Guest Network on ER7206
Hello TP-Link Community.
We have a TL-ER7206, and we want to configure some kind of guest network where the clients can't communicate with each other and should not be able to access the web interfaces of the network components (router, access points).
We created 2 VLANs. (VLAN1 => 192.168.0.0/24 called "LAN"; VLAN2 => 10.0.0.0/23 called "guest")
We also created IP groups for the 2 VLANs and one for the network components (10.0.0.1 - 10.0.0.10)
No matter what we set up in "Firewall/Access Control", we can't stop the clients in the guest VLAN from reaching each other, and they always have access to the web interfaces.
Here are some screenshots of the configuration.
It would be very nice if someone could help us.
you cannot stop a client from accessing the gateway web ui. but i remember that ap can set up the so-called 'access control' where you block device from accessing the web ui. only admin can do that.
brought up before by someone. i remember.
i don't know what to say. if you cannot access the gateway ip, how would it be possible to access the internet? gateway is accessible, that somehow explains this issue you see. from the perspective of the networking, gateway should be accessible by ping. just block the network web ui. maybe you do something like acl to block visit gateway ip by http or https for your guest network?? a workaround?
We didn't want to block the whole access to the gateway IP; we only tried to block port 80/443 for the gateway IP and for other devices in the ACL. But this doesn't work. Everybody can see the web UI.
OK. I just did a simple test by creating the ip-port acl. blocking port 80 and 443, because the gateway is still using both for access.
default lan 10.0.0.1/24
create a vlan for test 172.168.1.1/24 and i set up the acl and i can block the access from client to the gateway web ui and i can still get internet.
>switch acl > type ip-port > src any network; dst ip-port group of following entry:
ip-port group=172.168.1.1/32 port 80 port 443. nothing else need to be configured.
ok. it works immediately. i cannot telnet into 172.168.1.1 80 or 443 anymore.
Thanks for your help! But can you post a screenshot of that config?
We can't follow your description.
OK, I see. Now I know why this works for you. We don't have those options. We can only create IP groups without the ports.
We are using the ER7206 in standalone mode.
This is the IP Group creation mask.
We created an IP Group for the Router/Gateway, called "IPGROUP_Router"
And here we tried to block the HTTP Port.
yep. same thing. http 80 https 443, so two rules should make the same thing.
you can also use the ip/subnet. 32 refers to a single ip address which means it's one and only. so, you can use 10.0.0.1/32 as well. anyway it works the same way, just blocking 80 and 443 so that nobody can access the gateway web ui but still can get internet.
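
An added example, not part of any post in this thread: a check to run from a client in the guest VLAN that confirms the ACL discussed above blocks TCP 80 and 443 to the network components while internet access still works, which is what the telnet test verified by hand. The 10.0.0.1 - 10.0.0.10 range is the IP group from the first post; the probe host example.com and all function names are assumptions.

```python
import socket
from ipaddress import ip_address

# Web UI ports named in the thread (HTTP and HTTPS).
WEB_UI_PORTS = (80, 443)


def expand_range(first, last):
    """Inclusive list of IPv4 addresses from first to last."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]


def tcp_open(host, port, timeout=1.0):
    """True if a TCP handshake completes, i.e. nothing blocked it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def audit(hosts, ports=WEB_UI_PORTS, timeout=1.0):
    """Return the (host, port) pairs this client can still reach."""
    return [(h, p) for h in hosts for p in ports if tcp_open(h, p, timeout)]


if __name__ == "__main__":
    # Network components IP group from the first post.
    devices = expand_range("10.0.0.1", "10.0.0.10")
    leaks = audit(devices)
    for host, port in leaks:
        print(f"STILL REACHABLE: {host}:{port}")
    if not leaks:
        print("web UI ports blocked on all listed devices")

    # Assumed probe target; any outside HTTPS host the guest may use works.
    online = tcp_open("example.com", 443, timeout=3.0)
    print("internet:", "ok" if online else "unreachable")

    # Non-zero exit if the ACL leaks or the guest lost internet access.
    raise SystemExit(0 if (not leaks and online) else 1)
```

Run it once from the guest VLAN and once from the "LAN" VLAN to confirm the rule only affects the intended source network.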