iggyzappa

Q: Operation of and controlling large Airport networks

Hi All,

 

I have a house that needs multiple WiFi access points to cover it - so I now have 4 x Airport Express and 2 x Airport Extreme, all V2 or later, all connected over Ethernet. I also have multiple PCs, servers and other IP devices connected over Ethernet and I run a Windows Domain and Exchange server.

 

My setup is a Draytek ADSL router connected to PlusNet, configured to support a range of 16 static IPs from the ISP. I use various mappings to be able to access some of my servers on some of the static IPs provided.

 

'General purpose' IP access around the house is provided using NAT on the Draytek, with DHCP from the Domain Controller.

Up to now I have operated *all* of the Apple APs in bridge mode so as to not introduce double-NAT issues and have configured them all to the same SSID and password so that WiFi clients can connect anywhere in the house.

 

However, some have suggested that I will get better 'roaming' WiFi operation if I run one of the Extremes as a primary AP in NAT/DHCP mode, with all of the other Apple APs connected in bridge mode back to that primary Extreme as detailed in kb/HT4260: Wi-Fi base stations: Setting up and configuring a roaming network (802.11 a/b/g/n) (This is easy to do as all the cables end up in the same places in my office).

 

The problem is that when I *do* configure the network in this way I get double-NAT warnings - and the issues that a double NAT can create.

 

So, my questions are:

 

1. Does using a configuration as suggested in kb/HT4260 improve the roaming capabilities of a multiple AP network?

     a. does the Primary Extreme manage roaming IP leases across multiple APs such that handover is more efficient than using the NAT on the Draytek?

     b. if so, is there a document or whitepaper available to describe the functionality?

2. If there *is* an advantage to that configuration, is the advantage lost if the primary Extreme is configured to use bridge mode, with the other APs connected to it by Ethernet (also in bridge mode)?

 

Also, I would like to be able to control (my children's) access to the internet, either by time of day or by site. I see there is a way to do this (for WiFi only?), but it appears to need to be set up on each AP separately. It can just about be done on the Draytek, but it's pretty clumsy.

 

3. Is there a control function to be able to control *all* APs with the same access control profiles without having to do them all individually?

4. Is there a control function to be able to access control the wired connections of the APs? (I need to turn off internet to those darned Xboxes!)

5. Is there any way to show a summary of all of the connected clients across the Airport network without having to go into each and every AP, and match numbers?

 

Finally,

5. Are there any command line control functions that are not offered in the Airport utility that could be used to achieve a greater level of control?

 

(In other words, can an Airport network be made to offer the level of functionality and control of commercial systems??!)

 

Cheers, IZ

Posted on Sep 22, 2014 5:06 AM


  • by Bob Timmons,

    Sep 22, 2014 7:58 AM in response to iggyzappa
    Level 10 (105,388 points)

    Up to now I have operated *all* of the Apple APs in bridge mode so as to not introduce double-NAT issues and have configured them all to the same SSID and password so that WiFi clients can connect anywhere in the house.

    That is the correct set up for your network.

     

    However, some have suggested that I will get better 'roaming' WiFi operation if I run one of the Extremes as a primary AP in NAT/DHCP mode, with all of the other Apple APs connected in bridge mode back to that primary Extreme as detailed in kb/HT4260: Wi-Fi base stations: Setting up and configuring a roaming network (802.11 a/b/g/n) (This is easy to do as all the cables end up in the same places in my office).

    Unfortunately, Apple simply assumes (incorrectly, in many cases) that the primary access point will be connected to a simple bridge mode modem.


    The problem is that when I *do* configure the network in this way I get double-NAT warnings - and the issues that a double NAT can create.

    Apple provides no instructions for situations where there may be a router "upstream" from the Apple router on the network. As mentioned above, it is simply assumed that the user will have a simple bridge mode modem. If the AirPort is configured to provide DHCP and NAT when there is another router "upstream" on the network, AirPort Utility will warn of a Double NAT and advise that the AirPort should be configured in Bridge Mode.


    Does using a configuration as suggested in kb/HT4260 improve the roaming capabilities of a multiple AP network?

    No

     

    a. does the Primary Extreme manage roaming IP leases across multiple APs such that handover is more efficient than using the NAT on the Draytek?

    No

     

    b. if so, is there a document or whitepaper available to describe the functionality?

    No

     

    2. If there *is* an advantage to that configuration, is the advantage lost if the primary Extreme is configured to use bridge mode, with the other APs connected to it by Ethernet (also in bridge mode)?

    No

     

    I see there is a way to do this (for WiFi only?), but it appears to need to be set up on each AP separately.

    Correct, when all of the AirPorts are in Bridge Mode

     

    3. Is there a control function to be able to control *all* APs with the same access control profiles without having to do them all individually?

    No

     

    4. Is there a control function to be able to access control the wired connections of the APs? (I need to turn off internet to those darned Xboxes!)

    No

     

    5. Is there any way to show a summary of all of the connected clients across the Airport network without having to go into each and every AP, and match numbers?

    No

     

    5. Are there any command line control functions that are not offered in the Airport utility that could be used to achieve a greater level of control?

    Apple makes no mention of this. If other users know how to do this, then hopefully they will respond.

     

    (In other words, can an Airport network be made to offer the level of functionality and control of commercial systems??!)

    No. As you may have guessed, the Apple routers are designed for very simple home networks.

  • by iggyzappa,

    Sep 22, 2014 5:32 PM in response to Bob Timmons
    Level 1 (0 points)

    Hi Bob,

     

    Thanks very much for the clarifications and answers.

    I was possibly hoping I had missed some little gem in the Airport implementation - sadly you confirm that it's not the case!

  • by LaPastenague,

    Sep 23, 2014 4:03 AM in response to iggyzappa
    Level 9 (52,984 points)

    Finally,

    5. Are there any command line control functions that are not offered in the Airport utility that could be used to achieve a greater level of control?

     

    (In other words, can an Airport network be made to offer the level of functionality and control of commercial systems??!)

     

    I suspect Bob knew I couldn't help myself.

     

    The Airport could be great.. but it never will be.. Apple has designed it for the home, domestic market. They have therefore hidden all controls.

     

    I discovered almost by accident that there is a command line tool.

     

    I even opened a thread about it..

     

    Terminal command to check Apple router status. natutil

     

    You can see the thrilled response by the Apple community to my efforts..

     

    It is very limited in what it can do but shows what should have been...

     

    We have also discovered some of what is behind that..

     

    See https://sites.google.com/site/lapastenague/a-deconstruction-of-routers-and-modems/apple-time-capsule-repair/new-issue-with-a1355-gen-3-tc

     

    Right at the bottom is some output from the serial console. Download and read it for yourself.

     

    Others have done the same thing.

     

    http://embeddedideation.com/2014/03/dissecting-the-airport-express/

     

    Sadly it is not a lot of use.. Once you get into the depths of NetBSD.. well, I for one am lost.. although it is nice to be able to get details like routing tables.

     

    This is not what a commercial router looks like.. a hacked home router.. hmmm, no thanks.. not in any business I was doing IT support for.

     

    Commercial routers do what they do because they have excellent controls.. and excellent stability. Neither of which is true of the Apple router.