interface in the main list:
Configure this interface:
In my case I use 10.10.0/24 for LAN and 10.10.1/24 for GST. Now we have
- LAN on the Ethernet with untagged IP packets
- GST on the same Ethernet with IP packets tagged with 1003
The two interfaces share the same Ethernet, but can and will be configured separately. First we need a DHCP server. This is the existing DHCP server for LAN:
and now additionally for GST:
Clients connecting to the guest Wifi should get a DHCP address in the range 10.10.1.100 to 10.10.1.199 and appear in the lease list under Status and DHCP Leases.
Add a rule that allows access to the internet:
The second rule sends all traffic to the outside via the gateway GW_WAN, which is the Internet connection. With this rule active, all clients on the guest Wifi should have full access to the internet. In the traffic graph you can see the activity on all networks:
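To make the two mechanisms above concrete, here is an added Python example (not from this post and not pfSense code) that models what the router sees on the shared wire: it parses an Ethernet frame, assigns untagged frames to LAN and frames tagged 1003 to GST, checks whether a guest address falls inside the 10.10.1.100 to 10.10.1.199 DHCP pool, and then evaluates a small first-match rule table modelled on the rules described in this post. The rule table, the frame builder and all addresses are assumptions for the example; the rule blocking guests from the LAN subnet is the optional restriction mentioned below, not something the post configures.

```python
import ipaddress
import struct

# Values taken from the post: guest Wifi is tagged 1003, LAN is 10.10.0.0/24,
# guest network is 10.10.1.0/24 with a DHCP pool of .100 to .199.
GUEST_VLAN = 1003
LAN_NET = ipaddress.ip_network("10.10.0.0/24")
GST_NET = ipaddress.ip_network("10.10.1.0/24")
GST_POOL = (ipaddress.ip_address("10.10.1.100"), ipaddress.ip_address("10.10.1.199"))

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Hypothetical first-match rule table mirroring the post's pfSense setup:
# (interface, destination network or None for "any", action, gateway).
# The block rule is the optional "forbid access to internal devices" rule;
# the pass rule is the "send everything out via GW_WAN" rule.
RULES = [
    ("GST", LAN_NET, "block", None),
    ("GST", None, "pass", "GW_WAN"),
    ("LAN", None, "pass", None),  # LAN keeps the default route
]


def build_frame(src_ip, dst_ip, vlan=None):
    """Construct a minimal Ethernet/IPv4 frame as test input (constructed data:
    MAC addresses are arbitrary and the IPv4 checksum is left at zero)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        # 802.1Q tag: TPID 0x8100, then priority 0 / DEI 0 / 12-bit VLAN ID
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 17, 0,  # IPv4, 20-byte header, TTL 64, UDP
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address(dst_ip).packed,
    )
    return hdr + ip_hdr


def classify_frame(frame):
    """Return (interface, src_ip, dst_ip). Untagged frames belong to LAN,
    frames tagged 1003 to GST, any other tag to an unassigned VLAN."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, iface = 14, "LAN"
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        offset = 18
        iface = "GST" if vid == GUEST_VLAN else f"VLAN{vid}"
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return iface, None, None
    ip = frame[offset:offset + 20]
    return iface, ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])


def in_guest_pool(addr):
    """True if addr lies in the guest DHCP pool, i.e. looks like a leased guest."""
    addr = ipaddress.ip_address(addr)
    return addr in GST_NET and GST_POOL[0] <= addr <= GST_POOL[1]


def decide(frame):
    """Evaluate the rule table first-match, pfSense style; no match means block."""
    iface, src, dst = classify_frame(frame)
    if src is None:
        return {"iface": iface, "action": "block", "gateway": None, "reason": "not IPv4"}
    for rule_iface, net, action, gw in RULES:
        if rule_iface == iface and (net is None or dst in net):
            return {"iface": iface, "action": action, "gateway": gw, "reason": "rule"}
    return {"iface": iface, "action": "block", "gateway": None, "reason": "default deny"}


if __name__ == "__main__":
    for src, dst, vlan in [("10.10.1.120", "198.51.100.10", 1003),
                           ("10.10.1.120", "10.10.0.5", 1003),
                           ("10.10.0.5", "198.51.100.10", None)]:
        print(src, "->", dst, decide(build_frame(src, dst, vlan)))
```

The interesting case is the guest client talking to 10.10.0.5: it is carried on the same cable as LAN traffic, but the tag puts it on GST, where the guest rule set, not the LAN one, decides what happens to it.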
It is up to you whether you want to allow your guests access to your internal infrastructure. You can still allow this, but add more rules to forbid access to specific devices. Either way, your guests do not have to know your primary Wifi password. I hope this blog post helps you set up a similar environment. Feel free to add a comment or a question.