Guest SSID vs AP Isolation

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-11-06 17:34:56
Model: EAP245  
Hardware Version: V3
Firmware Version:

Hi,

I am trying to set up a wireless VLAN for IoT devices in my home network using a TP-LINK EAP245.

I do not want my IoT devices to communicate with each other, but I still want to be able to manage them from a different VLAN and control them using firewall rules.

When I enable "Guest" on the IoT SSID, all communication between the devices is halted save for ARP and some other protocols. But from what I understand, access to all private networks is also denied.

I suspect the latter part is preventing me from accessing my IoT network.

It seems that the "Guest" option produces a catch-22 in this use case: I can't manage my IoT devices and isolate them at the same time.

I wish TP-Link could decouple this option so that intra-VLAN blocking and private-network blocking are separated.

Unless someone has a better way of doing this without resorting to the controller software.

Thanks.

Re:Guest SSID vs AP Isolation
2019-11-06 19:13:22 - last edited 2019-11-06 19:14:32

pemapon237 wrote:

It seems that the "Guest" option produces a catch-22 in this use case: I can't manage my IoT devices and isolate them at the same time.

Sure you can. Just add the private IPs you want to have access to in the "Exclude subnet" field of a blocking ACL. For example, my BlockPrivNet ACL blocks access to 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8, but excludes hosts 192.168.2.5/32 and 192.168.2.15/32.

pemapon237 wrote:

I wish TP-Link could decouple this option so that intra-VLAN blocking and private-network blocking are separated.

I second this. We also need to separate wireless client isolation from blocking of private network IPs.

Unfortunately, TP-Link did combine client isolation and blocking PrivNets into one "Guest Network" setting, but they still could have left the user a choice to only enable "Client Isolation" and set up specific ACLs. That's how it was done in previous Controller versions. There was absolutely no reason to remove the "Client Isolation" setting. Both options, "Guest Network" and "Client Isolation", could co-exist perfectly in the Controller's web UI: "Client Isolation" for power users and "Guest Network" for noobs.

@forrest, any decision from R&D about bringing back the "Client Isolation" setting in Omada Controller's web UI?

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
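As an added illustration (not code from the thread or from TP-Link), here is a small Python model of the ACL pattern the reply describes: a destination address is checked against the blocked RFC 1918 ranges and the excluded management hosts, and exclusions that fall outside every blocked range are flagged because they would change nothing. The ranges and hosts are the ones quoted in the reply; the evaluation order (exclusion wins over block) and the sample flows are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed model of the "BlockPrivNet" ACL from the reply: a guest-SSID
# client may not reach RFC 1918 space, except for the hosts listed in the
# "Exclude subnet" field. Precedence of exclusion over block is an assumption.
BLOCKED = [IPv4Network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
EXCLUDED = [IPv4Network(n) for n in ("192.168.2.5/32", "192.168.2.15/32")]


def is_blocked(dst: str, blocked=BLOCKED, excluded=EXCLUDED) -> bool:
    """True if a guest client's packet to dst should be dropped by the ACL."""
    ip = IPv4Address(dst)
    if any(ip in net for net in excluded):
        return False  # an exclusion always wins over a blocking entry
    return any(ip in net for net in blocked)


def dead_exclusions(blocked=BLOCKED, excluded=EXCLUDED) -> list:
    """Exclusions that lie outside every blocked range. They have no effect,
    which usually means the management host's address was mistyped."""
    return [str(e) for e in excluded if not any(e.subnet_of(b) for b in blocked)]


def evaluate(flows, blocked=BLOCKED, excluded=EXCLUDED) -> dict:
    """Map each (description, destination) pair to 'drop' or 'permit'."""
    return {desc: ("drop" if is_blocked(dst, blocked, excluded) else "permit")
            for desc, dst in flows}


# Constructed sample flows originating from an IoT client on the guest SSID.
SAMPLE_FLOWS = [
    ("management host", "192.168.2.5"),
    ("another IoT device", "192.168.2.20"),
    ("home server in 10/8", "10.0.0.10"),
    ("cloud endpoint", "203.0.113.7"),
]

if __name__ == "__main__":
    for desc, verdict in evaluate(SAMPLE_FLOWS).items():
        print(f"{desc:20s} -> {verdict}")
    print("dead exclusions:", dead_exclusions())
```

The model only covers the destination check on the guest client's own outbound traffic; it says nothing about how the EAP handles the reverse direction or replies to connections opened from the management VLAN, which has to be verified on the device.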