JP2017163209A - Wireless communication device, wireless communication method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To easily achieve a communication group separated from others in a wireless communication device.SOLUTION: A wireless communication device can operate a plurality of SSIDs and performs communication between terminal devices using the SSID. A unique identifier for specifying the terminal device is registered at a table prepared in advance for at least each two port among three or more distinguishable ports including the plurality of SSIDs, which is a port as an interface that can connect the terminal device. When grouping about at least two ports is designated, the wireless communication device allows communication between the terminal devices registered at the table and does not allow communication between the terminal device connected with a non-grouped port and the terminal device registered at the table.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a wireless communication device, a wireless communication method, and a program.

  In recent years, the spread of wireless communication devices has been remarkable, and it is widely established that a wireless LAN is constructed in a general home and a plurality of users are connected to a wide area network such as the Internet by wireless communication from a terminal such as a computer, a tablet or a smartphone. It is done. Some of these wireless LANs can handle both the 2.4 GHz frequency band channel and the 5 GHz frequency band channel that have been used in the past, and some can use a plurality of SSIDs for each band. .

  In a wireless LAN that can operate a plurality of SSIDs, it has been conventionally attempted to limit users who can access each port specified by the SSID. This is because a wireless LAN can receive radio waves as long as it is within the wireless range, so that it is required to restrict access by a user who does not have a valid usage right. Various techniques for such access restriction have been proposed (see, for example, Patent Documents 1 to 4 below).

  As one example of access restriction, one of a plurality of SSIDs that can be used in a wireless LAN is used for home wireless LAN operation, and the other is restricted so that it cannot be connected to the home wireless LAN. At the same time, there is an operation such that it can be connected to the Internet and is released to guests. This can be said to be a function of isolating a user for each SSID. Also, in an environment where a plurality of users using wireless LANs are mixed, there is a request to have another LAN environment inside that is separated from other users, that is, cannot be accessed by other users, So-called VLAN technology has been developed and used in offices. Recently, the use of wireless LAN in homes and share houses has progressed, and as described above, there is an increasing demand for building another LAN environment that is isolated from other users and kept secret inside the wireless LAN. ing.

Patent No. 4908818 JP2012-242990 JP-A-2005-252717 Patent No. 3522284

  However, with the existing isolation function, the user is isolated for each SSID, and cannot communicate with a slave connected to a different SSID, a device connected by wire to a wireless LAN router, or the like. On the other hand, as a result of trying to strictly restrict access, the VLAN technology has a problem that a lot of equipment is required for use in a normal home and setting is not easy. Furthermore, recently, a channel bonding technology that uses adjacent channels of the same frequency band in a bundle has also been developed, contributing to higher communication speeds. Could not be shared by multiple users.

  SUMMARY An advantage of some aspects of the invention is to solve at least a part of the problems described above, and the invention can be implemented as the following aspects or forms.

(1) As a first embodiment of the present invention, there is provided a wireless communication apparatus capable of operating a plurality of SSIDs and enabling communication between terminal apparatuses using each SSID. The wireless communication device is a port as an interface to which the terminal device can be connected, and a communication unit that communicates with the terminal device using three or more distinguishable ports including the plurality of SSIDs; A table in which at least two of the above ports can be grouped, and a unique identifier for identifying the terminal device is registered in at least two of the groupable ports. Here, when the grouping for the at least two ports is designated, the communication unit permits communication between the terminal devices registered in the table, and is connected to the ungrouped ports. Communication between the terminal device and the terminal device registered in the table may not be permitted.

  According to such a wireless communication device, when grouping is specified, communication between terminal devices registered using a unique identifier in the table is possible, but communication with terminal devices not registered in the table is not possible. It can be set as a state. Such grouping may be designated by the user, or may be designated from the beginning as to which port is to be grouped.

(2) In the wireless communication apparatus, different SSIDs of different frequency bands may be assigned to each of the at least two ports that can be grouped among the three or more ports. If it carries out like this, it can communicate between the terminal devices connected to the port to which different SSID of a different frequency band was allocated, and can be made into the state which cannot communicate with other terminal devices.

(3) In the wireless communication device, one of the three or more ports is a port to which a terminal device can be connected by wire, and the one port is included in the groupable ports It is also good. In this way, when a wired communication port is provided in the wireless communication device, terminals connected by wire can also be added to the grouping.

(4) In such a wireless communication device, a combination of at least two ports that can be grouped may be set in advance. In this way, there is no need to set grouping at once.

(5) In such a wireless communication device, a setting screen of the wireless communication device is displayed on the terminal device by designating a predetermined address by a browser operating on the terminal device connected to one of the ports; The grouping may be designated by operating a designation button provided on the setting screen. In this way, it is possible to specify the grouping from the terminal device.

(6) In the above wireless communication apparatus, a default gateway connected to a wide area network may be assigned in advance to one of the ports to be grouped. In this way, the default gateways can be grouped without showing them one by one. If default gateways are grouped, access to the default gateway is restricted from ungrouped terminal devices, so the default gateway settings can be viewed and changed from ungrouped terminal devices. Is not possible in principle. For this reason, the security of the whole LAN connected to the default gateway can be enhanced.

(7) Such a wireless communication apparatus can be realized as an access point of a wireless LAN or an extender that extends a wireless communication range by the access point. In this way, the wireless LAN access point alone or the extender alone can communicate with terminal devices registered in the table, but cannot communicate with terminal devices not registered in the table. can do.

(8) As a second embodiment of the present invention, there is provided a wireless communication method capable of operating a plurality of SSIDs and performing communication between terminal devices using the SSIDs. This wireless communication method has the same effect as the above wireless communication apparatus.

(9) As a third embodiment of the present invention, a computer that can operate a plurality of SSIDs, is loaded into a wireless communication device that performs communication between terminal devices using the SSID, and is built in the wireless communication device Provides an executable program. This program has the same effect as the above wireless communication apparatus. Such a program can be provided in a state of being recorded on a recording medium, but may be placed on a site on a wide area network and downloaded to a wireless communication apparatus connected to the wide area network. With such a program, the above function can be newly added to an existing wireless communication apparatus.

1 is a schematic configuration diagram of a wireless LAN system according to an embodiment. 1 is a schematic configuration diagram of a wireless LAN relay device (extender) included in a wireless LAN according to an embodiment. Functional block diagram of the bridge in the extender. The flowchart which shows a personal mode setting process routine. Explanatory drawing which shows an example of the setting screen displayed on the terminal side. Explanatory drawing which shows typically the table reflecting the setting in personal mode. Explanatory drawing which shows an example of table TBL which matches and registers the MAC address of a terminal with an input port, and an example of matching according to a group and a port. The flowchart which shows an example of the operation | movement in an extender.

  An embodiment of the present invention will be described. FIG. 1 is a schematic configuration diagram of a wireless LAN system 100 including a wireless LAN relay device 30 corresponding to the wireless communication device of the present invention. The wireless LAN system 100 includes an access point (AP) 20 connected to a wide area network (WAN) 25 and a wireless LAN relay device 30. AP 20 comprises its own local area network LN1. The AP 20 and the wireless LAN relay device 30 are connected using a WDS (Wireless Distribution System) technique. The wireless LAN relay device 30 expands the area of the local area network formed by the AP 20 by being WDS connected to the AP 20. Therefore, hereinafter, the wireless LAN relay device 30 is referred to as an extender 30. Note that the WAN 25 is the Internet in this embodiment.

  The AP 20 has a DNS (Domain Name System) server function and a NAT (Network Address Translation) function, and requests from terminals included in its own local area network LN1 and terminals included in the local area network LN2 formed by the extender 30 Accept requests from. If the request from the terminal is a request to various servers (for example, the WWW server 60) connected to the WAN 25, the AP 20 converts the IP address of the request source terminal by the NAT function, further performs DNS resolution, and sends it to the WAN 25. A response is requested from each connected server, and the obtained information is delivered to the requested terminal.

  In the example shown in FIG. 1, a first PC 57 is connected to the extender 30 by wire, and terminals 51 and 52 that are two mobile phones, a terminal 54 that is a tablet, and a second PC 55 are connected wirelessly. Has been. That is, three terminals 51, 52, 54 and two PCs 55, 57 are connected to the local area network LN2 formed by the extender 30. These terminals and PCs correspond to subordinate concepts of the terminal device.

  Next, the configuration of the extender 30 will be described. FIG. 2 is a block diagram showing the internal configuration of the extender 30. As illustrated, the extender 30 includes an antenna 31 for wireless communication in the 2.4 GHz band and an antenna 32 for wireless communication in the 5 GHz band, and performs wireless communication in each frequency band via these antennas 31 and 32. The wireless communication unit 33 for 2.4 GHz and the wireless communication unit 34 for 5 GHz are provided. The wireless communication unit 33 is compatible with multi-SSID, and can operate two SSIDs of SSID 1g and SSID 2g, and wireless communication in the 2.4 GHz band is possible using these. Similarly, the wireless communication unit 34 also supports multi-SSID, and two SSIDs of SSID 1a and SSID 2a can be operated, and wireless communication in a 5 GHz band is possible using these.

  Both wireless communication units 33 and 34 are connected to a bridge 35. A wired LAN terminal 37 is also connected to the bridge 35. The bridge 35 is actually an interface circuit that exchanges signals with the wireless communication units 33 and 34 and the wired LAN terminal 37, and exchanges signals that are input and output through the interface circuit by the operation of the CPU 41. Thus, the function as the bridge 35 is realized. Specifically, the function as the bridge 35 is realized by the CPU 41 that is a one-chip computer executing a program loaded in a memory such as the ROM 42 or the RAM 43. Note that at least a part of the ROM 42 is configured as a flash ROM, and stores a table TBL described later in a nonvolatile manner. Of course, at least a part of the RAM 43 may be configured as a non-volatile memory backed up by a battery or the like to store the table TBL.

  In such an interface circuit for realizing the bridge 35, units for inputting and outputting signals are referred to as an input port and an output port. In the present embodiment, the bridge 35 includes two input ports and two output ports for both the wireless communication units 33 and 34 of the wireless LAN. A plurality of SSIDs in this embodiment are assigned to each input port. Similarly, a plurality of SSIDs in the present embodiment are assigned to each output port. Even if connected to the same input port or output port, the SSID for data exchange is different, so it is possible to distinguish which SSID is used for communication. As described above, data exchange between the wireless communication units 33 and 34 and the bridge 35 is performed via the input port and the output port of the bridge 35 for each SSID. Since the physical input port and output port in the bridge 35 and the exchange of data for each SSID are distinguished, in FIG. 2, the input ports G1 and G2 of the bridge 35 for the SSID 1g and SSID 2g are distinguished. There is only one port. Similarly, ports A1 and A2 of the bridge 35 for SSID1a and SSID2a are also drawn separately. For the wired LAN terminal 37, a single port is prepared. Input / output to / from the wired LAN terminal 37 is connected to the port LAN of the bridge 35.

The bridge 35 is further provided with a port STA for exchanging data via the wireless communication unit 34. The port STA is a port used for exchanging data with the AP 20 connected to the WDS. In the wireless communication part 34, it is handled as rootAP. Data exchange with the WDS-connected AP 20 is a function realized by the AP 20,
(1) Exchange as default gateway DGW,
(2) There is an exchange as an Internet INT. For this reason, in the following description, these ports are distinguished, and a port when data is exchanged as a default gateway is called a port DGW, and a port when data is exchanged via the WAN 25 which is the Internet is called a port INT. Call.

  Next, the basic operation of the bridge 35 will be described with reference to FIG. FIG. 3 is a functional block diagram schematically showing an example of the operation of the bridge 35. As will be described later, the bridge 35 has a filter function, and when a specific mode is designated, the plurality of ports described above are divided into the group 1 and other groups, and data is distributed. A mode for performing such a filter function is called a personal mode. There may be a plurality of combinations of ports belonging to the group 1 in the personal mode as described later, but in the following, in the local area network LN2 formed by the extender 30, an example in which the SSID 1a, the SSID 1g, and the wired LAN form the group 1 Explained.

  When the personal mode is designated, as shown in the figure, a port A1 for inputting data using the SSID 1a from the wireless communication unit 34, a port G1 for inputting data using the SSID 1g from the wireless communication unit 33, Port LANs for inputting data from the wired LAN terminal 37 are grouped as a group 1 in the bridge 35. On the other hand, the port A2 for inputting data using the SSID 2a from the wireless communication unit 34 and the port G2 for inputting data using the SSID 2g from the wireless communication unit 33 are grouped as other than the group 1 in the bridge 35. .

  On the other hand, the output port outputs data to the port A1 that outputs data using the SSID 1a from the wireless communication unit 34, the port G1 that outputs data using the SSID 1g from the wireless communication unit 33, and the default gateway. A port DWG, a port LAN that outputs data to the wired LAN terminal 37, and a port INT that outputs data via the WAN 25 are grouped as a group 1 in the bridge 35. Similarly, a port A2 that outputs data using the SSID 2a from the wireless communication unit 34, a port G2 that outputs data using the SSID 2g from the wireless communication unit 33, and a port INT that outputs data via the WAN 25 are provided. In the bridge 35, they are collected as other than the group 1.

  The filter function inside the bridge 35 is realized by managing the table TBL for allocating each port other than the group 1 and group 1 described above by the filter registration function when the personal mode is set. This table TBL is prepared in advance in the memory. Therefore, the process for setting the personal mode will be described first. FIG. 4 is a flowchart showing a personal mode setting processing routine executed in the extender 30. This personal mode setting processing routine is started when a browser operating on one of the terminals belonging to the local area network LN2 of the extender 30 designates an address set in a setting server built in the extender 30. The In the present embodiment, it is assumed that the call is made from the terminal 54.

  When the routine shown in FIG. 4 is called, the extender 30 first determines whether or not the personal mode setting page is called (step S100). If the call from the terminal 54 in the local area network LN2 is other than the call of the personal mode setting page, for example, other settings such as SSID setting or WDS related setting, the routine returns to RETURN and ends this routine. . If the call from the terminal 54 is a call for a setting page in the personal mode, next, setting page data is transmitted to perform display and screen update processing (step S110). That is, the server in the extender 30 responds to the call from the terminal 54 and transmits data for displaying the personal mode setting screen on the screen of the terminal 54. When the transmitted data is received, the terminal 54 displays it on the screen of the terminal 54, and if the operation on the terminal 54 is performed on the screen, the screen is updated according to the operation.

  An example of the screen displayed on the terminal 54 side is shown in FIG. The upper part (A) of FIG. 5 shows the screen display DS1 when the personal mode is not set. Since the personal mode is not set in the extender 30 by default, when this setting screen is called for the first time, the screen display DS1 shown in the upper section (A) is displayed. On the side of the terminal 54 that has called this setting screen, a pointing device such as a mouse is operated, and a check box “□” or the like is checked for designation. In the lower part (B) of FIG. 5, the check box when it is designated as valid is indicated by “■”. A check box (generally called a radio button) when only one of a plurality of setting items can be selected is indicated by “◯”, and the selected side is indicated by “「 ”.

The settings are as follows.
[1] Enabling / disabling personal mode [2] Using / not using wired LAN terminal When the check box is checked in [1] and personal mode is enabled, the screen shown in the lower part (B) of FIG. The display is switched to the display DS2. In this state
[3] Use / do not use 2.4 GHz SSID as personal mode [4] Whether to use initial setting value or input value to set as SSID when using in [3] above [5] ] Use / do not use 5 GHz SSID as personal mode. [6] Whether to use initial setting value or input value to set as SSID when using in [5] above.

  “PG-0010” and “PA-0010” shown in FIG. 5 as the initial setting values in the above [4] and [6] are examples of specific values corresponding to SSID1g and SSID1a in FIG. When the local area network LN2 is constructed using the extender 30, if the SSID used in the local area network LN2 is used as it is, the initial setting value can be used as it is. If the SSID used in the local area network LN2 has been changed, it is only necessary to select “enter a value” as the changed value and enter the set SSID in the box. In the setting screen display DS2, as shown in the figure, a wireless authentication method, an encryption key, and the like can be set, but the description thereof is omitted.

  Operations such as check boxes on the screen are performed on the terminal 54 side. When the setting button displayed on the screen is clicked using a mouse or the like after checking each check box, the fact that the setting button is clicked and the setting information displayed on the screen is displayed from the terminal 54. It is transmitted to the extender 30. After the transmission of the setting page in step S110 described above, the extender 30 determines whether or not the setting button has been clicked (step S120). It is determined whether or not the setting has been made (step S130).

  If the “personal mode” is set to be valid in the screen displays DS1 and DS2 shown in FIG. 5, this can be determined from the data transmitted from the terminal 54. If the personal mode is set to be valid, the setting for setting the group 1 to the personal mode is made valid (step S140). If the check box for making the personal mode setting valid is not selected, the personal mode is to be released. The setting for setting the group 1 to the personal mode is invalidated (step S150). After the above processing, the process returns to “RETURN” and ends this routine.

  Here, the process of enabling the group 1 setting (step S140) refers to checking the setting of each check box in the setting shown in FIG. 5B, and according to the setting, the filter shown in FIG. This corresponds to a filter registration function for setting the table TBL so as to realize the function. FIG. 6 is a diagram schematically showing the contents of the table TBL reflecting such settings. The upper row (A) shows ports belonging to group 1, and the lower row (B) shows ports belonging to other than group 1.

  For example, in the screen display shown in FIG. 5, “Use also with wired LAN terminal” and “5 GHz” are valid “■”, and if “2.4 GHz” is not valid, wired LAN terminal. The port LAN and the port G1 belong to the group 1, and the other ports A1, A2, and G2 belong to other than the group 1. Note that the default gateway (port DGW) is not displayed in FIG. 6 because it is included in the group 1 if the personal mode is set, as will be described later. Since the port INT for connecting to the Internet can be connected from other than the group 1 and the group 1 regardless of whether the personal mode is enabled or not, this is also not shown in FIG.

In the table TBL managed by the filter registration function, for each port that the extender 30 can handle, the MAC address (s) of the terminal associated with the port and whether the port belongs to group 1 or other than group 1 , Is registered. FIG. 7A shows an example in which the data input to each port (input port) is arranged in terms of which port (output port) can or cannot be passed (discarded). Indicates. FIG. 7B shows the same correspondence by arranging the MAC addresses of associated terminals by group and by port. As shown in FIG. 7B, in the case of a wireless LAN, the MAC addresses of terminals that use the same SSID are registered in association with the same port. In this table TBL, in addition to the MAC address of each terminal, a MAC address such as a default gateway is also associated and registered. The MAC address can be handled as a unique identifier of each terminal. FIGS. 7A and 7B show the correspondence in the following conditions.
(A) The personal mode is set to be valid, and the use at the wired LAN terminal, 2.4 GHz and 5 GHz are all valid “■” (see FIG. 5).
(B) The MAC address addresses of the terminals 51, 52, and 54, the first PC 57, and the second PC 55 shown in FIG. 1 are XXX4, XXX1, XXX2, XXX3, and XXX5, respectively.
(C) The terminal 52 and the terminal 54 use the SSID 1g and the SSID 1a, and the terminal 51 and the second PC 55 use the SSID 2g and the SSID 2a.
(D) The first PC 57 is connected to the wired LAN terminal 37.
(E) The MAC address of the default gateway is associated with the DWG port.

  In the above case, as shown in FIGS. 6 and 7B, the port LAN, the port A1 (SSID1a), and the port G1 (SSID1g) belong to the group 1. Furthermore, the port DGW also belongs. On the other hand, in addition to group 1, port A2 (SSID2a) and port G2 (SSID2g) belong. As a result, as shown in FIG. 7A, data reaching the input ports A1, G1, and LAN belonging to group 1, that is, data from terminals 52 and 54 and first PC 57 belong to the same group 1. It passes through the output ports A1, G1, LAN, and DGW, but is not passed through the output ports A2 and G2 that do not belong to the group 1 and is discarded. For this reason, all data can be exchanged between the terminals 52 and 54 and the first PC 57. Further, the terminals 52 and 54 and the first PC 57 can access the default gateway and the Internet INT. Data cannot be exchanged with the second PC 55 at all.

  On the other hand, data arrived at the input ports A2 and G2 belonging to other than the group 1, that is, data from the terminal 51 and the second PC 55 pass through the output ports A2 and G2 belonging to other than the group 1, but the group 1 The output ports A1, G1, LAN, and DWG belonging to are not passed but are discarded. For this reason, all data can be exchanged between the terminal 51 and the second PC 55, and further, the terminal INT and the second PC 55 can access the Internet INT. However, no data can be exchanged from the terminal 51 or the second PC 55 to the terminals 52 and 54, the first PC 57, or the default gateway.

  Accordingly, communication between the terminals belonging to group 1 is permitted, but the terminals belonging to group 1 and the terminals belonging to other than group 1 are separated from each other, and their existence and The data to be exchanged is kept secret.

  The operation as the bridge 35 that exhibits the filter function will be described with reference to the flowchart of FIG. The CPU 41 of the extender 30 monitors whether or not a packet has arrived through communication with the outside. When the packet arrives, the CPU 41 executes a packet distribution process shown in FIG. When the process of FIG. 8 is started, first, a process of acquiring an arrived packet is performed (step S210). The packet arrives via the wireless communication units 33 and 34 and the wired LAN terminal 37.

  Next, the acquired packet is transferred to the bridge 35 (step S220). The forwarded packet includes the MAC address of the terminal or the like that transmitted the bucket, information about which input port A1, A2, G1, G2, LAN, or STA has arrived, as well as the destination. .

  Next, it is determined whether or not the personal mode is valid (step S230). If the setting for enabling the personal mode has not been made by the setting process already described (step S230: “NO”), the bridge 35 transfers all received communication packets to the respective destinations (step S250). In this case, communication is possible between all the terminals 51, 52, 54 connected to the local area network LN2, the first PC 57, the second PC 55, and the default gateway, and an external server via the WAN 25. Etc. can also be referred from all terminals.

  On the other hand, if the setting for enabling the personal mode has been made, the table TBL is then referenced to determine the group (step S240). In step S240, by referring to the table TBL, it is determined to which group the terminal that has transmitted the received packet belongs. In this table TBL, as shown in FIG. 7B, the MAC address of the terminal and the input port are registered in association with each other, and information on which terminal belongs to group 1 is also held. Yes. When the personal mode is enabled, the MAC address is associated with the port, and if it is registered in the table TBL, the personal mode is entered and the group attribute is referenced with reference to this table TBL. What is necessary is just to determine NO. On the other hand, if the association is not yet registered in the table TBL at the time when the personal mode is enabled, the MAC address of the terminal and the port used by the terminal are displayed when the terminal first accesses. Corresponding information may be registered in the table TBL to determine whether the group belongs. Further, the MAC address of the default gateway (port DGW) may be registered after obtaining a response to the default gateway and obtaining the response result.

  The association between the MAC address and the port once registered in the table TBL cannot be changed unless the extender 30 is initialized and the personal mode is invalidated. Accordingly, for example, a terminal registered as other than the group 1 in the state where the personal mode is valid cannot be re-registered so as to be included in the group 1. When the extender 30 is initialized and the personal mode is invalidated, in this embodiment, the registration of the table TBL is discarded, so that each terminal changes the SSID to be used and then activates the personal mode. In some cases, the registration of whether group 1 or other than group 1 can be changed. Of course, the association registered in the table TBL may be held even if the personal mode is disabled. In this case, when the personal mode is enabled again, the association registered in the table TBL can be used, and there is no need to register the association between the terminal MAC address and the port again. In addition, in the present embodiment, the personal mode is disabled only when the setting screen is called from the registered terminal except for registering the terminal in which the personal mode is enabled in the table TBL and initializing the extender 30. It is supposed to be possible. In other words, the terminal in which the personal mode is enabled (the terminal 54 in the present embodiment) is handled as a master machine having authority for setting related to the personal mode. Of course, when the extender 30 is installed, the MAC address of the terminal that is to be treated as such a master machine is registered in advance, and changes in personal mode settings from terminals other than the master machine can be restricted or prohibited. good.

  Next, based on this table TBL, it is determined whether or not the packet can be transferred (step S260). Specifically, referring to the information in the table TBL, the input port and the MAC address of the terminal that transmitted the packet that has arrived at the input port match the correspondence registered in the table TBL, and the destination output port If the MAC address of the terminal or the like connected to the output port matches the association registered in the table TBL, and the groups to which both terminals belong are the same, it is determined that the transfer is allowed. In this case, the process proceeds to step S250, and the communication packet is transferred to each destination.

  On the other hand, the correspondence between the input port and the MAC address of the terminal that transmitted the packet arriving at the input port, and the correspondence between the destination output port and the MAC address of the terminal connected to the output port are stored in the table TBL. Even if they are different from the registered ones or their correspondences match, if it is determined that they belong to different groups, it is not determined that they can be transferred. In this case, processing for discarding the communication packet is performed (step S270). After transferring the packet (step S250) or discarding the bucket (step S270) described above, the process exits to “NEXT” and ends this processing routine.

  According to the first embodiment described above, in the extender 30 that operates a plurality of SSIDs, only by setting the personal mode, a plurality of terminals in the local area network LN2 formed by the extender 30 are connected. Of these, only those using ports registered in the table as belonging to group 1 in advance can be grouped. If grouped, data can be exchanged only between terminals registered in the table TBL in association with ports in the table TBL. Of course, it is possible to connect to a default gateway or WAN (Internet) 25 from a terminal or the like belonging to group 1, and to refer to a site of an external server 60 or the like. However, terminals that do not belong to group 1 cannot exchange data with terminals or the like that belong to group 1, and even if they try to see the local area network LN2 or the default gateway, their presence cannot be seen. In the table TBL, the MAC address of each terminal or default gateway is registered in association with the input port or DWG port to which each terminal or default gateway is connected, and the terminal and group 1 associated with the port belonging to group 1 are registered. This is because communication with a terminal associated with a port that does not belong cannot be performed. Therefore, the terminal 51 and the second PC 55 that do not belong to the group 1 cannot be accessed, and the default gateway setting cannot be viewed or changed. Therefore, the security of the entire LAN connected to the default gateway can be increased.

  As described above, the association between the MAC address and the port registered in the table TBL cannot be changed until the extender 30 is initialized and the personal mode is disabled. Even if a terminal registered as an association tries to connect using an SSID used by a terminal belonging to group 1, data cannot be exchanged with a terminal belonging to group 1. Similarly, the default gateway cannot be accessed. This is because the MAC address of the terminal is a unique identifier and is registered in the table TBL in a state associated with the port. As long as a terminal or the like can be identified, the unique identifier is not limited to the MAC address. For example, another identifier on the network such as an IP address may be combined with a part or all of the MAC address.

  In this way, terminals that do not belong to group 1 are kept secret from terminals that belong to group 1, but between terminals that do not belong to group 1, as before the personal mode setting, Communication using the same SSID is possible, and data can be freely exchanged. Further, it is possible to connect to a WAN (Internet) 25 and to refer to a site of an external server 60 or the like. In addition, in this embodiment, each terminal can group a part thereof using SSIDs of two frequency bands. Further, even if a part of terminals belonging to the group uses two SSIDs and a part uses one SSID, grouping is possible. For this reason, it is possible to use web search and data exchange between terminals by communication at 2.4 GHz while using 5 GHz communication for streaming video.

  Such a state can be realized by a technique such as VLAN, for example, but in this embodiment, the VLAN technique is not necessary, and the port connected to the table TBL using the SSID of each frequency band to be grouped. And the MAC address of the terminal connected to this port need only be registered in association with each other. A terminal connected to the wired LAN terminal 37 can also be added to this group. Furthermore, as shown in FIG. 6, such grouping can be realized as various combinations (seven in this embodiment). In addition, the setting can be performed very easily from the terminal side using the setting screen shown in FIG. In the example shown in FIG. 5, the minimum processing required while setting the personal mode is to simply click the checkbox for enabling personal mode and specify this item as valid “■”. .

  Hereinafter, modifications of the present invention will be described. In the above embodiment, only the group 1 is grouped in the personal mode. However, grouping may be performed for a plurality of groups. In this case, on the setting screen shown in FIG. 5, it is possible to enable / disable the group 1, group 2,... And which port belongs to the group for each group. Should be set. Those that do not belong to any group may be handled in the same manner as those belonging to other than group 1 in the above embodiment.

  In the above embodiment, the user can freely set the combination of SSIDs in the personal mode and can select from a maximum of seven combinations. However, the selectable range may be limited. For example, one combination of ports in the personal mode may be determined in advance. In this case, setting items for enabling the personal mode are reduced, and the setting is further facilitated. In the above-described embodiment, the personal mode is not enabled by default, and is set to be enabled by calling the setting screen from the terminal 54. However, the default is set to “enable” and the setting screen is used. It may be possible to change it to “not effective”. Further, it can be realized as always effective.

  In the above embodiment, the embodiment as the extender 30 has been described, but the same function can also be realized as the AP 20. Further, both the AP 20 and the extender 30 can be operated simultaneously. In this case, a group for realizing the personal mode may be separately formed in each of the AP 20 and the extender 30, or a local area of both the AP 20 and the extender 30 that share one table TBL and are connected by WDS communication. Grouping across networks may also be performed.

  In the above embodiment, the association between the MAC address and the port cannot be changed unless the extender 30 is initialized and the personal mode is invalidated once registered in the table TBL. The table TBL may be directly edited only when the setting screen is called from the terminal registered as the master device.

  In the above embodiment, the terminal device (first PC 57) connected to the wired LAN terminal can be grouped, but the terminal device connected to the wired LAN terminal may not be handled. Conversely, a plurality of wired LAN terminals may be provided, and a plurality of wired terminal devices may be grouped.

  In the above embodiment, the personal mode is set by calling the setting screen from the terminal 54 side. However, the personal mode can be set from any terminal, or can be set from a terminal registered in the extender 30 in advance. May be. Further, a setting button may be provided on the extender 30 itself, and the setting may be made by operating this button. For example, a setting such as enabling / disabling may be assigned to a dip switch or the like, and the switch position may be changed for designation. Further, a switch for setting a personal mode may be provided.

  In the above embodiment, the invention is described as the wireless LAN relay device (extender 30) that is a wireless communication device, but the present invention can also be implemented as a wireless communication method. In this case, the subject to be processed may span a plurality of devices. For example, the personal mode may be enabled in the extender 30 and the table TBL may be stored in the AP 20. Moreover, the reverse may be sufficient. Further, the grouping may be performed across a plurality of wireless communication devices.

  The present invention can also be implemented as a program. In this case, the program of the present invention can be placed on a server on the network so that a wireless communication device connected to the network can be downloaded. For example, a wireless communication device such as an existing access point that does not have a personal mode function downloads this program from the server and rewrites its own firmware to function as a wireless communication device capable of setting the personal mode. You can

  In the above description, the name “personal mode” is used and described in FIG. 5 and the like. However, such a name is arbitrary, and various types such as “secret mode”, “private mode”, and “simple VLAN” are available. Can be called. The notation on the setting screen is not limited to such names.

  In the above embodiment, the terminals 52 and 54 use SSIDs in two frequency bands, but the SSID used by the terminal may be limited to one of a plurality of SSIDs in a plurality of frequency bands. . In the above-described embodiment, a large number of ports such as four ports capable of operating a plurality of SSIDs and a wired LAN port are handled. However, the present invention can be applied if there are three or more ports. It should be noted that a larger number of ports may be handled.

  Although several embodiments of the present invention have been described above, the present invention is not limited to these embodiments and can be implemented in various modes without departing from the spirit of the invention. For example, part or all of the configuration of the present invention can be realized by hardware. As the hardware, for example, an integrated circuit, a discrete circuit, or a module combining these circuits can be used.

20 ... Access point (AP)
25 ... Wide area network (WAN)
30 ... Wireless LAN relay device (extender)
31, 32 ... Antenna 33, 34 ... Wireless communication unit 35 ... Bridge 37 ... Wired LAN terminal 41 ... CPU
42 ... ROM
43 ... RAM
51, 52, 54 ... terminal 55 ... second PC
57 ... First PC
60 ... Server 100 ... Wireless LAN system A1, A2, G1, G2, LAN, STA ... Port DS1, DS2 ... Screen display LN1, LN2 ... Local area network INT ... Port TBL ... Table

Claims (9)

A wireless communication device capable of operating a plurality of SSIDs and enabling communication between terminal devices using each SSID,
A communication unit that communicates with the terminal device using three or more distinguishable ports including the plurality of SSIDs as a port to which the terminal device can be connected;
A table that enables grouping of at least two of the three or more ports, and registers a unique identifier that identifies the terminal device in the at least two ports that can be grouped, and
When the grouping for the at least two ports is specified, the communication unit permits communication between the terminal devices registered in the table, and is connected to the ungrouped ports And a wireless communication device that does not permit communication with the terminal device registered in the table.   2. The wireless communication apparatus according to claim 1, wherein different SSIDs of different frequency bands are assigned to each of the at least two groupable ports of the three or more ports.   3. The wireless device according to claim 1, wherein one of the three or more ports is a port to which a terminal device can be connected by wire, and the one port is included in the groupable port. Communication device.   The wireless communication device according to any one of claims 1 to 3, wherein a combination of at least two ports that can be grouped is set in advance. The wireless communication device according to any one of claims 1 to 4,
By specifying a predetermined address by a browser operating on a terminal device connected to one of the ports, the setting screen of the wireless communication device is displayed on the terminal device,
A wireless communication apparatus that designates the grouping by operating a designation button provided on the setting screen.   The wireless communication apparatus according to any one of claims 1 to 5, wherein a default gateway connected to a wide area network is assigned in advance to one of the ports to be grouped.   The wireless communication device according to any one of claims 1 to 6, wherein the wireless communication device is a wireless LAN access point or an extender that extends a wireless communication range by the access point. A wireless communication method capable of operating a plurality of SSIDs and performing communication between terminal devices using the SSID,
A port as an interface to which the terminal device can be connected, wherein at least two of the three or more distinguishable ports including the plurality of SSIDs can be grouped;
A unique identifier that identifies the terminal device is registered in a prepared table in at least two ports that can be grouped,
When grouping for the at least two ports is specified, communication between the terminal devices registered in the table is permitted and registered in the table with terminal devices connected to the ungrouped ports A wireless communication method that does not allow communication with a connected terminal device. A program capable of operating a plurality of SSIDs, loaded into a wireless communication device that performs communication between terminal devices using SSID, and executable by a computer built in the wireless communication device,
A port as an interface to which the terminal device can be connected, and a function enabling grouping of at least two of three or more distinguishable ports including the plurality of SSIDs;
A function of registering, in a table prepared in advance, a unique identifier that identifies the terminal device in at least two ports that can be grouped;
When grouping for the at least two ports is specified, communication between the terminal devices registered in the table is permitted and registered in the table with terminal devices connected to the ungrouped ports A program that realizes in the wireless communication device a function that does not permit communication with a terminal device.

Images