Client isolation or L2 isolation without other guest policy? across APs ?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-10-26 20:17:31
Model: EAP225
Hardware Version: V7
Firmware Version:

Hello! I don't have Omada APs yet. Currently I use Unifi APs, but I have another project, and I am considering using something else. EAP225 (or something else) came into question because of good reviews, and it seems many people switch from Unifi to Omada.

I wanted to ask if one can activate client isolation across the APs without activating any other guest policy. I prefer to set guest policies by firewall rules on the router (OpenWRT), and I also let the router run the captive portal. So for that, I don't want any firewall rules set on the APs or the controller. But of course the router can't do the client isolation. On Unifi, I could click "L2 isolation" and that did the job.

And if I buy 11 EAP225 units and want to power them over a PoE switch, which (dumb) switch should I look at?

I would appreciate your info! And also any suggestions on using Omada: I only know Unifi. Can I install the Omada controller as a Docker container on a Raspberry Pi 4?

Re:Client isolation or L2 isolation without other guest policy? across APs ?
2021-10-28 02:51:40

@doremifajb 

1. "I wanted to ask if one can activate client isolation across the APs, without activating other guest policy."

You may set up the guest network to meet this need.

2. There is a TP-Link website link about PoE switches; look at it and, when choosing, pay attention to whether the total PoE budget can support all 11 EAP225 units.

3. "Can I install omada controller as a docker on Raspberry pi 4?"

I think it's OK. This is a forum thread I once used as reference: https://community.tp-link.com/en/business/forum/topic/261734

Re:Client isolation or L2 isolation without other guest policy? across APs ?
2021-12-12 14:25:29

@doremifajb 

Thank you for your reply! Somehow I overlooked your post for a long time; only now have I found it.

I installed Omada Controller v4.4.6 on Windows 8.1 in VirtualBox. Now I see that client isolation is not available independently of enabling the guest network. However, I don't see any category where you can prescribe exactly what the guests are allowed to do. All I need is client isolation, nothing else; I do need the clients to have access to the router, so I don't want Omada to block any traffic. I see "portal" and "access control", but it seems that's not where the guest network parameters are set.

I heard that earlier Omada Controller versions did have a client isolation option independent of the guest network. Perhaps I should downgrade the Controller? Or is there any way to set only client isolation using SSH to each AP? (However, the isolation should be effective across all the APs under the same SSID.)

Re:Client isolation or L2 isolation without other guest policy? across APs ?
2021-12-13 21:12:39

@Virgo 

 

Now I think I figured it out, but please correct me if I'm wrong:

My setting & goal:

I have SSID: guests, subnet 192.168.2.1/24, VLAN 11. Everything they are and are not supposed to do is set in the firewall on my OpenWRT router, as long as the traffic goes through the router. I have a captive portal on the router which also controls the bandwidth of the users.

The only thing the router can't do is block clients of this subnet from talking to each other, i.e. client/L2 isolation. So that's what I need the APs to do.

I did NOT activate the guest network.

What I did:

Network Security -> ACL:

Rule 1 = "portal", Permit, protocol: all, Source: SSID "guests", Destination: IP group "router" 192.168.2.1/32

Rule 2 = "block access", Deny, protocol: all, Source: SSID "guests", Destination: IP group "guests" 192.168.2.1/24

The portal on my router did work, and I got another device onto the net, ran Angry IP Scanner, and the IP of this device is not there. So it seems it did what I wanted. Only, I just have one AP now (ordered for testing; I should be getting 10), so I haven't tested yet whether communication between clients on different APs would also be blocked. But as it looks, it's supposed to work that way as well?

Reference:

https://community.tp-link.com/en/business/forum/topic/159499?replyId=406110

I think the version of Omada Controller is different; ACL doesn't have an explicit description like in that post.

I would appreciate your opinions and suggestions! It would still be a lot easier if there were a simple click of "client isolation" or "L2 isolation", like Unifi, though....

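The two ACL rules in the post above are an ordered first-match list, and the whole design rests on the /32 permit sitting before the /24 deny. The following is an added example (my own code, not from the thread, TP-Link, or the Omada controller) that models those two rules so the ordering, the shadowing failure mode, and the cross-AP case can be reasoned about before the other ten APs arrive. Everything it assumes is labelled: that the EAP ACL is evaluated top-down with first match winning and an implicit permit at the end; that each EAP applies the controller-pushed ACL to frames from its own associated clients (so a guest-to-guest frame between two APs is judged at the source AP); and the client addresses, which are constructed sample data.

```python
"""Added example: first-match model of the two Omada EAP ACL rules from the
post above. Not the controller's own code; see the labelled assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    src_ssid: str        # "Source: SSID" field of the Omada ACL form
    dst: IPv4Network     # "Destination: IP group" field of the Omada ACL form


@dataclass(frozen=True)
class Client:
    ip: IPv4Address
    ssid: str
    ap: str              # which EAP the client is associated with


def evaluate(rules: list[Rule], src: Client, dst_ip: IPv4Address) -> str:
    """First-match lookup. ASSUMPTION: the EAP walks the list top-down, the
    first hit wins, and nothing matching means permit. The thread does not
    confirm this; it is the usual ACL semantics and what the posted rule
    order relies on."""
    for rule in rules:
        if rule.src_ssid == src.ssid and dst_ip in rule.dst:
            return rule.action
    return "permit"


# The poster typed the guest group as 192.168.2.1/24, i.e. with host bits set.
# ipaddress rejects that in strict mode; strict=False masks it to 192.168.2.0/24.
# ASSUMPTION: the controller's IP-group form masks it the same way.
GUEST_NET = ip_network("192.168.2.1/24", strict=False)
ROUTER = ip_network("192.168.2.1/32")

# The two rules exactly as listed in the post, in the order they were entered.
RULES_AS_POSTED = [
    Rule("portal", "permit", "guests", ROUTER),
    Rule("block access", "deny", "guests", GUEST_NET),
]

# The same rules with the order swapped: the /24 deny now shadows the /32 permit.
RULES_REVERSED = list(reversed(RULES_AS_POSTED))

# Constructed sample clients (hypothetical addresses, not from the thread).
ALICE = Client(ip_address("192.168.2.10"), "guests", "ap1")
CAROL = Client(ip_address("192.168.2.30"), "guests", "ap1")   # same AP as Alice
BOB = Client(ip_address("192.168.2.20"), "guests", "ap2")     # a different AP
STAFF = Client(ip_address("192.168.1.50"), "office", "ap1")   # another SSID
ROUTER_IP = ip_address("192.168.2.1")
INTERNET_IP = ip_address("203.0.113.7")                       # documentation range


def verdicts(rules: list[Rule]) -> dict[str, str]:
    """Verdicts for the flows a guest SSID has to get right.
    ASSUMPTION: the ACL is enforced by the AP the *source* client sits on, so a
    frame from Alice (ap1) to Bob (ap2) is judged by ap1's copy of the same
    controller-pushed list, which is why the result does not depend on the AP."""
    return {
        "guest->router": evaluate(rules, ALICE, ROUTER_IP),
        "guest->guest same AP": evaluate(rules, ALICE, CAROL.ip),
        "guest->guest other AP": evaluate(rules, ALICE, BOB.ip),
        "guest->internet": evaluate(rules, ALICE, INTERNET_IP),
        "office->guest": evaluate(rules, STAFF, ALICE.ip),
    }


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Names of rules that can never fire because an earlier rule with the same
    source SSID already covers their entire destination prefix."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.src_ssid == later.src_ssid and later.dst.subnet_of(earlier.dst):
                shadowed.append(later.name)
                break
    return shadowed


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("reversed", RULES_REVERSED)):
        print(f"--- {label} ---")
        for flow, action in verdicts(rules).items():
            print(f"{flow:24s} {action}")
        print("shadowed:", shadowed_rules(rules) or "none")
```

With the rules in the posted order, guest-to-router is permitted and guest-to-guest is denied whether or not the two guests share an AP; with the order reversed, the /24 deny shadows the /32 permit and the captive portal on 192.168.2.1 becomes unreachable, which `shadowed_rules` flags statically. Two caveats the model makes visible: the posted rules only constrain frames whose source is the guests SSID, so traffic from other SSIDs into the guest subnet is left to the router firewall, and this is an IP-level model of the rules, so it says nothing about whether the EAP also drops non-IP frames (ARP, IPv6 neighbour discovery) between guests. The cross-AP result is only as good as the enforcement-at-source-AP assumption, so it still needs the scan the poster describes, repeated with the two clients on different APs.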
Re:Client isolation or L2 isolation without other guest policy? across APs ?
2021-12-14 07:24:51

@doremifajb 

Maybe this can help you, very similar settings: https://www.tp-link.com/en/support/faq/1060/

Re:Client isolation or L2 isolation without other guest policy? across APs ?
2021-12-14 12:49:41

@Virgo 

This page seems to be old: it is as of 11 Sept 2020, and the oldest Omada Controller you can get from TP-Link is from November 2020. In any case, mine is v4.4.6 for Windows (I tried to install the newest one, but it didn't work on my VirtualBox Windows 8.1 on a MacBook Pro 2012), and it does not have the configuration options that this FAQ uses, above all SSID isolation.

However, as I was reading it, I see why TP-Link wanted to eliminate/modify this way of configuring client isolation: if clicking "SSID isolation" does not isolate clients connected to different APs, that's against the expectation of most people. Clicking "xyz isolation" (whatever each manufacturer wants to call it) should isolate all the wireless clients under the same SSID, no matter where they are connected. And "Access Control Rule", as this page describes it, also gives the impression that it should work when two devices are connected to the same AP. But it doesn't. So it was rather badly designed.

So all in all, I see why they had to reorganize the options regarding client isolation. And as it seems that putting pretty much the same thing under Network Security -> ACL as this page does under Wireless Control -> Access Control -> Add Access Control Rule works for devices connected to the same AP as well, it seems to be a good solution: you configure something, and it works as you expect. And it is better than offering a simple click for SSID isolation to isolate all, because it offers configurability as to the exceptions you want to make right there. If you know how to deal with a firewall, you can do it. If you don't, you click "guest network", which works for most people.

The only thing missing here is a properly updated tutorial.

I'm still hoping that someone could comment on my ACL configuration, though... I do deal with firewalls but am still a beginner :)
