throttling guest internet on Apple Airport Extreme

December 18th, 2013

I’ve been happily running my Apple Airport Extreme as my home router for the past few years (since my Debian router died, and I’ve been too lazy to replace it).  One of the cool features is the ability to create a guest network (SSID) that can reach the internet without being able to reach your trusted network.  One feature I wanted was the ability to throttle the speed at which guests can access the internet.  While I couldn’t do this with the Airport Extreme alone, adding a Juniper SRX100 (which the awesome Cooper Lees gave me) into the mix solved the problem.

[Image: Apple Airport Extreme base station]

[Image: SRX100, signed by the #1 Juniper Engineer]

[Image: AirPort Utility, screenshot 1]

[Image: AirPort Utility, screenshot 2]

In not so many words, enabling the guest network in AirPort Utility (the screenshots above) does a number of things.  The gigabit Ethernet switch on the back of the Airport is bridged with the WAN port.  Any traffic from your normal SSID(s) and switch ports is sent out the WAN port untagged.  Traffic from your guest network is sent out the WAN port 802.1Q tagged with VLAN 1003.

I plugged the Airport’s WAN port into fe-0/0/1 on my SRX100, and the following config works the magic.

[interfaces]
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members vlan-guest;
                }
                native-vlan-id 3;
            }
        }
    }

    vlan {
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
        unit 1003 {
            family inet {
                filter {
                    input limit_guest_upload;
                    output limit_guest_download;
                }
                address 10.0.2.1/24;
            }
        }
    }

[system services]
    dhcp {
        pool 10.0.1.0/24 {
            address-range low 10.0.1.2 high 10.0.1.199;
            router {
                10.0.1.1;
            }
        }
        pool 10.0.2.0/24 {
            address-range low 10.0.2.2 high 10.0.2.254;
            router {
                10.0.2.1;
            }
        }
        propagate-settings fe-0/0/0.0;
    }

[security]
    nat {
        source {
            rule-set private-to-internet {
                from zone [ guest trust ];
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone guest to-zone untrust {
            policy guest-to-internet {
                description "Allows guest access to internet";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

[security zones]
    security-zone guest {
        host-inbound-traffic {
            system-services {
                dns;
                ping;
                traceroute;
            }
        }
        interfaces {
            vlan.1003;
        }
    }

firewall {
    policer guest-shaping {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 300k;
        }
        then discard;
    }
    filter limit_guest_download {
        term guest-shaping {
            then {
                policer guest-shaping;
                accept;
            }
        }
    }
    filter limit_guest_upload {
        term guest-shaping {
            then {
                policer guest-shaping;
                accept;
            }
        }
    }
}
vlans {
    vlan-guest {
        vlan-id 1003;
        l3-interface vlan.1003;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
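To see what `bandwidth-limit 500k` and `burst-size-limit 300k` actually do to a guest flow, here is an added example (not from the original post) that models the `guest-shaping` policer as a single-rate token bucket, the mechanism behind a Junos two-colour policer: the bucket holds at most burst-size-limit bytes, refills at bandwidth-limit bits per second, and a packet that does not fit is discarded, as `then discard` does. The packet stream it is fed is constructed for the demonstration.

```python
# Token-bucket model of the 'guest-shaping' policer in the SRX config above.
# Junos units: bandwidth-limit is bits/second, burst-size-limit is bytes.
# A packet is accepted only if the bucket still holds that many bytes;
# otherwise it is dropped, mirroring 'then discard'.


class Policer:
    def __init__(self, bandwidth_bps: int, burst_bytes: int) -> None:
        self.bandwidth_bps = bandwidth_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_us = 0                  # time of last refill, microseconds

    def offer(self, now_us: int, size_bytes: int) -> bool:
        """Offer a packet arriving at now_us; return True if it is accepted."""
        elapsed_s = (now_us - self.last_us) / 1_000_000
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed_s * self.bandwidth_bps / 8)
        self.last_us = now_us
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def guest_shaping() -> Policer:
    """The policer exactly as configured: 500 kbit/s, 300 kB burst."""
    return Policer(bandwidth_bps=500_000, burst_bytes=300_000)


def simulate(policer: Policer, offered_bps: int, pkt_bytes: int, seconds: int):
    """Offer a constant packet stream (constructed traffic) for `seconds`;
    return (delivered_bps, accepted_packets, dropped_packets)."""
    interval_us = round(pkt_bytes * 8 * 1_000_000 / offered_bps)
    accepted = dropped = 0
    for t_us in range(0, seconds * 1_000_000, interval_us):
        if policer.offer(t_us, pkt_bytes):
            accepted += 1
        else:
            dropped += 1
    return accepted * pkt_bytes * 8 / seconds, accepted, dropped


if __name__ == "__main__":
    # A guest pulling 1 Mbit/s of 1500-byte packets for a minute: once the
    # 300 kB burst is spent roughly every second packet is discarded, and the
    # delivered rate settles just above the 500 kbit/s limit.
    rate, ok, drop = simulate(guest_shaping(), 1_000_000, 1500, 60)
    print(f"delivered {rate / 1000:.0f} kbit/s, accepted {ok}, dropped {drop}")
```

Because the same policer is referenced from both the input and the output filter on vlan.1003, upload and download are limited independently to this rate; the burst explains why a speed test briefly reads higher than 500 kbit/s before settling.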

And there you have it! A really simple way of limiting the bandwidth of guest users on your network using the power of Junos with an Airport Extreme!

[Image: Throttled Speed]

12 responses

  1. Brett comments:

    Hi Scott,

    This is fascinating.

    I’ve known about VLAN 1003 for the Airport Guest network for awhile, as I have 6 Airport Extreme/Express nodes in bridge mode, using an Airport Extreme as a router (with 6 different smart switches also on the network).

    My network is probably too complex for the Airport Extreme router. I gave up using it as a DHCP server (except for the guest network) because that seemed to lead to the Airport needing to be restarted every few days.

    But it still gives me fits sometimes.

    So I’d like a better router and to turn my existing Airport router into another bridged WAP.

    While I don’t absolutely need bandwidth throttling on the guest network that would be a nice plus.

    However, I’ve never worked with Juniper OS before.

    From the moment of unboxing … How difficult is it to apply the config you described?

    Do I have to do it via a command line interface, or can it be edited via a web interface?

    Thanks!

  2. scottyob comments:

    Howdy,

    Junos does indeed have a web interface (J-Web) and a ton of documents in the knowledge base to help you set up a lot of scenarios. You should be pretty right.

    In terms of the wireless with that many APs, it might be time to start thinking of lightweight access points with a Wireless LAN Controller instead of autonomous APs chucked around left, right and centre.

    Good Luck,
    - Scotto

  3. Brett comments:

    Thanks for the feedback Scott … I am going to give this an attempt with the SRX100 in about a week’s time, once I get a hold of a unit.

    Everything in your config looks relatively straightforward … I just have one question.

    What is the significance of native-vlan-id 3? I assume that this is not necessary and may be related to something else you are doing with VLANs on your network?

  4. scottyob comments:

    No worries Brett. VLAN 3 is my “Trust” VLAN. It’s native because the Airport will send frames from the switch at the back, as well as my normal SSIDs, and I want those on this VLAN… Why I chose VLAN 3 instead of the default/native VLAN for my “trusted” VLAN? I can’t remember :P For no good reason.. Maybe that was part of the default config?

  5. Brett comments:

    Hi Scott,

    I wanted to leave a follow-up. I did successfully deploy an SRX100 as my router … and not only does it provide the throttling function you describe, it does seem to have resolved my biggest recent networking problems.

    That said, I have to say that J-Web is embarrassingly bad and largely dysfunctional, and I almost gave up at first.

    To prep the SRX100, I needed to add static address assignments for some of my networked devices. After a couple were added, J-Web would just lock up and if I tried to log back in, would block me for 5 to 10 minutes.

    I decided to persevere and used CLI and Point-and-Click CLI to make my configuration adjustments, which worked much better, and increased my confidence that the device was actually going to work.

    The SRX100 has now been deployed for a little over a week, my network is now stable, and guest internet access is throttled.

    (Side note: Shortly after my first post here, I had to reboot my Airport router 4 times in one evening until I discovered that the Airport would crash every time my daughter’s iPad connected to the guest network … other devices did not have or trigger any such problems. I’m still puzzled about that, but I think it had something to do with her device being configured to connect either to guest or main network, and had something to do with her moving between bridged Airports in the house, sometimes on guest, sometimes on main.)

    Anyway, I appreciate you sharing this post and responding to my questions.

    One note that I wanted to share …

    There is a problem with 802.11ac versions of Airport and the guest network in bridged mode. They use 7.7.x (currently 7.7.2) firmware, while older Airport devices use 7.6.x.

    The problem is described here:

    https://discussions.apple.com/message/23266202#23266202

    Basically the guest network on bridged 7.7.x Airports gives such slow throughput that it is unusable.

    Originally, I thought the issue was some incompatibility between 7.7.x in bridged mode, and 7.6.x on the router. But it appears to be more fundamental.

    I have bridged Airport Express and 4th and 5th gen Airport Extreme running 7.6.4 in bridged mode and the guest network is fine.

    I have a bridged 802.11ac TC running 7.7.2 in bridged mode and the guest network is so slow as to be unusable (so I leave it disabled and have it running in a location where the guest network is not needed).

    I’ve had the same results on this particular issue with the SRX100 as my router or Airport Extreme 5th gen as my router. So I would caution anyone looking to this page and thinking about deploying a business class router for guest network access that 802.11ac versions of Airport & TC have issues. I would suggest checking the Apple discussion thread to see first if a firmware update has fixed the problem.

    Thanks again for sharing this post!

    Cheers,

    Brett

  6. Josh comments:

    I’d like to echo Brett’s comments regarding the latest gen 802.11ac Airport Extreme and the guest network.

    I’m using a Vyatta box as my router instead of an SRX, but it’s effectively the same config & topology.

    I have a 100Mbit downstream internet connection which I can max out with a speed test on the main wifi network, but when I switch to the guest network the speed drops down to around 1-3Mbit. The upstream throughput appears to be unaffected.

    I recently opened a support case with Apple and sent them a bunch of diag logs. The case was escalated to engineering; however, when they saw that the AE is in bridge mode, they said it’s an unsupported configuration and the case was closed.

    Hopefully this gets sorted with a future firmware revision.

  7. scottyob comments:

    That’s a shame. Let us know if you do find it gets fixed in another update.

  8. Nick comments:

    Same issues as Josh and Brett – I have the following setup:

    pfSense -> Cisco SG300 -> Airport Extreme. The guest network is using tagged VLAN 1003. Download speed is crippled on the guest network (about 1Mbps). Looks like it is an Apple issue, as I have seen this issue scattered around the web.

    I’m dumping my Airport Extremes and going to try EnGenius access points.

  9. Sven comments:

    It’s remarkable in favor of me to have a site, which is valuable in support of
    my know-how. thanks admin

  10. New Orleans Data Recovery comments:

    People keep saying that Apple’s not innovating these days; I wonder why they just don’t listen to their users and add the features we’ve been wanting for years.

    Anyways, I found an SRX100 on eBay for $64, but is there a cheaper box we can use?

  11. FirstMozelle comments:

    I see you don’t monetize your page, don’t waste your traffic, you can earn extra cash every month because you’ve got hi
    quality content. If you want to know how to make extra bucks, search for:
    Mrdalekjd methods for $$$

  12. James Campolo comments:

    Do you have a network diagram for this setup? I need to know how things are connected physically.
