sebiol | 2 years ago

Seems like an advert for their Product SPR: Secure Programmable Routers. I don't know their system, so don't see the rest of my comment as a critique.

If your system supports VLAN tagging per SSID, there is an option to make the single-router setup more secure. This will most likely only apply to companies and home labs. For example, at my company we have Zyxel gear where we can tag WLAN connections with a VLAN based on the SSID.

Beware, simplified description ahead. We have a Guest SSID. All connections from this SSID get tagged with a dedicated VLAN on the Access Points. The traffic is then routed to our Firewall and from there to the internet. All switches in between use the VLAN to prevent Guest connections from reaching any other devices on the LAN.

transpute|2 years ago

> Seems like an advert

The decision diagram and conclusion below apply to any pair of OSS or vendor routers in the "guest" and "secure" roles.

  Guest Router First, Secure Router Second

  Option #1 is the recommended and accepted best practice. The guest network connects directly to the internet, and the secure router plugs into the guest Router.

> we have Zyxel gear where we can tag WLAN connections with a VLAN based on the SSID

Open-source SPR can place each wireless client device in its own VLAN, with a unique WPA3 passphrase for every client.

This allows granular, per-device rules for routing and filtering, instead of dumping all devices into one-VLAN-per-SSID.

stonepresto|2 years ago

This also reads like an advert...

I still don't see a use case for a unique PSK per guest, and even that can be achieved with most guest portal implementations.

What SPR seems to lack is backing and therefore trust. Pushing a product aggressively on HN is not the way to build that trust.