- Dynamically assign a VLAN, a "static" public IPv4 /32 and an IPv6 /60 subnet to each resident ONT, keyed by the ONT's MAC address / GPON serial number.
- Dynamically assign VLANs and local IPv4 /24 and IPv6 /64 to RADIUS accounts.
For APs; Two Methods
- Management VLAN
- Guest VLAN or VLAN per account
- Keep DNS logs per account for BTK
All RADIUS accounts on a guest VLAN + AP isolation
- Completely secure from local devices on the network
- Cannot access other devices on the VLAN thanks to AP isolation
Each RADIUS account on a separate VLAN + no AP isolation
- Completely secure from local devices on the network
- Can access other devices logged in by the same account as a feature.
- The VLAN and IP subnet range given to each account have to be automated somehow.
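
One way to automate the per-account VLAN and subnet assignment (an added example, not part of the original notes): each RADIUS account gets a slot number that maps to one VLAN ID, one IPv4 /24 and one IPv6 /64, and the VLAN is returned to the AP with the RFC 3580 tunnel attributes. The VLAN range, the address pools and the names `AccountAllocator` and `radius_reply` are assumptions.

```python
import ipaddress

# Constructed pools for illustration; none of these values are from the notes.
VLAN_IDS = range(1000, 2000)                        # one VLAN ID per account
V4_POOL = ipaddress.ip_network("10.64.0.0/14")      # carved into /24s
V6_POOL = ipaddress.ip_network("fd00:1234::/48")    # carved into /64s

class AccountAllocator:
    """Gives each RADIUS account a stable VLAN ID, IPv4 /24 and IPv6 /64."""

    def __init__(self):
        self._slots = {}   # username -> slot (persist this in a real deployment)
        self._free = []    # slots released by deleted accounts, reused first
        self._next = 0

    def allocate(self, username):
        key = username.strip().lower()
        if key not in self._slots:
            if self._free:
                slot = self._free.pop()
            elif self._next < len(VLAN_IDS):
                slot, self._next = self._next, self._next + 1
            else:
                raise RuntimeError("VLAN pool exhausted")
            self._slots[key] = slot
        slot = self._slots[key]
        # Slot n maps to the n-th VLAN ID, the n-th /24 and the n-th /64.
        v4 = ipaddress.IPv4Network((int(V4_POOL.network_address) + (slot << 8), 24))
        v6 = ipaddress.IPv6Network((int(V6_POOL.network_address) + (slot << 64), 64))
        return {"vlan": VLAN_IDS[slot], "ipv4": v4, "ipv6": v6}

    def release(self, username):
        slot = self._slots.pop(username.strip().lower(), None)
        if slot is not None:
            self._free.append(slot)

def radius_reply(plan):
    """RFC 3580 tunnel attributes that tell the AP which VLAN to use."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(plan["vlan"]),
    }

if __name__ == "__main__":
    alloc = AccountAllocator()
    for user in ("alice", "bob"):          # constructed account names
        plan = alloc.allocate(user)
        print(user, plan["vlan"], plan["ipv4"], plan["ipv6"], radius_reply(plan))
```

Persisting the username-to-slot map keeps each account on the same VLAN and subnets across restarts, so per-account DNS logs stay attributable to one account.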
For Cameras; One Method
- Cameras and storage server on the same VLAN
- DHCP server giving static addresses to the devices
- Don't route "from" this VLAN. No accessing the internet VLAN or other VLANs.
- Route "to" this VLAN from management VLAN.
VLAN Configuration on management ONTs
- Set up camera ports as access ports in VLAN <ID>