This document outlines the procedure for establishing a private Wi-Fi
network in a residential multi- dwelling unit property, such as an
apartment building or assisted living facility.

 

Application Requirements

For purposes of illustration, the following networks are required.

  • Network #1: Staff Wi-Fi network (no client isolation, dedicated VLAN,
    facility-wide)
  • Network #2: Visitor Wi-Fi network (client isolation, dedicated VLAN,
    facility-wide)
  • Network #3: Resident Private Wi-Fi network (no client isolation between
    devices of the same resident, client isolation between residents, each
    Private Wi-Fi network only required within one residential unit)

 

The requirements for the staff and visitor networks (as well as any other
facility-wide networks such as for surveillance, VoWiFi, etc.) are quite
straightforward. These networks should be configured in the normal manner,
by setting up a regular SSID with VLAN isolation enabled and client
isolation / layer 2 isolation enabled or disabled, as appropriate.

 

Private Wi-Fi

For the resident network, a “Private Wi-Fi” service needs to
be configured, where each resident can interconnect their own devices in
their unit, but cannot access the networks of other resident units. The
recommended approach is to install a wall-plate AP (e.g. EWS510AP) in
every resident unit requiring Private Wi-Fi, and then enable the
“Guest Network” feature on each AP and configure individual
SSIDs and passphrases for each residential unit. The AP will act as a
Layer 3 router for the “Guest Network”, so no additional
VLANs or main router configurations are required, but there will be
double-NAT so residents cannot do activities such as hosting their own
servers, and certain types of gaming applications may have difficulty
because of the double-NAT. Note also that this requires Ethernet cabling
to a central location in each residential unit, so that APs can be mounted
within residential units.

In a typical in-unit deployment (i.e. not requiring Private Wi-Fi), a
wall-plate AP is generally only required every 2-3 units, depending on the
layout of the facility and the building materials. For Private Wi-Fi,
however, each unit requires its own access point so as to provide a
dedicated wireless network within each unit.1 Note that the LAN ports
on the wall-plate AP cannot be used as part of the Private Wi-Fi network.
 The LAN ports on the APs should therefore be disabled, unless
specific ports are being used for

 

1  Note, if the service is being offered as an optional upsell, one
could still place APs every 2-3 units, and then  mount additional APs
in particular units as necessary. This may prove overly labor-intensive,
however, and difficult to maintain vs. architecting the network for each
unit to have its own access point.

 

other facility-wide wired network appliances, such as VoIP phones, IPTV,
wired patient monitoring appliances, etc.

When placing a wall-plate AP in every unit, the transmit power levels
should generally be set to minimum levels (11 dBm on both 2.4 GHz and 5
GHz), so as to minimize the coverage area of each AP to minimize overlap
into neighboring units. Transmit power levels can be increased as needed
if the residential units are large enough (e.g. >> 1000 sq. ft. with
multiple rooms and therefore multiple walls) and/or depending upon room
layout and building materials.

 

Configuring Private Wi-Fi on the EnGenius® Neutron™ APs

The configuration procedure is slightly different than the conventional
recommended approach. The AP Group mechanism is still used, but only as a
template for the APs to establish the standard network configuration
parameters. Once the APs are configured in an AP Group, the APs must be
removed from the AP Group so that all of the settings (including the Guest
Network) can be modified on each individual AP.

The overall configuration process is as follows:

  • Create an AP Group for the Room APs with the following critical
    settings:

    1. LAN Port Settings for wall-plate APs:

      1. Disable all unused LAN
      2. Configure all used LAN ports to be access ports on the
        appropriate VLAN for the application (e.g. VoIP phones, IPTV,
        wired appliances, etc.). Note that LAN ports CANNOT be used as
        part of a Private Wi-Fi
    2. Radio Settings:

      1. Country: USA
      2. Channel: Auto (both 4 GHz and 5 GHz bands)
  • Channel Size: 20 MHz (both 4 GHz and 5 GHz bands)
  1. Tx Power: Lowest (both 4 GHz and 5 GHz bands)
  1. SSID Settings (per band):

    1. SSID #1: Staff SSID with appropriate VLAN and WPA2-PSK security
      settings, no client or L2 isolation
    2. SSID #2 (per band): Visitor SSID with appropriate VLAN settings, no
      security (open network), client and L2 isolation enabled
  • Other facility-wide SSIDs as required
  1. Advanced Settings

    1. LEDs: Disable (since placing APs in resident units)
    2. Band Steering: Enabled, Prefer 5 GHz, -80 dBm threshold
  • RSSI Threshold: Disable
  1. Management VLAN: Enabled if a management VLAN is in use (recommended)
  2. Guest Network: Enable with default settings for 4 GHz and 5 GHz SSIDs
    enabled with a default WPA2-PSK passphrase, including the default IP
    address scheme (e.g. 192.168.200.1/24) and DHCP range (e.g.
    192.168.200.101 – 192.168.200.200) for each unit

 

  • Add all of your room wall-plate APs to the AP Group so they upload the
    default You are using this AP Group as a configuration template only.

 

  • If there are any common area APs (e.g. dining areas, community rooms,
    outdoor areas, ) that do not require a Guest Network, a separate AP
    Group should be defined for these APs, and these APs should remain a
    part of the common area AP Group. The SSID, security, radio, and
    advanced settings should be the same as above, except that the guest
    network should remain disabled.

 

  • REMOVE the residential unit wall-plate APs from the AP Group –
    they will retain the group settings from the AP Group, but the APs can
    now have all of their features, specifically the Guest Network, uniquely

 

  • For each residential unit wall-plate AP, make the following AP changes:

    1. AP Name: Room # of AP
    2. AP Channel:

      1. Set alternating static channel of 1 / 6 / 11 scheme on 4 GHz
        band
      2. Set alternating static channel of 36 / 44 / 149 / 157 / 165 / 40
        / 48 / 153 / 161 on 5 GHz band
    3. Guest Network

      1. Set unique SSID for resident room (suggest room number to keep
        it sane, such as “Room 232”, but a random or
        custom name can also be assigned)
      2. Set randomly generated WPA2-PSK password for each room

(recommend the use of a random password generator program or web site)

  • Make sure you document the SSIDs and Passphrases for each AP’s
    guest network so you can provide a card to the resident with the
    information