Everything Instant On

  • 1.  Aruba InstantOn APs – Guest WiFi Network Setup & VLAN Query

    Posted 03-24-2025 03:27 AM

    Hi All,

    We have two Aruba InstantOn AP22 units in our office, connected to an Aruba InstantOn switch. I'm setting up a Guest WiFi network (172.16.x.x) for visitors, ensuring it remains separate from our employee network (192.168.x.x).

    I created the guest network using the "Specific to this network (default)" option and assigned static DNS servers. However, this option does not provide a VLAN selection.

    Devices can successfully connect to the guest WiFi and receive an IP from the 172.16.1.0/24 range. My question is:

    • Is DHCP for the guest network handled by the AP itself, or is it coming from our firewall, which manages DHCP for our office network? I don't see any of the guest WiFi network's connected devices under the assets list in our firewall.
    • Devices on the guest network cannot directly ping or connect to the employee network. Is this level of isolation sufficient?
    • Would it be better to create a separate VLAN, set up an employee network in the Aruba InstantOn portal, and assign it to that VLAN for better segmentation?

    Looking forward to hearing your thoughts!
    Thanks,
    Kirubakaran



    ------------------------------
    Kirubakaran Vethamoorthi
    ------------------------------


  • 2.  RE: Aruba InstantOn APs – Guest WiFi Network Setup & VLAN Query

    Posted 13 days ago

    If you tag the SSID, it would drop you into said VLAN, and whatever the IP helper or DHCP is would take over from there for that VLAN. You can let the AP handle it as well, yes.



    ------------------------------
    Jer Sam
    ------------------------------



  • 3.  RE: Aruba InstantOn APs – Guest WiFi Network Setup & VLAN Query

    Posted 12 days ago

    The Instant On hotspot is kind of "Hotspot Light". I believe it creates its own wireless network, does DHCP and DNS redirection onboard, and enforces isolation via NAT and access rules. The reason your firewall does not see the clients is that the traffic is NATed through the AP IP, so all your firewall sees are the AP MAC & IP address for all the hotspot clients.

     

    As far as sufficient security, that is a reasonable question. Even with the access rules, client traffic is technically traversing your main LAN to get to the gateway. I am not 100% comfortable with that myself; all it takes is a firmware bug or unknown security issue to accidentally expose the production LAN, and Instant On is not bug free. For my small businesses it's a risk vs reward issue. With light hotspot traffic for small numbers of guests, most of which are known, I have used the hotspot this way. It's not like a potential vulnerability is exposed to the entire internet; it is just exposed to the range of the WiFi radio. For larger venues that might be a more attractive target, that actively advertise the hotspot and have many completely anonymous users, I have decided that it is not sufficient security and have created an isolated wireless network and VLANed it directly to a dedicated firewall port, then used a firewall hotspot landing page. If your needs extend beyond that, there are 3rd party dedicated hotspot gateway/controllers you can look into rather than using a generic firewall.

     

    Jim G