TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point

TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-05-19 10:37:43 - last edited 2022-05-24 07:43:14
Model: EAP225
Hardware Version:
Firmware Version:

Does anyone know which (if any) Access Points out there will enable me to isolate guests from my home LAN?  I would just like to be able to connect my main router via a 20m cable to this new device located in our annexe such that 'Guests' connect to it on wifi but won't be able to access any part of the main house network.  

 

Would a ... 'TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point (AC)' possible work?

 

Thanks

0
0
#1
Options
1 Accepted Solution
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point-Solution
2022-05-19 20:25:44 - last edited 2022-05-24 07:43:14

  @tp4sb 

 

Hey

 

The answer is YES and NO sadly.. let me explain

 

On its own the EAP225 cant do this, it requires a Controller to enable this feature.

 

If you have a raspberry PI around you can create a controller for FREE.. else the OC200 is very reasonably priced (€60  $65 US) and that will do the job.   Set up your home SSID on the controller as you would normally, then create another SSID called GUEST or whatever you fancy, tick the box for "guest network" and presto... 2 SSIDs setup and one the Guest one is locked away for talking to anything.  Adopt the AP onto the controller and job done..

 

Guest mode on the controller disables the ability of anyone on that SSID to do anything but internet surfing.. its locked out of your SSID and cant even talk to other guests..

 

Hope that helps and screenie below

 

Recommended Solution
2
2
#2
Options
15 Reply
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point-Solution
2022-05-19 20:25:44 - last edited 2022-05-24 07:43:14

  @tp4sb 

 

Hey

 

The answer is YES and NO sadly.. let me explain

 

On its own the EAP225 cant do this, it requires a Controller to enable this feature.

 

If you have a raspberry PI around you can create a controller for FREE.. else the OC200 is very reasonably priced (€60  $65 US) and that will do the job.   Set up your home SSID on the controller as you would normally, then create another SSID called GUEST or whatever you fancy, tick the box for "guest network" and presto... 2 SSIDs setup and one the Guest one is locked away for talking to anything.  Adopt the AP onto the controller and job done..

 

Guest mode on the controller disables the ability of anyone on that SSID to do anything but internet surfing.. its locked out of your SSID and cant even talk to other guests..

 

Hope that helps and screenie below

 

Recommended Solution
2
2
#2
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-05-20 11:09:26

  @Philbert Many thinaks for the info. 

2
2
#3
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-07 15:31:58

  @Philbert 

 

Just a quick question on this.  

 

I've since bought both an OC200 and an EAP225 and set them up such that I 'think' I have 'guest' isolation from my LAN.  It seems to be fine.  However, I'm a little puzzled by some of the youtube videos that seem to indicate that I also need VLANs too.   I created them but had no luck in connecting at all on the WiFi so I've removed them.

 

Thoughts?  

0
0
#4
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-07 18:24:39

  @tp4sb 

 

Hey

 

It really depends on what you want to achieve?   If you are just looking for a Guest SSID locked away so that anyone connected to it cant see your other devices, then what you have at the moment will work

 

However if you are wanting total isolation, by this I mean a different IP range, subnet etc etc then you will need to implement vlans..   more below

 

 

Before starting I'm assuming you don't have an Omada Switch and Router?   Namely you are using your ISP router / switch?     If so then the "guest" setting on the SSID is all you have to work with as vlans require a full omada network (more later).

 

Assuming you don't have an Omada setup, in short the "guest" setting will allow the devices to get an IP address in the same range as your other SSIDs  (192.168.z.x) but will automatically set controls to stop them from talking to the other devices.   So your PC could have 192.168.1.5  and your guest has 192.168.1.6   however the guest will be blocked from talking to anything on your network.  Fundamentally internet use only.

The disadvantage of this is it only works on wireless devices and should anyone plug into your switch, they will have full access.   It's handy for home guest users in fairness

 

A full Omada network (Router, Switch and EAP) will allow you to take this further by creating VLANs..   This basically means you can have all the "guests" on a separate network address, say 192.168.50.x  and then use Access Control Lists (ACLs) to block traffic between your private VLAN and the guest VLAN.     Its almost like having a totally separate network for your Guests, you can even apply the VLAN to ports on the switch so if anyone plugs into the switch.. its locked to guest access only.

 

This is more secure, but more complicated and costs more in hardware.   As said if you don't have the router and switch to run this, creating vlans wont do anything for you.

 

Hope that helps?

 

0
0
#5
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-07 18:38:01

  @Philbert 

 

Hi,

 

Thanks for that.  I guess it's like I thought in that I'd need to invest in say an ER605 router (or similar) in order to create new subnets for different groups.

Much obliged for clarifying. 

0
0
#6
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-07 18:52:21

  @tp4sb 

 

Got it in one

 

The ER605 sets up the IP Ranges for you to allocate out.   The Omada switch then 'trunks' the data along those VLANs to the ER605..

 

Its probably overkill for most people to be honest!

 

 

0
0
#7
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-07 19:54:00

  @Philbert 

Thanks. Now just one further question. 

In the 'Outhouse' where I have the guest access, I use(d) an old router as the access point and dumb switch. If I continue with this just as a switch with my new oc200 and EAP225 hooked up, I guess I'm still open to someone plugging in a cable to the old router and getting into my LAN.

 

So... If I use a smart switch in its place (I have one somewhere), will I be able to configure that to block out inquisitive cable-plugger-inner people? 

0
0
#8
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-07 21:51:57

  @tp4sb 

 

Hey

 

If im correct in interpreting what you are saying, then sadly not a smart switch wont help you; you would need an Omada router and switch to control this.

 

As you wont have VLANs at present and the old router wont offer anything like this, then sadly anything on those ports will be straight into your private network.    Even if you had a smart switch and all ports locked down, there is nothing stopping someone just unplugging the router and jacking in that way.

 

One possibility is a smart switch at your side with some MAC address control on the port for the Old AP, that way it only allows that specific device to connect.. but that's not ideal really.  As you have no VLAN capable router, VLANs are not an option for you


What you are looking to do would require a VLAN, ideally the only traffic going to the 'outhouse' should be guest traffic on a guest vlan.    Any non vlan setup could be easily bypassed as the trunk port to that AP could be jacked into.

 

Tricky one for you..

 

 

0
0
#9
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-07 22:16:34

  @Philbert 

Thanks again. I better get the new router ordered soon huh. The costs just keep mounting. :) 

0
0
#10
Options
Re:TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
2022-06-13 17:41:48

  @tp4sb 

 

Just a further question.  Is there any setting that I might have missed whereby I can have the Oamda App notify me immediately if anyone joins the 'Guest' network?

 

Thanks

0
0
#11
Options