Wifi guest network on a different vlan for network isolation, ACL problem

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-01-18 01:55:47 - last edited 2024-01-18 02:20:56
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.2.1

Hi

I have recently got an ER707-M2 router and I'm trying to set up a guest network with the Omada controller and an EAP660 AP.

Everything is running with the latest software/firmware.

The software controller is running on a Synology NAS via Docker.

My guest Wi-Fi network is on a different VLAN from the main network for isolation. This is because the Wi-Fi guest feature won't stop people connected to the guest network from seeing devices that are on the same network (they can see but can't connect), and also if I have IPv6 enabled, then the "guest" feature won't work at all (they can see and can connect).

Guest Wi-Fi runs with the voucher portal for user authorization.

Everything is fine with the separate guest Wi-Fi VLAN setup, except that someone on the guest network can still connect to devices on the main network if they know the IP address.

Therefore I have set up an ACL rule so the guest network's VLAN is totally isolated from all other networks (one-way deny, all protocols).

Now I have encountered a problem: when people connect to the guest network, the captive page (the popup page for the user to enter the voucher code) won't load, because the controller is hosted on the main network.

Does anyone know how I can fix this problem? Is it possible to allow access to a specific IP address with a port number in the ACL?

Thanks in advance.
Re:Wifi guest network on a different vlan for network isolation, ACL problem
2024-01-19 06:06:48

@OMG-NZ

Do you have an Omada switch? Use the switch ACL with an IP-Port group.

Just striving to develop myself while helping others.
Re:Wifi guest network on a different vlan for network isolation, ACL problem
2024-01-20 07:59:22

@Virgo No, I don't have an Omada-compatible switch.

Re:Wifi guest network on a different vlan for network isolation, ACL problem
2024-01-21 02:12:53

  @OMG-NZ 

hmm

Several mistakes.

1. If you enable the guest network, you don't have to use an ACL.

2. If you have blocked the voucher port, you're pretty sure to get stuck at a blank page.

Remove the ACL, and test whether there are any security risks.

Don't bother with an ACL in this setup. The guest network is already isolated.

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
Re:Wifi guest network on a different vlan for network isolation, ACL problem
2024-01-22 09:25:44

@Tedd404 Hi, the main reason for me to set up the guest Wi-Fi on a different VLAN is because the "guest Wi-Fi" function won't work if I have IPv6 enabled. Also, the guest function won't totally isolate the network; people can still see all the devices that are on the network (NAS etc.) but they won't be able to connect. I want a guest network that is totally isolated from all other networks.

Re:Wifi guest network on a different vlan for network isolation, ACL problem
2024-01-22 09:26:56

  @OMG-NZ 

OMG-NZ wrote

  @Tedd404 Hi, the main reason for me to set up the guest Wi-Fi on a different VLAN is because the "guest Wi-Fi" function won't work if I have IPv6 enabled. Also, the guest function won't totally isolate the network; people can still see all the devices that are on the network (NAS etc.) but they won't be able to connect. I want a guest network that is totally isolated from all other networks.

ARP scanning is impossible to stop unless you create a dedicated VLAN interface.
Re:Wifi guest network on a different vlan for network isolation, ACL problem
2024-01-22 09:35:54
That is why my guest network is on a VLAN that is different from my main network. But without the ACL, people on the guest network CAN still connect to devices on the main network if they know the IP address. If I set up an ACL to deny the guest network access to the main network, then they can't access the portal page....
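The rule set this thread keeps circling (guest VLAN fully denied to the main LAN, except for the controller's captive-portal listener), as an added example that is not part of any post and is not Omada code: a small Python model of first-match ACL evaluation. It shows the ordering point a practitioner needs here: the narrow permit for the controller IP and portal port has to sit above the broad guest-to-main deny, otherwise it is shadowed and never fires, which is exactly the blank-portal symptom. The subnets (192.168.20.0/24 guest, 192.168.10.0/24 main), the controller address 192.168.10.5, the portal ports 8843/8088 and the implicit-permit default are all assumptions for illustration, not values taken from the thread or from the ER707-M2.

```python
"""Added example (not Omada code): first-match ACL model for a guest VLAN
that must reach only the controller's captive-portal listener on the main LAN.
All addresses and ports below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source prefix, e.g. "192.168.20.0/24"
    dst: str                     # destination prefix
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        """Does this rule match a single packet?"""
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


# Assumption: a packet matching no rule is permitted (so guest clients keep
# internet access); if the device denies by default, add an explicit permit.
IMPLICIT_DEFAULT = "permit"


def evaluate(acl: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule, top to bottom."""
    for rule in acl:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return IMPLICIT_DEFAULT


def shadowed(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule with the
    opposite action already matches everything they would match."""
    hidden = []
    for i, rule in enumerate(acl):
        if any(e.action != rule.action and e.covers(rule) for e in acl[:i]):
            hidden.append(i)
    return hidden


# Constructed topology (assumed values, not from the thread).
GUEST_VLAN = "192.168.20.0/24"
MAIN_LAN = "192.168.10.0/24"
CONTROLLER = "192.168.10.5/32"     # NAS running the controller container

# Assumed portal listener ports on the software controller.
PORTAL_RULES = [
    Rule("permit", GUEST_VLAN, CONTROLLER, "tcp", 8843),  # HTTPS portal
    Rule("permit", GUEST_VLAN, CONTROLLER, "tcp", 8088),  # HTTP portal
]
DENY_MAIN = Rule("deny", GUEST_VLAN, MAIN_LAN)            # one-way, all protocols

GOOD_ACL = PORTAL_RULES + [DENY_MAIN]   # specific permits above the broad deny
BAD_ACL = [DENY_MAIN] + PORTAL_RULES    # deny first: the permits are dead rules


if __name__ == "__main__":
    guest = "192.168.20.37"
    for acl_name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(acl_name, "shadowed rules:", shadowed(acl))
        print("  portal  ", evaluate(acl, guest, "192.168.10.5", "tcp", 8843))
        print("  NAS SMB ", evaluate(acl, guest, "192.168.10.5", "tcp", 445))
        print("  ping LAN", evaluate(acl, guest, "192.168.10.20", "icmp"))
        print("  internet", evaluate(acl, guest, "1.1.1.1", "udp", 53))
```

Two caveats when translating this to a real gateway: if the device's ACL is not stateful, the controller's replies back to the guest subnet need their own permit (the model above only looks at the guest-to-main direction), and the guest clients still need DHCP and DNS answered from the guest VLAN's own interface, which the deny to the main LAN does not touch.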