Business Community > WiFi > No way to isolate AP clients without isolating from other subnets
< WiFi

No way to isolate AP clients without isolating from other subnets

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

No way to isolate AP clients without isolating from other subnets

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
No way to isolate AP clients without isolating from other subnets
No way to isolate AP clients without isolating from other subnets
2023-11-07 18:59:05 - last edited 2023-11-08 00:00:34
Tags: #EAP ACL #VLAN & Multi-Networks #Network Connectivity
Model: EAP610  
Hardware Version: V3
Firmware Version:

I need my AP clients to be isoalted between each other, but with possibility to reach a chosen IP in LAN (outside AP, wired one) - a network printer.

 

It is currently not possible to achieve this in Omada.

 

The "Guest network" enabled in wifi isolates too much. It isolates AP clients - good, BUT it also isolates AP clients from the network printer - BAD. No way to bring the connectivity back.

 

On the other hand, ACLs do not work when trying to isolate clients connected to the same SSID to the same AP - no way to isolate AP clients between each other.

 

This is a regression to te feature available some months ago with possibility to "Isolate SSID" without isolating from all the other private IP subnets under the hood (10.0.0.0 - 10.255.255.255; 172.16.0.0 - 172.31.255.555; 192.168.0.0 - 192.168.255.255 ).

 

My stack - full omada, namely:

 

- router and controller: ER7212PC (latest available firmware: 1.1.1)

- access point: EAP610 connected to the above router (latest availabble firmware)

- the printer connected via LAN directly to the router

- clients connected to the access point via wifi

  0      
 
  0      
 
#1
Options
4 Reply
Re:No way to isolate AP clients without isolating from other subnets
2023-11-07 20:26:01

  @wosiu 

 

Guest mode, forces those clients out the WAN port, then agreed will not work.

 

ACLs on the other hand should. At a minimum you should be able to create 2 LAN subnets, let's call them WIFI (ie 192.168.10.0/24) and PRINTER (192.168.20.0/24).  You create ACLs to block WIFI-WIFI traffic, but allow WIFI-PRINTER.  Things can get messy if you don't have a the full Omada stack (ie controller, gateway, switch, ap) and you didn't mention what you had other than having an AP.  If you are trying to isolate users from each other but not the printer using just an AP, you're out of luck, you need a gateway and/or managed switch at a minimum.

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#2
Options
Re:No way to isolate AP clients without isolating from other subnets
2023-11-07 23:55:05 - last edited 2023-11-08 00:53:04

d0ugmac1 wrote

(...) create 2 LAN subnets, let's call them WIFI (ie 192.168.10.0/24) and PRINTER (192.168.20.0/24).  You create ACLs to block WIFI-WIFI traffic (...)

 

I tried that already (screenshots below) and the isolation unfortunately doesn't work. I tried both - "Switch ACL" and "EAP ACL". It seems like ACLs are not respected if 2 clients are connected to he same AP and the same SSID. 

 

 

 

FWIW ACLs seem to be respected for clients connected to 2 different SSIDs (even if it's the same signle AP). But that's not my case.

 

 

I edited the original message with my full stack - full omada, namely:

 

- router ER7212PC

- access point: EAP610 connected to the above router

- the printer connected via LAN directly to the router

 

 

  0  
  0  
#3
Options
Re:No way to isolate AP clients without isolating from other subnets
2023-11-08 01:54:38

  @wosiu 

 

I am pretty sure the 'switch' in the ER7212 isn't a fully managed switch, ie ACLs don't appear to work like they would on say an external SG2008...much like gateway ACLs didn't work for the longest time on TPlink routers.

 

https://community.tp-link.com/en/business/forum/topic/608306 

 

Short story, to do what you want, now, you'll most likely need to insert an Omada switch between your AP and the ER7212, SG2008 being the cheapest option.  If it's any consolation, I had to do the same thing having started out with just ER605's and EAPs.

<< Paying it forward, one juicy problem at a time... >>
  1  
  1  
#4
Options
Re:No way to isolate AP clients without isolating from other subnets
2023-11-08 12:02:15

  @d0ugmac1 

Thank you for pointers, appreciated a lot :)

 

So to wrap up the thread for the others:

Unfortunately it is currently not possible to achieve what we're describing here with just the omada router (like ER7212 o ER605) and any EAP access point.

Anyone reading this thread - please vote for this feature here: 

https://community.tp-link.com/en/business/forum/topic/608306 

 

I did a writeup summary, linking to more apparently already existing threads which needs similar functionality.

  0  
  0  
#5
Options

Information

Helpful: 0

Views: 460

Replies: 4

Tags

EAP ACL VLAN & Multi-Networks Network Connectivity
Related Articles
AP IS HAVING MORE ISOLATED ISSUE
826 0
 Feature Request: Separate 'Guest Network' into 'AP Isolation' and 'Internet only'
904 0
 Clients not getting IP after AP restart
392 0
 clients keeps on getting disconnect from AP
846 0
 HOW TO isolate webgui with port vlan on other way ?
292 0
AP without Gateway
1126 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.