WISP - security

Hi all,

I have the following network:

Main Router - ePMP central AP - ePMP customer - 3rd party home router

ePMP Central AP has multiple remote ePMPs connected to it for different home users.

The 3rd party home router has a voice port as well.

I'm interested in how you set up your network. What would be the best way to secure it so that users wouldn't be aware of the "backbone devices" in the network?

I'm thinking of using PPPoE tunnels from the 3rd party home router to the Main router. This way the backbone network would be transparent to the users.

What do you think about that?

One other question: in the future there is a possibility to offer IPTV. I'm not sure whether that is achievable with ePMPs and this setup with PPPoE.

1 Like

We place all of our backbone/infrastructure devices on a dedicated management VLAN, place the customers' gear on a separate data VLAN and use 802.1x/RADIUS for AAA. In your example the ePMP_AP and ePMP_SMs would be on the management VLAN and the customer 3rd party routers would be on the data VLAN.

I know a lot of people use PPPoE, but we don't, so I can't comment on it.

1 Like

A lot of ways to do this.

PPPoE is common, but wasn't our choice.

We went full routed with VLAN and isolation.

From the core router to the switch, have the switch isolate all of the AP ports from each other. Use a management VLAN to manage the APs and CPEs. Use a firewall rule to prevent your delivery LAN from reaching your management LAN(s). Use subscriber isolation to prevent your CPEs from reaching other CPEs. This will cause the customer's router to think it's the only router connected to your core router. The switch, APs and CPEs will be firewalled away from your delivery LAN, preventing them from getting to the devices and other CPEs on the network.

1 Like
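
One way to check the "firewall the delivery LAN away from the management LAN" rule described in the replies, as an added example that is not from any poster in this thread: a small audit that walks a first-match forward ruleset and reports every delivery subnet that can still reach a management subnet. The subnets, the `Rule` model and the sample rulesets are constructed assumptions, not taken from any router platform.

```python
import ipaddress as ip
from typing import NamedTuple

class Rule(NamedTuple):          # hypothetical rule model, first match wins
    action: str                  # "accept" or "drop"
    src: str
    dst: str

# Constructed address plan (assumption, not from the thread).
MGMT = ["10.255.0.0/24"]                         # switch, APs, CPE management
DELIVERY = ["100.64.10.0/24", "100.64.11.0/24"]  # customer routers

def leaks(rules, default="drop", delivery=DELIVERY, mgmt=MGMT):
    """Return (delivery_net, mgmt_net, reason) for every pair where the
    ruleset may forward delivery -> management traffic.
    Conservative: an accept that overlaps the pair is reported even if an
    earlier, narrower drop already removed part of that traffic."""
    found = []
    for d in map(ip.ip_network, delivery):
        for m in map(ip.ip_network, mgmt):
            verdict = None
            for i, r in enumerate(rules):
                rs, rd = ip.ip_network(r.src), ip.ip_network(r.dst)
                if not (rs.overlaps(d) and rd.overlaps(m)):
                    continue                 # rule cannot match this pair
                if r.action == "accept":
                    verdict = f"rule {i} accepts"
                    break
                if d.subnet_of(rs) and m.subnet_of(rd):
                    verdict = "blocked"      # drop covers the whole pair
                    break
                # partial drop: some traffic is still undecided, keep going
            if verdict is None and default == "accept":
                verdict = "default policy accepts"
            if verdict not in (None, "blocked"):
                found.append((str(d), str(m), verdict))
    return found

# Weak: customers are allowed "anywhere", which includes management.
WEAK = [Rule("accept", "100.64.0.0/10", "0.0.0.0/0")]
# Corrected: the management drop sits above the general accept.
FIXED = [Rule("drop", "100.64.0.0/10", "10.255.0.0/24"),
         Rule("accept", "100.64.0.0/10", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, leaks(rules) or "no delivery -> management path")
```

This covers only the routed firewall rule; switch port isolation and subscriber isolation on the AP are layer-2 settings and need to be verified on those devices separately.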