How do hotels isolate wifi clients? - want to create "rooms" in a hospital



  • hey folks - bit of a networking 201 question here (slightly above novice, but as you can tell, I don't exactly know how to ask the question).

    We want to create a situation where we can have 1 tablet, 1 chromecast and 1 Sonos per room (incidentally in a hospital). The goal is for each room to be isolated. We don't want someone in Room A to play music on the Sonos in room B.

One idea was to use DHCP and tell every client the netmask is /29 and use MAC reservations to ensure the right tablet, Chromecast, Sonos pairing gets in the right /29 subnet.

    Is there a more elegant way?

    What's even the right terminology for this?

    cheers!


  • Rebel Alliance Global Moderator

    Are these the hospital devices, or are they guest/patient devices?

    Is each room going to have their own AP, or are you going to have multiple rooms all on the same AP?

    How many rooms are you talking about? 10, 100, 1000?  Your /29 is part of it - each room is going to need to be its own L2.  This can be done with dynamic vlans.  So depending either via the mac address or the auth used you can dynamically place these devices into their own vlan that isolates them from the other networks.  Your issue will be how many you need ;)

Your issue is not just turning on client isolation in the AP so that wireless devices cannot talk to each other.. Since I assume you're going to want these devices to all be able to talk to each other, and use discovery protocols, they need to all be on the same L2 or vlan.. 10 different rooms is not all that much work to set up - 1000 and it's another story ;)



  • instead of a full blown vlan setup, you could also consider private_vlans (port isolation)


  • Rebel Alliance Developer Netgate

    Without using a separate VLAN and subnet for each room, there wouldn't be a way to easily pull off that kind of isolation.

    If there is an AP in each room, then maybe a private VLAN setup on a switch might help, but even that is cutting it.

    Another choice may be 802.1x logins with a login for everything in the same room, and then have the AP drop the user(s) for each room in their own VLAN.

    So you'd have a user, say r304 in RADIUS. AP set for WPA2 Enterprise (802.11x). RADIUS server replies could be configured to put that user in, say, VLAN 304. Then on the firewall, VLAN 304 might correspond with 10.103.4.0/24, and so on, and so on.
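The RADIUS-driven VLAN placement this post sketches, as an added example that is not from the thread and not Netgate's code: it generalises the single r304 -> VLAN 304 -> 10.103.4.0/24 example into an assumed naming convention (r<floor><two-digit room>), emits the RFC 3580 tunnel attributes an 802.1X-capable AP or switch reads from an Access-Accept, and renders one entry in FreeRADIUS users-file syntax. The naming convention, the 10.<100+floor>.<room>.0/24 scheme and the password value are assumptions.

```python
import ipaddress
import re

# Assumed convention (the post gives only r304 -> VLAN 304 -> 10.103.4.0/24):
#   "r<floor><two-digit room>"  ->  VLAN <floor><room>  ->  10.<100+floor>.<room>.0/24
ROOM_RE = re.compile(r"^r(\d)(\d{2})$")


def parse_room(room):
    """Split 'r304' into (floor=3, number=4); reject anything else."""
    m = ROOM_RE.match(room)
    if not m:
        raise ValueError(f"room id {room!r} does not match r<floor><room>")
    return int(m.group(1)), int(m.group(2))


def room_to_vlan(room):
    """VLAN ID for a room, checked against the 802.1Q VID range 1-4094."""
    floor, number = parse_room(room)
    vlan = floor * 100 + number
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} outside 1-4094")
    return vlan


def room_to_subnet(room):
    """Firewall-side subnet for the room's VLAN (assumed 10.<100+floor>.<room>.0/24)."""
    floor, number = parse_room(room)
    return ipaddress.ip_network(f"10.{100 + floor}.{number}.0/24")


def room_gateway(room):
    """First usable host of the room subnet, i.e. the firewall's VLAN interface address."""
    return next(room_to_subnet(room).hosts())


def radius_reply_attrs(room):
    """RFC 3580 VLAN attributes returned in Access-Accept for this room's user."""
    return {
        "Tunnel-Type": "VLAN",             # attribute 64, value 13
        "Tunnel-Medium-Type": "IEEE-802",  # attribute 65, value 6
        "Tunnel-Private-Group-Id": str(room_to_vlan(room)),  # attribute 81
    }


def freeradius_users_entry(room, password):
    """Render one entry in FreeRADIUS 'users' file syntax: check item line, then reply items."""
    attrs = radius_reply_attrs(room)
    lines = [f'{room}\tCleartext-Password := "{password}"']
    items = list(attrs.items())
    for i, (name, value) in enumerate(items):
        sep = "," if i < len(items) - 1 else ""
        quoted = f'"{value}"' if name == "Tunnel-Private-Group-Id" else value
        lines.append(f"\t{name} = {quoted}{sep}")
    return "\n".join(lines)


if __name__ == "__main__":
    for room in ("r304", "r101"):
        print(room, "-> VLAN", room_to_vlan(room), "->", room_to_subnet(room), "gw", room_gateway(room))
    print(freeradius_users_entry("r304", "PLACEHOLDER-PASSWORD"))
```

The firewall side then only needs one VLAN interface per room carrying the subnet `room_to_subnet` returns, with `room_gateway` as its address; the AP never needs to know the addressing, it only honours the three tunnel attributes.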



  • thanks friends!

    This is helpful and good education for me. I have some answers and some next questions :)

    Initially, for a prototype pilot we're talking about 3-5 rooms. I can, for that use case, put an AP in each room but would rather not.

    Right now we have hospital-owned tablets in all patient rooms. Those tablets, through an MDM (which is, for the sake of this discussion, mostly out of our control), get assigned to a dedicated SSID and VLAN. All tablets are on the same VLAN (which is a 255.255.0.0).

    Things in my control:

    • the wifi setup  (my team runs a separate, air-gapped network from the main hospital clinical network for projects like this)
    • The underlying network for that wifi setup (see bullet above) which is anchored by a Netgate PF box as the main router

    Things kinda in my control:

    • Relationship with the partner who made the custom software for the tablets and runs the MDM

    Things we don't have and could, but add a lot of complexity:

    • RADIUS, Open Directory, LDAP, etc. ... our team doesn't use SSO (we use G Suite for most of our work, and a shared WPA2 key for our team's wifi)  [we don't deal with clinical data in this setup, in case anyone is concerned ;) ]

    Things we don't have at all:

    • 802.1x for Sonos or Chromecast ... unless anyone knows something I don't know, I don't think that's an option for either device/platform.

    So it seems to me, at least for a pilot, we could use MAC addresses and static DHCP assignments and put each device in a /29 network, right?

    Since we're not dealing with clinical data, we don't care if traffic from a tablet can get to another. In other words, this isn't about perfect security, but more about usability.

    Would it work, for instance, to have a network like this:

    10.1.1.0/24
    gateway 10.1.1.1

    Room A
    Tablet A: 10.1.1.20/29
    Sonos A: 10.1.1.21/29
    ChromeCast A: 10.1.1.22/29
    Gateway 10.1.1.1

    Room B
    Tablet B: 10.1.1.30/29
    Sonos B: 10.1.1.31/29
    ChromeCast B: 10.1.1.32/29
    Gateway 10.1.1.1

    In other words, can I 'lie' to each device about the size of the network? I understand assigning a gateway outside the range might be problematic, right?
    (Although I have that problem with all my remote boxes hosted on OVH where my static IPs are in a range different from the gateway and I have to manually add a route for the gateway and it works fine)

    Where would VLANS come into play? Is that simply a different way to tackle this? Or do I still need a different VLAN even if I use subnets to constrain the rooms?

    Thanks for all the help and support (and education!)
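Checking the /29 plan from the post above with Python's `ipaddress` module, as an added example that is not part of the thread: the addresses are taken directly from the post, the 10.1.1.0/24 VLAN and the "problems" wording are mine. The point a practitioner wants to see is where each address really lands once the /29 mask is applied, whether it is even a usable host address, and whether the gateway is on-link; the last function records why the mask alone is not an isolation boundary.

```python
import ipaddress

# Constructed directly from the addressing plan proposed in the post above.
PLAN = {
    "Room A": {"Tablet A": "10.1.1.20/29", "Sonos A": "10.1.1.21/29", "ChromeCast A": "10.1.1.22/29"},
    "Room B": {"Tablet B": "10.1.1.30/29", "Sonos B": "10.1.1.31/29", "ChromeCast B": "10.1.1.32/29"},
}
GATEWAY = ipaddress.ip_address("10.1.1.1")


def check_device(cidr, gateway=GATEWAY):
    """Where does this address actually land once the /29 mask is applied?"""
    iface = ipaddress.ip_interface(cidr)
    block = iface.network
    usable = iface.ip not in (block.network_address, block.broadcast_address)
    return {
        "ip": str(iface.ip),
        "block": str(block),
        "usable": usable,                      # not the block's network or broadcast address
        "gateway_on_link": gateway in block,   # False => the device needs a host route to 10.1.1.1
    }


def room_blocks(plan):
    """The set of /29 blocks each room's devices fall into; a room should map to exactly one."""
    return {room: {check_device(c)["block"] for c in devs.values()} for room, devs in plan.items()}


def problems(plan, gateway=GATEWAY):
    """Human-readable list of defects in the plan as written."""
    out = []
    blocks = room_blocks(plan)
    for room, devs in plan.items():
        for name, cidr in devs.items():
            r = check_device(cidr, gateway)
            if not r["usable"]:
                out.append(f"{name}: {cidr} is the network or broadcast address of {r['block']}")
            if not r["gateway_on_link"]:
                out.append(f"{name}: gateway {gateway} is outside {r['block']}")
        if len(blocks[room]) > 1:
            out.append(f"{room}: devices are split across {sorted(blocks[room])}")
    return out


def shared_broadcast_domain(plan, vlan_network="10.1.1.0/24"):
    """True when every device still sits in the one L2 network the VLAN carries.
    The /29 masks only change what each device believes is local; nothing enforces
    them, so L2 discovery multicast and any device with a wider mask still reach
    every other device. Isolation has to come from the VLAN, not the mask."""
    net = ipaddress.ip_network(vlan_network)
    return all(ipaddress.ip_interface(c).ip in net for devs in plan.values() for c in devs.values())


if __name__ == "__main__":
    for line in problems(PLAN):
        print("-", line)
    print("all devices in one broadcast domain:", shared_broadcast_domain(PLAN))
```

Run as-is it reports that Room A fits in 10.1.1.16/29, but Room B's .31 is the broadcast address of 10.1.1.24/29 and .32 is the network address of 10.1.1.32/29, that the gateway is off-link for every device, and that all six remain in one broadcast domain.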


  • Galactic Empire

    IMO you're overthinking this, re all the subnets.

    No need for subnets per room, especially when you're dealing with Wi-Fi as it will bleed from one room to another.

    802.1x for any type of medical device if required.

    Guest Internet access for any patient, if they BYOD and I'm sure they will, they'll need to go on the same subnet as the Sonos / Chromecast which will need internet access.

    I’m not sure how the Sonos / Chromecast devices work but Apple TVs have a thing called “Conference Room Display” that pop up a 4 digit code that has to match on the users device and Apple TV, this stops person A displaying output in person B’s room.

    Ubiquiti do an in-wall AP that may suit:

    https://inwall.ubnt.com


  • Rebel Alliance Global Moderator

    "802.1x for Sonos or Chromecast ... unless anyone knows something I don't know, I don't think that's an option for either device/platform"

    You do not need this for mac based assigned vlans..

    The proper solution here is dynamically assigned vlans for isolation at layer 2.  Setting the IP on the device to try and isolate at L3 but letting everything run on the same L2 is not the correct solution.. I do not help with borked configs - sorry..

    "we don't care if traffic from a tablet can get to another"

    If you're not worried that a device in room A can talk to B, then just put them all on the same network and pair the devices to what they should talk to.  Sonos is a bit excessive, why not just get a simple bluetooth speaker for the tablet?  Now you're just pairing bluetooth to the speaker and your chromecast will be paired to the tablet in the room.



  • Thanks friends!
    Sounds like, for our pilot, MAC assigned VLANs is the way to go.
    I'll investigate that route.

    I appreciate the other suggestions as well. For now we're committed to Android, Sonos and Chromecast - the latter two not supporting 802.1x. So it seems MAC-based assignment is the way to go.

    Thanks!


  • Rebel Alliance Global Moderator

    Here is a dead simple solution.

    What AP are you going to use? The unifi stuff, very reasonably priced, has recently gone from 4 ssid to 8 ssid if you do not use wireless uplinks.

    So you could have 8 different rooms on each AP.  Just create the SSIDs for these 8 rooms, 4 if your AP has that limit - more if they can do more, etc.

    So you have say ssid room101, room102, room103, etc..

    Put each of those ssid on their own vlan.. Done!  Simple straight forward easy to setup.. And you don't even need fancy or expensive AP or switches to do such a setup.


  • Galactic Empire

    @johnpoz:

    What AP are you going to use? The unifi stuff, very reasonably priced, has recently gone from 4 ssid to 8 ssid if you do not use wireless uplinks.

    Is that 5.5.x John, I'm on 5.4.19 and it's still showing 4 max ?


  • Rebel Alliance Global Moderator

    you need to make sure you're not running link monitor it seems - might have misspoken on the wireless uplink but that is also an issue with it I think.  I am running 5.6.10, without the link monitor you can not switch over to wireless uplink, etc.  But you don't really need the link monitor if you're wired and don't want them to go to wireless uplink on wire fail, etc.  That is my take on it - have not tested all the scenarios, etc.

    But depending on his layout and where they plan on placing the AP, 4 rooms per AP wouldn't be all that bad either?  So even with a 4 ssid limit such a setup would work.  So this would work with any AP and switch that supports vlans.  The more ssids your AP supports would just give you more clients you could have connected to each AP via ssid vlans.  This doesn't require any sort of other eap support either, works with just your typical psk auth.  You could come up with some formula for the psk you use so if you know the formula you would know what the psk is per room, etc.  But would still be hard to guess for random people (unless they figure out the formula).  You could also just use a random psk for each ssid.  You could give this to the people in the room if they wanted to connect their own devices, etc.

    While dynamic vlans would be a more elegant solution and allow you to use a common ssid, it does require hardware that supports mac based auth and be able to do that with non 802.1x clients, etc.  The unifi switches can do it that way I do believe… I recall someone doing it on the forums.

    See attached screenshot



  • Galactic Empire

    Ah thanks, that's why I'm not seeing it then.


  • Rebel Alliance Global Moderator

    I have not tried it out as of yet.  I do want to create a few more ssids though to further isolate different types of iot devices which I currently have lumped into the psk ssid (vlan 200).. I thought I had read that they were going to add a built in radius server to the controller, which would then allow for mac based auth for clients that don't support enterprise mode of wpa, etc.

    What I would love to do is the mac based vlans so I could just run 1 ssid for all my different iot devices and put them in their own vlans based upon mac.  But as mentioned this can be difficult based upon your hardware and the clients' wifi eap support.  Most of these shitty consumer devices do not support any sort of enterprise auth.  So you're stuck with psk..

    To the number of rooms, you could prob even get 16 rooms this way - since the 8 is limited to wifi group.  So you assign group 1 to your 2.4 band, for the rooms farther away from the AP and then another to your 5ghz band for the closer rooms..  So 16 rooms per AP would be quite a bit - but also depends on actual layout, etc.

    What would be sweet is if these devices would just support wpa-enterprise.. You would think as more and more iot devices come on the market and more and more people want/should be isolating them to their own networks that they would allow for enterprise level auth so you could use dynamic vlans..  But then you see these major players coming out with mesh networks (about time) for home users like Google Wifi, and Netgear's Orbi, without even vlan support - wtf? ;)



  • @johnpoz:

    Here is a dead simple solution.

    The unifi stuff, very reasonably priced, has recently gone from 4 ssid to 8 ssid if you do not use wireless uplinks.

    So you could have 8 different rooms on each AP.  Just create the SSIDs for these 8 rooms, 4 if your AP has that limit - more if they can do more, etc.

    Done! That's a great fix! We are in fact using the Unifi stuff and I was thinking about the 4 SSID limitation. This is great news! Will try it out today.

    Thanks everyone! Much appreciated!


  • Rebel Alliance Global Moderator

    even with the 4 ssid limit, you could prob still get 8 rooms on 1 AP via using different ssid per band - putting the farther rooms on 2.4 and closer rooms to the AP on the 5ghz band and use different ssid/vlans.. The only drawback to this would be your actual layout of rooms and types of walls, etc.

    Let us know how it turns out!

    If you end up doing this and it works out good - be a perfect thing to post on unifi as case study ;)

    Keep in mind I do not believe they have backported the 8 ssid thing to the older line previous to 5.6.x yet.. And there might be restrictions on which AP support it as well.

    Do you have a drawing, or could you sketch up real quick a basic layout to look at placement of the AP?  Worst case is you need to use more APs and have fewer rooms per AP.  But with the ability to create different wifi groups and different ssids and vlans you should be able to do it all under 1 site on the controller.
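The SSID-per-room layout the last few posts converge on (one SSID and VLAN per room, 4 or 8 SSIDs per AP, farther rooms on 2.4 GHz and nearer rooms on 5 GHz, a random PSK per SSID), as an added planning example that is not from the thread and not UniFi's tooling. Assumptions: VLAN ID equals the room number (room101 -> VLAN 101, following the ssid names suggested above), a conservative 4-SSID-per-band limit, distances are supplied per room, and the AP names and room layout are constructed.

```python
import secrets

# Assumptions (not from the thread): VLAN ID == room number, a 4-SSID-per-band limit
# (8 on newer controller builds per the thread), nearest rooms on 5 GHz, the rest on 2.4 GHz.
SSID_LIMIT_PER_BAND = 4
VID_MAX = 4094  # 802.1Q VLAN ID range is 1-4094


def room_to_vlan(room):
    """VLAN ID for a room, checked against the 802.1Q range."""
    vlan = int(room)
    if not 1 <= vlan <= VID_MAX:
        raise ValueError(f"room {room}: VLAN {vlan} outside 1-{VID_MAX}")
    return vlan


def new_psk():
    """Random WPA2 passphrase (22 chars, inside the 8-63 char limit), one per SSID.
    A random value per room avoids the guessable 'formula' PSK mentioned in the thread."""
    return secrets.token_urlsafe(16)


def plan_ssids(rooms_by_ap, limit=SSID_LIMIT_PER_BAND):
    """rooms_by_ap: {ap_name: [(room, distance_m), ...]}.
    Returns one SSID/VLAN/band/PSK entry per room; raises if an AP cannot carry its rooms
    within 2 bands x limit SSIDs, or if a room is listed under two APs (VLAN collision)."""
    plan, seen = [], {}
    for ap, rooms in rooms_by_ap.items():
        if len(rooms) > 2 * limit:
            raise ValueError(f"{ap}: {len(rooms)} rooms but only {2 * limit} SSIDs (2 bands x {limit})")
        # Nearest rooms get the 5 GHz band (shorter reach); the remainder fall back to 2.4 GHz.
        for idx, (room, _dist) in enumerate(sorted(rooms, key=lambda r: r[1])):
            if room in seen:
                raise ValueError(f"room {room} assigned to both {seen[room]} and {ap}")
            seen[room] = ap
            plan.append({
                "ap": ap,
                "ssid": f"room{room}",
                "vlan": room_to_vlan(room),
                "band": "5GHz" if idx < limit else "2.4GHz",
                "psk": new_psk(),
            })
    return plan


def ssids_per_band(plan):
    """Count SSIDs per (ap, band) so the plan can be checked against the AP's limit."""
    counts = {}
    for e in plan:
        key = (e["ap"], e["band"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed layout: one AP serving six third-floor rooms, distance in metres.
    layout = {"ap-3f-east": [("301", 3), ("302", 5), ("303", 8), ("304", 11), ("305", 14), ("306", 18)]}
    for e in plan_ssids(layout):
        print(e["ap"], e["band"], e["ssid"], "-> VLAN", e["vlan"])
    print(ssids_per_band(plan_ssids(layout)))
```

Each entry maps onto one wireless network in the controller (SSID, PSK, VLAN tag) plus one VLAN interface and subnet on the firewall; the band split is the trick the post describes for squeezing twice the SSID limit out of one AP, and whether the 2.4 GHz rooms are actually reachable is the layout question the post asks about.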