Isolating clients and network traffic on a shared Wifi network

[kaliree]

Thanks for your time everyone. I am a networking neophyte, but I am an experienced computer technician. I can set up a basic network, but this is beyond me. :'(

Scenario: 5 apartments in the same building sharing WiFi provided by the landlord from a single router and a single connection to the ISP. The network uses WPA2 Personal AES encryption. There is a second router that could theoretically be connected to the first router wirelessly (though I've had no success doing so).

Goal: To allow each apartment to access the WiFi, but to keep all devices on the network and all network traffic private. In effect, to give each user a private internet connection, just as if they each had their own WAP and modem.

Options considered thus far: VLANs, a VPN for each apartment and "Wireless Isolation Mode".

The VPN option is too slow and too expensive for some of the tenets.

Will a VLAN keep the network traffic private from client to router and back again? I know the VPN keeps it private all the way to the destination server, but I need to keep the tenants from sniffing one another's network traffic. Can a VLAN do that?

Is "Wireless Isolation Mode" just marketing speak for a VLAN? If not, would this keep the network traffic private?

Are there any other suggestions on how to achieve this goal?

 

[lif_andi]

I believe you are looking for a setup similar to what this is talking about: http://www.dotkam.com/2008/10/02/configure-multiple-ssids-with-one-router/

Don't know how you'd configure it on your device, but this should be possible, although with varying difficulty, with many devices and firmware.

VLANs will keep traffic seperate yes. You can route between VLANs but if you don't they are essentially seperate networks. Place each on a different subnet and you're golden.

 

[Enigma102083]

Find yourself a used Cisco 851W, it can do up to 10 Wireless VLANs.

 

[John Connor]

If the router supports it install the third party firmware called DD-WRT and in the wireless options enable AP Isolation. You can even block NetBIOS. VLANS are also supported in DD-WRT you can even crank up the wattage.

 

[John Connor]

There is a second router that could theoretically be connected to the first router wirelessly (though I've had no success doing so).

That's because dissimilar hardware won't support WDS.

 

[kaliree]

Sorry it has taken me so long to reply. Life happened, but now I'm ready to get back to this project.

The arrangement of nodes has changed a bit. I will be running a cable modem to a wireless router over ethernet, and a second wireless router will be running off of the first by ethernet. Both routers will connect to their clients over WiFi, but I need each router to have a completely separate LAN and WiFi network. Does this mean I need to set up a VLAN and a VAP for each network?

I was considering DD-WRT. I have been looking into it and it seems that this firmware is no longer developed and may not be as secure as OpenWRT (because it has not been updated). Any thoughts?

I am currently running Tomato, but stock Tomato, nor any of it's forks allow for VLANs or VAPs from what I have found in my research.