Eu-bloody-reka! http://www.chriscolotti.us/technology/apple-airports-dirty-little-secret/
Recent firmware that supports extending guest networks to extender AirPort base stations does so using VLAN 1003. Awesome. So I can do the whole Internet-only guest networks thing even without a primary AirPort, after all. Heck, I can even do the whole captive portal thing, charge money, etc, etc, if I want. Learn something new every day, and really, it’s very cool. Now, do I really want to? That’s the question. :)

Client isolation for guest networks has been missing in action for a while, but VLANs do at least assure separation of the traffic inside and outside the tagged broadcast domains. So, your guest clients can talk to each other and the ‘net, but not to your stuff. I think, now that guest networks can extend over the wire, it’s fair to say that client isolation loses much of its effectiveness, because you have to capture broadcast traffic too and for this to work the DHCP server (which uses broadcast) needs to be reachable over the wire. I wouldn’t use this for separating stuff on your own network, but I’d be more than happy to let promiscuous (i.e. unknown and untrusted) clients use this to share the same broadcast domain and the Internet. Now, if only Apple would let you specify the VLAN IDs directly …

I’ve heard great things about Ubiquiti in recent times, indeed most recently because of their more attractive pricing, but one of the not-so-great things I’ve heard is that they use a Java desktop app for configuration. My geek heart might be lusting after more configuration flexibility, but not, I think, to that extent. :) Maybe, if I ever have a real need to leave Apple, but right now I really don’t. AirPort works, really, it’s easy, fast and reliable, and in the context of my needs on my own trusted network, it’s nothing that can’t be made up for with a good firewall upstream. I think that’s the way to go if you want to take control.

Kawal has the AirPort Extreme doing PPPoE, yes. The Draytek v130 is acting as a pure PTM (i.e. Ethernet) bridge with VDSL2.
BT OpenReach provides a “Generic ethernet” service; tag your packets with VLAN 101, and it’s tunnelled direct to your ISP RAS infrastructure. Sadly BT (which I believe is short for “British Tossers”) insist that your equipment support baby jumbo frames (MTU 1508 including PPPoE) so the tunnel fits in their gigantic MPLS infrastructure at the expense of those pesky standards, but fortunately Apple makes up for the loss of large packets by silently MSS clamping to 1400 bytes, so it all works itself out in the end for most applications that people care about. Well, except IPv6 is broken, of course.

Gosh. That was an unnecessarily technical post all round, wasn’t it? Sorry about that. :)
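The encapsulation stack the post describes (802.1Q tag, PPPoE session header, PPP, IPv4), worked through as an added Python example that is not code from the post or from Apple, Draytek or BT; the MAC addresses, session id and packet sizes are constructed. It builds a tagged PPPoE frame byte by byte, reads the VLAN ID back, and checks the MTU budget: a 1500-byte IP packet needs 1508 bytes of Ethernet payload (the baby-jumbo requirement), while an MSS clamped to 1400 fits on a standard 1500-byte link as well.

```python
import struct

# Header sizes in bytes for the stack Ethernet II / 802.1Q / PPPoE session / PPP / IPv4 / TCP
ETH_HDR, DOT1Q_TAG, PPPOE_HDR, PPP_PROTO, IPV4_HDR, TCP_HDR = 14, 4, 6, 2, 20, 20
TPID_8021Q, ETHERTYPE_PPPOE_SESSION, PPP_IPV4 = 0x8100, 0x8864, 0x0021


def dot1q_tag(vid, pcp=0):
    """802.1Q tag: TPID 0x8100 followed by TCI (3-bit PCP, DEI, 12-bit VID)."""
    if not 0 < vid < 4095:          # 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_pppoe_frame(vid, session_id, ip_packet):
    """Tagged Ethernet frame carrying one IPv4 packet inside a PPPoE session."""
    dst = bytes.fromhex("020000000001")   # constructed, locally administered MACs
    src = bytes.fromhex("020000000002")
    ppp = struct.pack("!H", PPP_IPV4) + ip_packet
    # PPPoE: ver=1/type=1 (0x11), code 0x00 = session data, session id, PPP payload length
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return dst + src + dot1q_tag(vid) + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe


def parse_vid(frame):
    """VLAN ID of a tagged frame, or None when the frame is untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def ethernet_payload_len(frame):
    """Bytes after the Ethernet header (the tag does not count against the link MTU)."""
    tagged = parse_vid(frame) is not None
    return len(frame) - ETH_HDR - (DOT1Q_TAG if tagged else 0)


def pppoe_ip_mtu(link_mtu):
    """Largest IPv4 packet a PPPoE session can carry on a link with this payload MTU."""
    return link_mtu - PPPOE_HDR - PPP_PROTO


def max_tcp_mss(ip_mtu):
    """TCP MSS that exactly fills an IPv4 packet of ip_mtu bytes with no IP/TCP options."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def clamp_fits(mss, link_mtu):
    """Does a full-size segment at this MSS fit the PPPoE link without fragmentation?"""
    return mss + IPV4_HDR + TCP_HDR <= pppoe_ip_mtu(link_mtu)
```

With a 1500-byte link `pppoe_ip_mtu` is 1492 and the natural MSS 1452, so a 1400-byte clamp leaves 52 bytes of headroom for options or further encapsulation.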