How to disable the lanport of poe injector for eap225 and eap610 outdoor?

How to disable the lanport of poe injector for eap225 and eap610 outdoor?

How to disable the lanport of poe injector for eap225 and eap610 outdoor?
How to disable the lanport of poe injector for eap225 and eap610 outdoor?
2023-11-23 23:41:53 - last edited 2023-11-30 07:38:44
Model: OC200  
Hardware Version: V1
Firmware Version:

I have deployed a mesh EAP225 and EAP610 with omada controller and TL-SG3428MP v3.0 poe switch.

The deployment on remote area where i seldom visit and worry if someone from the poe injector connect and hook up a lan cable and use my internet for free in my mesh deployed EAP's MESH.

I'm using the setup of remote deployed mesh eap's from residential houses payonly  a monthly electricity or power consumption.

 

Please help if there a configuration from omada hardware controller oc200 v1 or on the switch side of TL-SG3428MP v3.0 to secured mesh lan port of poe injector.

 

Appreciate.

  0      
  0      
#1
Options
1 Accepted Solution
Re:How to disable the lanport of poe injector for eap225 and eap610 outdoor?-Solution
2023-11-24 14:31:06 - last edited 2023-11-30 07:38:44

  @JhonneL-MDA 

 

You are correct to be concerned, the ethernet port of a meshed AP is essentially bridged back to the same ethernet port that the associated root AP is connected to.  There is not 'built in feature' to do what you want to do as stated above.  However, with the controller and the switch you should have enough to implement the required VLAN separations, management VLAN, perhaps some MAC address filters etc to achieve isolation from those ports from internet access.  However, this is not some 3-step process.

 

At a high level you will want to create a subnet and VLAN per SSID that you use.  You will also create another subnet/VLAN pair for the management VLAN (the IPs that the switch, controller and APs will all get) and i recommend you continue to use DHCP, but with Reserved IPs for each piece of hardware and no unassigned IPs should be available. You may also want to implement MAC based filtering to only allow known devices. Since you are meshing APs, you will probably need a router in addition to the switch and APs for everything to work in controller mode, otherwise, you'll need to un-adopt the switch and manage it manually if you are trying to use its native L3 capabilties.

 

Next you will want to prevent the management VLAN from talking to any other VLAN and from accessing the internet using ACLs.  You will probably need to do something special with the controller as you will probably want it to have access outside the management VLAN.  There are FAQs on how to change the management VLAN of APs etc.

 

Anyways...let's see what your reaction is to the above :)

 

Note: you could also just modify the cable (unpin pin1 and pin2 from the AP end) to remove the ability for data to communicate across it, but I don't recommend this, as you'd require a ladder anytime you have an issue with a device and need to connect to it directly (say a failed firmware for instance).

<< Paying it forward, one juicy problem at a time... >>
Recommended Solution
  1  
  1  
#4
Options
3 Reply
Re:How to disable the lanport of poe injector for eap225 and eap610 outdoor?
2023-11-24 06:08:09

  @JhonneL-MDA 

 

There is no such block-port feature on the omada system, maybe you can achieve it via the vlan settings.

Just striving to develop myself while helping others.
  0  
  0  
#2
Options
Re:How to disable the lanport of poe injector for eap225 and eap610 outdoor?
2023-11-24 07:42:55

Dear @Virgo,

I want to express my gratitude for your valuable input and advice. Unfortunately, my current environment setup does not have a VLAN, and I am facing some difficulties in figuring out how to proceed. I was wondering if you have any experience with configuring a VLAN to block the map I need to secure in a remote area. I would greatly appreciate it if you could assist me in this matter.

On-site, some EAPs have used the LAN port of the power injector to expand the signal by adding one more EAP via LAN. However, I am not certain if this approach is optimal for my needs. Your guidance on this matter would be highly appreciated.

Thank you very much for your time and consideration. I look forward to hearing from you soon.

Virgo wrote

  @JhonneL-MDA 

 

There is no such block-port feature on the omada system, maybe you can achieve it via the vlan settings.

  0  
  0  
#3
Options
Re:How to disable the lanport of poe injector for eap225 and eap610 outdoor?-Solution
2023-11-24 14:31:06 - last edited 2023-11-30 07:38:44

  @JhonneL-MDA 

 

You are correct to be concerned, the ethernet port of a meshed AP is essentially bridged back to the same ethernet port that the associated root AP is connected to.  There is not 'built in feature' to do what you want to do as stated above.  However, with the controller and the switch you should have enough to implement the required VLAN separations, management VLAN, perhaps some MAC address filters etc to achieve isolation from those ports from internet access.  However, this is not some 3-step process.

 

At a high level you will want to create a subnet and VLAN per SSID that you use.  You will also create another subnet/VLAN pair for the management VLAN (the IPs that the switch, controller and APs will all get) and i recommend you continue to use DHCP, but with Reserved IPs for each piece of hardware and no unassigned IPs should be available. You may also want to implement MAC based filtering to only allow known devices. Since you are meshing APs, you will probably need a router in addition to the switch and APs for everything to work in controller mode, otherwise, you'll need to un-adopt the switch and manage it manually if you are trying to use its native L3 capabilties.

 

Next you will want to prevent the management VLAN from talking to any other VLAN and from accessing the internet using ACLs.  You will probably need to do something special with the controller as you will probably want it to have access outside the management VLAN.  There are FAQs on how to change the management VLAN of APs etc.

 

Anyways...let's see what your reaction is to the above :)

 

Note: you could also just modify the cable (unpin pin1 and pin2 from the AP end) to remove the ability for data to communicate across it, but I don't recommend this, as you'd require a ladder anytime you have an issue with a device and need to connect to it directly (say a failed firmware for instance).

<< Paying it forward, one juicy problem at a time... >>
Recommended Solution
  1  
  1  
#4
Options

Information

Helpful: 0

Views: 156

Replies: 3