Switching network between metered and unmetered connections
I am trying to determine the best setup for my network, and I have several ideas that all might work, but I don't know which one is the best.
I'm on a ship that spends about half of its time in port and half at sea. We have three Starlink terminals, two for inport that are unmetered and one for underway that is metered. While underway, we limit access to prevent blowing through the data cap for underway. While inport, we open it back up for everyone onboard, as it's the ground-based connection that isn't metered.
My hardware configuration is an ER8411 with 3 WAN connections in, an OC300 on one of the LAN connections, and a LAN connection to an SG2218P, which then connects to a bunch of other SG2210Ps, which connect to a bunch of EAP225s.
Currently, I use one SSID for both inport and at sea, and I enable or disable MAC filtering and IP-based ACLs with DHCP reservations to control who has access to the internet while at sea. That is on VLAN 10. VLAN 1 is my management VLAN, which all the infrastructure is on. This works fine enough, but I'm trying to figure out a way to get each person 1GB of data per month to use, mainly so people can text their families back home while underway, again without blowing through the data cap.
My current thought is to build two WLAN groups, one for underway and one for inport.
The underway group has three SSIDs: a restricted, an unrestricted, and a special use.
- For the restricted, I make a voucher based portal that gives each person 1GB each month of data. Everyone gets a code, and that's how their device gets registered. If you change phones, we revoke the previous voucher and issue you a new one. You lose that one, you get to come up with the best story you can find for why you are so terrible at keeping your phone, and we don't give you another.
- For the unrestricted, I make a voucher based portal that gives either 1, 10, or 100GB per day based on what you need to do underway. Who has which voucher gets documented so that I can maintain accountability of your data usage.
- The special use SSID is so I can make short-term vouchers to fit whatever specific need someone has without adding them to the unrestricted network.
The inport group has one SSID. It's open to everyone, and I apply QoS rules to ensure the people who need bandwidth to do their jobs get the bandwidth.
When we transition connections, I just batch config all the APs to switch between WLAN groups. The WLAN groups stay apart so that people don't get charged against their 1GB of data while we are on an unmetered connection, but it keeps the running underway data total when we switch back if we go to sea twice in a month.
Each of those SSIDs gets a VLAN associated with it, along with different subnets. The underway networks will probably be something like 192.168.4.0/22, 192.168.8.0/22, and 192.168.12.0/22 for a crew of about 500. The inport will probably then be 192.168.128.0/17, because people generally like to connect multiple devices. The management VLAN will stay on 192.168.0.0/22 which it currently is.
I have several questions about the consequences of this configuration:
- If people connect WiFi extenders to the network, will those bypass the portal authentication? They seem to show up right now as wired connections, which makes them much harder to control and regulate.
- Is there a way to regulate anything showing up as a wired connection without also impacting wireless connections?
- What about people connecting their own APs that aren't in the SDN? Will those bypass the portal?
- How do the ports on the switches need to be set up? I can't seem to get the hang of what needs to be tagged vs. untagged on the port profiles, and most guides seem to assume you already fully understand this.
- Will doing a batch config on all of my APs to the inport WLAN group actually stop the running total on the underway data usage?
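As an added illustration (not part of the original post, and not Omada's own logic), here is a small Python model of the address plan described above and of the per-voucher accounting the post wants: usage counts against the monthly 1GB cap only for sessions on a metered (underway) SSID, so time on the unmetered inport SSID neither charges nor resets the running total. The VLAN ids, voucher ids and usage records are assumed or constructed; the subnets and the crew size are the ones given in the post.

```python
# Model of the planned SSID/VLAN/subnet layout plus quota accounting that
# only charges traffic carried over the metered WAN. Not controller code;
# VLAN ids other than management VLAN 1 are assumed.
from ipaddress import ip_network
from collections import defaultdict

PLAN = {
    "management":   {"vlan": 1,  "net": ip_network("192.168.0.0/22"),   "metered": False},
    "restricted":   {"vlan": 20, "net": ip_network("192.168.4.0/22"),   "metered": True},
    "unrestricted": {"vlan": 21, "net": ip_network("192.168.8.0/22"),   "metered": True},
    "special":      {"vlan": 22, "net": ip_network("192.168.12.0/22"),  "metered": True},
    "inport":       {"vlan": 30, "net": ip_network("192.168.128.0/17"), "metered": False},
}

def plan_problems(plan, crew=500):
    """List plan defects: overlapping subnets, or an underway subnet with
    fewer usable addresses than there are crew members."""
    problems = []
    names = list(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a]["net"].overlaps(plan[b]["net"]):
                problems.append(f"{a} overlaps {b}")
    for name, p in plan.items():
        if p["metered"] and p["net"].num_addresses - 2 < crew:
            problems.append(f"{name} has fewer than {crew} usable hosts")
    return problems

def monthly_usage(records, plan):
    """Sum bytes per (voucher, month), counting only sessions on a metered
    SSID. records are (voucher, 'YYYY-MM', ssid, bytes) tuples."""
    used = defaultdict(int)
    for voucher, month, ssid, nbytes in records:
        if plan[ssid]["metered"]:
            used[(voucher, month)] += nbytes
    return dict(used)

# Constructed sample: one crew member, two underway periods in May with an
# inport stretch in between, then a new month. Cap is 1 GB = 1000 MB here.
MB = 10**6
SAMPLE = [
    ("V-0001", "2024-05", "restricted", 400 * MB),
    ("V-0001", "2024-05", "inport", 30000 * MB),   # unmetered: not charged
    ("V-0001", "2024-05", "restricted", 300 * MB), # total carries over
    ("V-0001", "2024-06", "restricted", 100 * MB), # new month, new bucket
]

if __name__ == "__main__":
    print(plan_problems(PLAN))
    print(monthly_usage(SAMPLE, PLAN))
```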