Ubiquiti access points on different subnet / separate from 192.168.1.x

I work for a small business (~20 employees) that needs Wi-Fi coverage across two large shop buildings and the adjoining offices, as well as the loading areas outside the buildings. I installed 6 Ubiquiti access points (3 UniFi 6 Pros, 2 UniFi 6+, one UniFi 6 Mesh) which checked all those boxes. All have been wired for Ethernet backhaul / PoE and I get decent signal strength and throughput in all the areas we require.

My question pertains to how I can separate the APs from the company LAN/domain to keep Wi-Fi clients separate from the main 192.168.1.x subnet.

The backstory: we had an IT guy (friend of a friend type) that installed a Netgear Orbi Wifi-6 system. He started with a router and two satellites, the latter in a mesh configuration (no ethernet). Signal was poor / non-existent in many areas and his solution was to keep adding satellites. He finally decided to wire some with ethernet but it never worked right. Anytime the ethernet cable was plugged into one, the whole Wi-Fi system went down. He spent literally months trying to troubleshoot with Netgear, threw in the towel, and just installed various Wi-Fi routers in different locations with the same SSID and gave up on the Orbi satellites. The challenge with this is the clients didn't transition well-- they'd hold onto a low signal far too long where the device was essentially dead to Wi-Fi and not move onto the closer one, rendering nearly our entire loading area void of Wi-Fi.

Management engaged me to set up a Ubiquiti system, which I recommended and have used plenty in the past. But I need to get security ironed out. The Wi-Fi clients (tablets) need to access the internet, but also some server resources (databases) on the LAN. I'd like to keep them separate from the 192.168.1.x subnet, however. I noticed the previous IT fella had his Orbi equipment assigning clients a 192.168.20.x IP address, yet it still played nice with the server and fetched stuff off the web.

Obviously the Ubiquiti access points I've installed are just that, so they find the DHCP server and get assigned a 192.168.1.x address, as do all the clients. Right now I'm just using the Windows-based controller which lets me monitor and configure the APs. I'm assuming I need to have some additional hardware to get this right. I've plenty of experience with home networking, less so in a business environment where security isn't just a consideration. I don't think I'm over my head or anything, but realize I need some help setting this up properly. Any pointers / advice / suggestions on how to get this system set up right? If there's anything I left out, just ask and I'll reply promptly.
 
less so in a business environment where security isn't just a consideration.
I hope you mean "in a business environment where security is a primary consideration".

I don't think I'm over my head or anything
I could come up with something snarky to say, but I won't. I'll just say that you are in over your head.

Securing corporate networks is such an obtuse topic that anyone involved in securing corporate networks and data is always in over their heads. There is a reason corporate security professionals all slowly become paranoid. Security professionals have to get everything right every time, while the bad guys only have to find one hole, and holes aren't hard to find.

My question pertains to how I can separate the APs from the company LAN/domain to keep Wi-Fi clients separate from the main 192.168.1.x subnet.

This is a big question with complex answers.

Is there an existing security policy/posture and security equipment?

Who owns the devices using the WiFi? What security software is running on the devices? What resources are they allowed to access (like the internet)?

Will there be guest WiFi and if so will it be on a separate VLAN?

What is the firewall between the WiFi clients and the corporate LAN/Servers?

The questions could go on and on.
 
I have lots of questions about this setup (too).

My main question would be concerning why these devices (tablets?) need to be off the company subnet, yet connect to it, and also the internet.
And what exactly are the devices?

This is more a networking question than UniFi.

@OVERKILL
 
I hope you mean "in a business environment where security is a primary consideration".
Same meaning, different wording.
I could come up with something snarky to say, but I won't. I'll just say that you are in over your head.
Fair enough, I hope to fix that.
Securing corporate networks is such an obtuse topic that anyone involved in securing corporate networks and data is always in over their heads. There is a reason corporate security professionals all slowly become paranoid. Security professionals have to get everything right every time, while the bad guys only have to find one hole, and holes aren't hard to find.
This is a very small business that does subcontracting in our trade for general contractors. Small potatoes. I'm not using that as an excuse, and if I were, I wouldn't be posting. That said, if one were to exploit a security vulnerability, they wouldn't gather much. I hope to work with our IT guy (who botched Wi-Fi terribly) to close whatever loops we can with this Ubiquiti system.
Is there an existing security policy/posture and security equipment?
Yes, but largely unknown to me. Our IT guy handles network administration, managing firewalls, internal domain, Windows server, basically all the nuts and bolts. He's 70+ years old and wants to do everything remotely, which is not working for us, especially as it pertains to Wi-Fi. We've implemented electronic tracking systems in our production process (barcodes for material, production, shipping, etc.). The Wi-Fi he implemented has never worked right from day one despite him charging a boatload of hours (in addition to the Orbi hardware, which he's largely abandoned) to troubleshoot it, then just slopping something together with various Wi-Fi routers that gets 1-3 bars on a tablet and calling it good.

There is a Cisco smart switch in each building. I'm fairly certain this is the exact model: (https://www.amazon.com/Cisco-26-Port-Gigabit-Switch-SG200-26P/dp/B004GHMU5Q). Appears to be using Windows server for DHCP and LAN related duties on the main 192.168.1.x network as I see no other hardware.

Who owns the devices using the WiFi? What security software is running on the devices? What resources are they allowed to access (like the internet)?
Company owns all devices using WiFi. They are generic Samsung tablets with no security software. One service is accessed through the web (Tekla EPM Go), the other points directly to the server. I have to assume he's only opened ports related to said service that accesses the server directly.
Will there be guest WiFi and if so will it be on a separate VLAN?
Guest WiFi is managed by the Orbi router. I don't know the exact configuration. I do know we have a VLAN for our VOIP phone system; our phones get a class A IP [10.xxx] assigned to them.
What is the firewall between the WiFi clients and the corporate LAN/Servers?
It has been the firewall offered through the Orbi router (Wi-Fi). I intend to use the Ubiquiti equipment in place of the Orbi setup, but still maintain firewall/separation between the company LAN and server. I should note that I've set the physical equipment up (Ubiquiti), but am not deploying it until I get this sorted out, which will likely have to be done in cooperation with our IT guy. Which might be a struggle, because he will not give up on fixing his cobbled together Wi-Fi system that has already cost us thousands and doesn't work.
The questions could go on and on.
Please ask.
 
Do you know what router your work is using? Enterprise-class routers will allow admins to set a VLAN to a virtual interface, then set an access file to allow traffic between the WAN and the VLAN interface.

Unifi also allows VLAN settings in their Windows controller, but I haven't looked at ours at work in a while so I'll have to double check. Probably a good time for me to check now anyways.
 
Do you know what router your work is using? Enterprise-class routers will allow admins to set a VLAN to a virtual interface, then set an access file to allow traffic between the WAN and the VLAN interface.

Unifi also allows VLAN settings in their Windows controller, but I haven't looked at ours at work in a while so I'll have to double check. Probably a good time for me to check now anyways.
IT guy had been using a Wi-Fi router from a defunct company that he could no longer get support for. He ditched it when we needed site-wide Wi-Fi. I'm fairly certain he's using the Netgear Orbi as a router/firewall. I've gotten bits and pieces of info from talking with him, but I don't have a ton of time to spend on IT as my normal job responsibilities are a job and a half by itself. The guys I supervise can't get their job done without working Wi-Fi given the new systems we have implemented. Which is why I inserted myself into setting up the Ubiquiti system. I think it would be wise to ditch the Orbi router and install something from Ubiquiti.
 
I was able to read your posts more in depth. It sounds like you guys have an interesting setup but not too different in what I've seen with small clients in regards to very varied equipment.

I'm wondering if your IT guy just expanded your subnet from the common /24 to a /23. Then he'll just need to add in a new reserved IP range in the DHCP and have the Netgear Wi-Fi pointed to that.

What I'd do is buy some small business class router and find a new IT company more comfortable with this stuff. There shouldn't be any reason why your current IT guy would run different equipment routers as an AP when there's perfectly good mesh systems out there for years. My only experience with this is with Sonicwalls so I'd recommend a TZ370, which can be complex to setup so others can probably recommend one that's easier to manage.

Unifi also has their own router called the Unifi Security Gateway (USG) and "unlocks" extra features in Unifi's desktop controller. The USG should work fine for your needs as a small business.
 
We need some clarification on what network resources you want the Wi-Fi clients to be able to access. This is all very doable, with the right equipment, as this is a pretty simple setup.

You can set up multiple SSIDs on different VLANs if you need certain wireless clients not to have access to anything on the LAN, and you can use client isolation so they can't talk to each other (this is typical for guest Wi-Fi stuff).

But, before we get down to any of that, I'll say that I tend to agree with @wwillson, in that, if you don't know what you need to set this up, you are indeed a bit over your head. That doesn't mean we can't help you through this, but I think you need to be aware of that fact. As I said, this setup isn't super complicated, but you've clearly not set it up before. That's OK, but it would be better if you had a home lab to run this through to learn what you need to do and perform some testing, rather than doing it all in a live environment.

So, that out of the way, let's get down to what you need:
- Firewall that can do 802.1Q
- Switching infrastructure (managed) with the ability to handle 802.1Q
- Your topology requirements with respect to what needs to get where, what shouldn't be getting where, etc.
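The two replies above describe the same design from different angles: the switch carries each SSID on its own 802.1Q-tagged VLAN, the firewall terminates each VLAN as an interface, and an ordered, default-deny access list decides what crosses between the Wi-Fi VLANs, the 192.168.1.x LAN and the internet. The Python below is an added illustration of that model, not code from the thread, from Ubiquiti or from any firewall vendor. It reads the VLAN ID out of a tagged Ethernet frame, binds each VLAN to a subnet, refuses frames whose source address does not belong to their VLAN, and then walks a first-match rule list. The VLAN numbers, the 192.168.20.0/24 and 192.168.30.0/24 subnets, the server address 192.168.1.10 and the database port 1433 are all assumptions for the example; only 192.168.1.0/24 comes from the thread.

```python
import ipaddress
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame


def vlan_id_of(frame: bytes) -> int:
    """Return the 802.1Q VLAN ID carried by an Ethernet frame, 0 if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return 0  # no tag: a switch would treat it as the port's native VLAN
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the Tag Control Information are the VID


# Assumed VLAN plan (illustration only; the thread gives no VLAN numbers).
ZONES = {
    1: ipaddress.ip_network("192.168.1.0/24"),    # corporate LAN, the poster's existing subnet
    20: ipaddress.ip_network("192.168.20.0/24"),  # company tablets SSID (assumed)
    30: ipaddress.ip_network("192.168.30.0/24"),  # guest SSID (assumed)
}
SERVER = ipaddress.ip_network("192.168.1.10/32")  # assumed database/DNS server address
INTERNET = "internet"  # sentinel: any destination that lies outside every zone

# Ordered, first-match access list. Anything unmatched falls through to "deny".
RULES = [
    # name, source subnet, destination selector, protocol, dest port, action
    ("tablets-to-db",       ZONES[20], SERVER,   "tcp", 1433, "allow"),  # assumed DB port
    ("tablets-to-dns",      ZONES[20], SERVER,   "udp", 53,   "allow"),
    ("wifi-to-lan-block",   ZONES[20], ZONES[1], "any", None, "deny"),
    ("guest-to-lan-block",  ZONES[30], ZONES[1], "any", None, "deny"),
    ("tablets-to-internet", ZONES[20], INTERNET, "any", None, "allow"),
    ("guest-to-internet",   ZONES[30], INTERNET, "any", None, "allow"),
]


def is_internal(ip) -> bool:
    """True when the address belongs to one of the firewall's own VLAN subnets."""
    return any(ip in net for net in ZONES.values())


def rule_matches(rule, src, dst, proto, dport) -> bool:
    _, src_net, dst_sel, r_proto, r_port, _ = rule
    if src not in src_net:
        return False
    if dst_sel == INTERNET:
        if is_internal(dst):
            return False
    elif dst not in dst_sel:
        return False
    if r_proto != "any" and r_proto != proto:
        return False
    if r_port is not None and r_port != dport:
        return False
    return True


def decide(vid: int, src: str, dst: str, proto: str, dport: Optional[int]) -> str:
    """Firewall verdict for a flow that arrived on VLAN `vid`.

    Returns "allow", "deny", or "deny-spoof" when the source address is not in
    the subnet bound to that VLAN interface: a frame tagged for the Wi-Fi VLAN
    but claiming a LAN address is dropped before the access list is consulted.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zone = ZONES.get(vid)
    if zone is None or src_ip not in zone:
        return "deny-spoof"
    for rule in RULES:
        if rule_matches(rule, src_ip, dst_ip, proto, dport):
            return rule[-1]
    return "deny"  # implicit default deny at the end of the list


def decide_frame(frame: bytes, src: str, dst: str, proto: str, dport: Optional[int]) -> str:
    """Same verdict, but taking the VLAN ID from the frame's 802.1Q tag."""
    return decide(vlan_id_of(frame), src, dst, proto, dport)


# Constructed sample frame: destination MAC, source MAC, 802.1Q tag (PCP 0, VID 20),
# inner EtherType IPv4, placeholder payload. Not a capture from any real network.
TAGGED_FRAME = (
    bytes.fromhex("ffffffffffff")
    + bytes.fromhex("0a1b2c3d4e5f")
    + struct.pack("!HH", TPID_8021Q, (0 << 13) | 20)
    + struct.pack("!H", 0x0800)
    + b"\x00" * 20
)

if __name__ == "__main__":
    for flow in [("192.168.20.5", "192.168.1.10", "tcp", 1433),
                 ("192.168.20.5", "192.168.1.10", "tcp", 445),
                 ("192.168.20.5", "192.168.1.50", "tcp", 1433),
                 ("192.168.20.5", "203.0.113.9", "tcp", 443),
                 ("192.168.1.33", "192.168.1.10", "tcp", 1433)]:
        print(flow, "->", decide_frame(TAGGED_FRAME, *flow))
```

The ordering is the point: the two "allow" rules for the tablets name one server and one port each, the block rules sit before the internet rules so that "anything outside the LAN" can never be read as "anything on the LAN", and the wireless zones never appear as each other's destination, so guest-to-tablets traffic falls through to the default deny without a rule being written for it. Running the block prints the verdict for each sample flow, including the spoofed 192.168.1.33 source arriving on VLAN 20.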
 