This document outlines the procedure for establishing a private Wi-Fi network in a residential multi-dwelling unit property, such as an apartment building or assisted living facility.
Application Requirements
For purposes of illustration, the following networks are required.
Network #1: Staff Wi-Fi network (no client isolation, dedicated VLAN, facility-wide)
Network #2: Visitor Wi-Fi network (client isolation, dedicated VLAN, facility-wide)
Network #3: Resident Private Wi-Fi network (no client isolation between devices of the same resident, client isolation between residents, each Private Wi-Fi network only required within one residential unit)
The requirements for the staff and visitor networks (as well as any other facility-wide networks such as for surveillance, VoWiFi, etc.) are quite straightforward. These networks should be configured in the normal manner, by setting up a regular SSID with VLAN isolation enabled and client isolation / layer 2 isolation enabled or disabled, as appropriate.
Private Wi-Fi
For the resident network, a “Private Wi-Fi” service needs to be configured, where each resident can interconnect their own devices in their unit, but cannot access the networks of other resident units. The recommended approach is to install a wall-plate AP (e.g. EWS510AP) in every resident unit requiring Private Wi-Fi, and then enable the “Guest Network” feature on each AP and configure individual SSIDs and passphrases for each residential unit. The AP will act as a Layer 3 router for the “Guest Network”, so no additional VLANs or main router configurations are required. This does introduce double-NAT, however, so residents cannot do activities such as hosting their own servers, and certain types of gaming applications may have difficulty. Note also that this requires Ethernet cabling to a central location in each residential unit, so that APs can be mounted within residential units.
In a typical in-unit deployment (i.e. not requiring Private Wi-Fi), a wall-plate AP is generally only required every 2-3 units, depending on the layout of the facility and the building materials. For Private Wi-Fi, however, each unit requires its own access point so as to provide a dedicated wireless network within each unit.[1] Note that the LAN ports on the wall-plate AP cannot be used as part of the Private Wi-Fi network. The LAN ports on the APs should therefore be disabled, unless specific ports are being used for other facility-wide wired network appliances, such as VoIP phones, IPTV, wired patient monitoring appliances, etc.
[1] Note, if the service is being offered as an optional upsell, one could still place APs every 2-3 units, and then mount additional APs in particular units as necessary. This may prove overly labor-intensive, however, and difficult to maintain vs. architecting the network for each unit to have its own access point.
When placing a wall-plate AP in every unit, the transmit power levels should generally be set to minimum levels (11 dBm on both 2.4 GHz and 5 GHz), so as to limit the coverage area of each AP and minimize overlap into neighboring units. Transmit power levels can be increased as needed if the residential units are large enough (e.g. >> 1000 sq. ft. with multiple rooms and therefore multiple walls) and/or depending upon room layout and building materials.
Configuring Private Wi-Fi on the EnGenius® Neutron™ APs
The configuration procedure is slightly different than the conventional recommended approach. The AP Group mechanism is still used, but only as a template for the APs to establish the standard network configuration parameters. Once the APs are configured in an AP Group, the APs must be removed from the AP Group so that all of the settings (including the Guest Network) can be modified on each individual AP.
The overall configuration process is as follows:
Create an AP Group for the Room APs with the following critical settings:
LAN Port Settings for wall-plate APs:
Disable all unused LAN ports.
Configure all used LAN ports to be access ports on the appropriate VLAN for the application (e.g. VoIP phones, IPTV, wired appliances, etc.). Note that LAN ports CANNOT be used as part of a Private Wi-Fi network.
Radio Settings:
Country: USA
Channel: Auto (both 2.4 GHz and 5 GHz bands)
Channel Size: 20 MHz (both 2.4 GHz and 5 GHz bands)
Tx Power: Lowest (both 2.4 GHz and 5 GHz bands)
SSID Settings (per band):
SSID #1: Staff SSID with appropriate VLAN and WPA2-PSK security settings, no client or L2 isolation
SSID #2 (per band): Visitor SSID with appropriate VLAN settings, no security (open network), client and L2 isolation enabled
Other facility-wide SSIDs as required
Advanced Settings
LEDs: Disable (since placing APs in resident units)
Band Steering: Enabled, Prefer 5 GHz, -80 dBm threshold
RSSI Threshold: Disable
Management VLAN: Enabled if a management VLAN is in use (recommended)
Guest Network: Enable with default settings for 2.4 GHz and 5 GHz SSIDs enabled with a default WPA2-PSK passphrase, including the default IP address scheme (e.g. 192.168.200.1/24) and DHCP range (e.g. 192.168.200.101 – 192.168.200.200) for each unit
Add all of your room wall-plate APs to the AP Group so they upload the default You are using this AP Group as a configuration template only.
If there are any common area APs (e.g. dining areas, community rooms, outdoor areas) that do not require a Guest Network, a separate AP Group should be defined for these APs, and these APs should remain a part of the common area AP Group. The SSID, security, radio, and advanced settings should be the same as above, except that the guest network should remain disabled.
REMOVE the residential unit wall-plate APs from the AP Group – they will retain the group settings from the AP Group, but the APs can now have all of their features, specifically the Guest Network, uniquely
For each residential unit wall-plate AP, make the following AP changes:
AP Name: Room # of AP
AP Channel:
Set alternating static channel of 1 / 6 / 11 scheme on 2.4 GHz band
Set alternating static channel of 36 / 44 / 149 / 157 / 165 / 40 / 48 / 153 / 161 on 5 GHz band
Guest Network
Set unique SSID for resident room (suggest room number to keep it sane, such as “Room 232”, but a random or custom name can also be assigned)
Set a randomly generated WPA2-PSK password for each room (recommend the use of a random password generator program or web site)
Make sure you document the SSIDs and Passphrases for each AP’s guest network so you can provide a card to the resident with the information
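The per-AP steps above (AP name, alternating static channels, unique guest SSID, random passphrase, documented record) can be prepared in one pass before touching the controller. The script below is an added example, not part of the original procedure or any EnGenius tooling; the function names, CSV column names, 16-character passphrase length and room numbers are assumptions made for illustration.

```python
import csv
import io
import secrets
from itertools import cycle

# Channel rotations taken from the per-AP steps above.
CHANNELS_24 = [1, 6, 11]
CHANNELS_5 = [36, 44, 149, 157, 165, 40, 48, 153, 161]
# Letters and digits without look-alikes (0/O, 1/l/I), because the passphrase
# is printed on a card and typed by hand; about 5.8 bits per character.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
FIELDS = ["ap_name", "guest_ssid", "guest_psk", "channel_2_4ghz", "channel_5ghz"]

def make_passphrase(length=16):
    """Random WPA2-PSK passphrase from the OS CSPRNG (valid length is 8 to 63)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2-PSK passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_plan(rooms, length=16):
    """Return one record per residential-unit AP, in the order rooms are given.

    List rooms in physical order along a corridor so that neighbouring
    units receive different channels from each rotation.
    """
    if len(set(rooms)) != len(rooms):
        raise ValueError("duplicate room number would produce a duplicate SSID")
    plan, seen = [], set()
    for room, ch24, ch5 in zip(rooms, cycle(CHANNELS_24), cycle(CHANNELS_5)):
        psk = make_passphrase(length)
        while psk in seen:  # never hand two units the same passphrase
            psk = make_passphrase(length)
        seen.add(psk)
        plan.append({"ap_name": str(room), "guest_ssid": f"Room {room}",
                     "guest_psk": psk, "channel_2_4ghz": ch24,
                     "channel_5ghz": ch5})
    return plan

def to_csv(plan):
    """Serialise the plan for the deployment record and the resident cards."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(plan)
    return out.getvalue()

if __name__ == "__main__":
    # Constructed room numbers for illustration.
    print(to_csv(build_plan([230, 231, 232, 233, 234])))
```

The resulting file holds every resident's passphrase in clear text, so store it with the same access restrictions as the controller credentials.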