2 wireless access points

[Pauldf]

Hi
I am looking to setup two access points in a building (a theatre I am a charity trustee of), one at each end of the building.
I have two Netgear WNAP210 access points connected (hardwired) to a Netgear FVS336G v2 firewall.
I have set each access point on different channels, one at ch5 and one at ch12, both with the same SSID and WPA2 PSK.
Do they also need to be on the same subnet if I want devices to be able to flip between the two APs?

 

[Ichinisan]

If they're both fed from the same router and both are functioning as access points (not as a NAT router), then clients will get their IP/subnet from whichever router provides it via DHCP.

For 2.4GHz in USA region (where only channels 1-11 are available), 1, 6, and 11 are the only non-overlapping channels. You shouldn't use any in-between channels. It's actually more difficult for your router to filter interference from adjacent occupied channels than from another router sharing the same channel. They coordinate with some kind of ready-to-send/clear-to-send exchange.

To make sure it avoids interference from other networks as much as possible, channel width should be set to 20 MHz (otherwise, channels 1 and 11 will be the only ones that don't overlap).

I read somewhere that the FCC defined those 2.4GHz channels 50+ years ago, long before WiFi existed. That's why you have all these in-between channels you should basically never use.

 

[Pauldf]

Thanks,
I am in England, we have 13 channels to play with. I have checked with wifi scanner on my apple laptop and they are not overlapping, the APs are set to use 20mhz channels. The DHCP is being done by the firewall device using VLANs. I currently have the guest network (for the cast etc) set at 192.168.1.* for the first access point and 192.168.2.* for the second, there seems to be a bit of a problem switching between the two, Safari on my laptop just sits there and doesn't load. I was wondering if I set them to the same subnet, i.e. 192.168.1.* for both APs, if this will help matters?
I set them on different subnets to try to separate out wireless devices for virus protection etc, the APs have wireless isolation set on them.
Am I trying to separate them unnecessarily? Would I be better giving the two APs different SSIDs?

 

[ylin0811]

Both access points should be under the same subnet. You should not have different subnets for the same ssid, as that's just asking for trouble.

 

[Pauldf]

Thanks both,
I'll try them on the same subnet and see if this helps.
Is there a simple way of stopping wifi connected devices from connecting to each other when I do this, for virus protection?

 

[ylin0811]

you can see if there is an option to isolate clients locally on the same ap. if there is one available, enable it will simply block communications with clients associated to that ap. however, this won't block clients from communicating each other across two different access points.

the easy way to fix this would be to get a switch that has a "protected port" functionality and enable it on ports that connect to these two access points.

 

[JackMDS]

If your Isolation works it should Not be a problem.

https://www.howtogeek.com/179089/lo...-with-your-routers-wireless-isolation-option/

 

[Pauldf]

I don't think the firewall switch has protected ports, the manual for it is 600+ pages long but I can't see anything about it. As ylin0811 correctly says, I can enable wireless isolation on the access points but that still allows access to devices on the other access point. I thought by putting the two access points on different subnets and denying access between them that this would work. I'm thinking having them on different subnets is what causes safari to stop loading when I get out of range of the original AP which issued the IP address. Am I correct in thinking when I have them on different subnets that my laptop etc doesn't request a new IP address from the DHCP when switching between the two access points?
I'm thinking it may not be a big deal to just put them on the same subnet and not bother trying to get total wireless isolation, it is only so the cast can get on facebook etc. Either this or use different SSIDs for the two.
I have set openDNS as the DNS server for this and applied rules to not allow another DNS in the firewall so access to dodgy websites will hopefully be blocked.
The more important equipment is connected to another VLAN, the access points allow 8 different SSIDs assigned to VLANs

 

[JackMDS]

The isolation does not prevent Accessing APs it prevents Wireless clients that are on the same subnet from accessing one the other, that is isolating them from inner LAN communication, and thus prevents local "Spying" and spread of "Junk".

Read carefully the content of the whole link that I put above.



.

 

[Pauldf]

Hi, I have read the webpage above.
I don't have a simple router as in the webpage, the setup is broadband adsl modem > (WAN) firewall switch (LAN) > 2 x wireless access points.
I have set both APs to the same subnet and switching between the two now works fine.
I have enabled wireless isolation on both APs as in the webpage. This isolates me from seeing other devices connected to the same AP but I can still see devices connected to the other AP and can also see the IP of the firewall switch router.
I don't think the Netgear WNAP210 access points are able to connect just to the internet hiding the hard wired LAN.

 

[ylin0811]

Most simple managed switches that cost less than $100 have protected port features. Just buy one and install in between the router and access points if you are truly concerned about the security, otherwise I don't see a need for it.