<
WiFi
EAP320 Client Isolation
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
EAP320 Client Isolation
Posts: 1
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2016-12-12
2016-12-12 01:51:54
Posts: 1
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2016-12-12
EAP320 Client Isolation
2016-12-12 01:51:54
Tags:
Model :
Hardware Version :
Firmware Version :
ISP :
Hello,
I'm installing 3 EAP APs with a PC on wich is EAP Controller software installed. Even if I enable the "SSID Isolation" on the specific network all clients can access each other. Is there a simple way to enable the client isolation at AP or controller level?
Thanks!
Hardware Version :
Firmware Version :
ISP :
Hello,
I'm installing 3 EAP APs with a PC on wich is EAP Controller software installed. Even if I enable the "SSID Isolation" on the specific network all clients can access each other. Is there a simple way to enable the client isolation at AP or controller level?
Thanks!
#1
Options
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thread Manage
Announcement Manage
8 Reply
Posts: 2
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-01-19
Re:EAP320 Client Isolation
2017-01-19 05:30:56
I would like to know this as well, having the same issue...
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#2
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 1
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-01-30
Re:EAP320 Client Isolation
2017-01-30 19:52:13
Same here...Please put "Client isolation" to the wishlist :)
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#3
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 9
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-09-18
Re:EAP320 Client Isolation
2017-09-25 00:57:26
Ditto. I need to have my wr702n communicate with only a single client. I want no others to be able to access the internet via the 702. The 702n drives a remote ring doorbell. It is not for any other public consumption. Authorizing access to a single MAC would do the trick nicely.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#4
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 4334
Helpful: 1046
Solutions: 173
Stories: 3
Registered: 2015-12-05
Re:EAP320 Client Isolation
2017-09-25 08:12:13
Drdan wrote
Ditto. I need to have my wr702n communicate with only a single client. I want no others to be able to access the internet via the 702. The 702n drives a remote ring doorbell. It is not for any other public consumption. Authorizing access to a single MAC would do the trick nicely.
Indeed, "SSID isolation" (also called "client isolation") on EAPs work as expected with current firmware. "Client isolation" is a feature of the WiFi chip and it prevents connections between a wireless client to any other wireless clients. Client isolation is not suitable to deny access of clients to the (wired) LAN nor to the Internet.
What you would need to disable Internet access for specific clients is called "access control". To deny access to the Internet for specific clients you either need firewall rules in the router or access control lists (which effectively is the same as firewall rules on a router, but could be set in EAP controller or in a L2+/L3 switch, too).
As for the WR702, I don't know wether it has access control features. This is the forum for EAPs, so you might want to ask for in the Home / WiFi Routers subforum.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#5
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 9
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-09-18
Re:EAP320 Client Isolation
2017-09-25 08:24:25
Thanks much r1d2 for the education. I can always put epoxy in the LAN jack. It was indeed the wireless I wanted to restrict to a single device. Reckon I need to research access control.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#6
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 4334
Helpful: 1046
Solutions: 173
Stories: 3
Registered: 2015-12-05
Re:EAP320 Client Isolation
2017-09-26 01:43:38
Drdan wrote
Thanks much r1d2 for the education. I can always put epoxy in the LAN jack. It was indeed the wireless I wanted to restrict to a single device. Reckon I need to research access control.
You're welcome. To simplify your research: if you want to open your WiFi for only one device, you could use a strong WPA2 key (>= 20 characters is strong) or another built-in function of most WiFi chips called MAC filter (that's MAC authorization) or even both techniques in combination.
From your first post I thought you want just deny access of other wireless clients to the Internet, but not to your LAN - this would need access control/firewalling. But to restrict the WiFi to one device only, you could use the techniques mentioned above.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#7
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 2
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-01-19
Re:EAP320 Client Isolation
2017-09-26 04:21:56
The only issue here is a client that wants an internal wireless SSID and a guest SSID. The internal one is there to provide access for security cameras and other devices that need to access the internal network and the guest is obviously open for their clients to use. I suppose setting up VLANs would then be the solution here where internal would be VLAN1 and guest VLAN2?
The next issue would be if the router/switch doesn't support VLAN and how to get DHCP to work since your devices don't seem to allow separate IP ranges to be assigned to a guest network. I've had an in-depth discussion with support for some of our clients with a router that would only allow it to be the DHCP server for both the domain and guest network using the same pool of IPs when using isolation. This practice has proven to be a nightmare as guest devices tend to use up IPs that are needed for the internal network. A resolution to this would be to have a separate DHCP range for the guest network like any low-end Linksys/Netgear/Belkin etc etc etc does.
The next issue would be if the router/switch doesn't support VLAN and how to get DHCP to work since your devices don't seem to allow separate IP ranges to be assigned to a guest network. I've had an in-depth discussion with support for some of our clients with a router that would only allow it to be the DHCP server for both the domain and guest network using the same pool of IPs when using isolation. This practice has proven to be a nightmare as guest devices tend to use up IPs that are needed for the internal network. A resolution to this would be to have a separate DHCP range for the guest network like any low-end Linksys/Netgear/Belkin etc etc etc does.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#8
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 4334
Helpful: 1046
Solutions: 173
Stories: 3
Registered: 2015-12-05
Re:EAP320 Client Isolation
2017-09-26 18:08:41
KalanVryce wrote
VLAN and how to get DHCP to work since your devices don't seem to allow separate IP ranges to be assigned to a guest network.
First of all, please note that I am not from TP-Link and the EAPs are not "my" devices. I'm just another user as you, too.
Re guest network: The way TP-Link implements guest networks is through a multi-nets NAT-capable router such as the TL-ER6120 together with a L3/L2+-switch such as the T2600G-28TS. This is the business class solution, it's not comparable to SOHO devices from Linksys/Netgear/Belkin, which pack - to a certain amount - some functionality in only one device, but at the price of a very restricted flexibility, which might not allow certain customizations.
As for a way to set up a guest network with TP-Link's business class gear, see http://forum.tp-link.com/showthread.php?99022-How-to-configure-Multiple-SSIDs-work-with-Multiple-VLANs-based-on-EAP-products.
Next alternative is to use a cheap SOHO device with a guest network. Since those SOHO devices often don't offer VLANs, you will need a VLAN-capable switch such as the TL-SG2008 or T1600G-28TS (if you want business class devices). If a SOHO device would be o.k., you could also use a TL-SG108E.
Third alternative is to use a SOHO router running OpenWRT, DD-WRT, Tomato, Gargoyle or LEDE. This OS (it's basically the same base for all of the mentioned distributions) does offer separate networks to implement a guest network and it also supports 802.1Q VLANs. A recipe for such a setup is available in the OpenWRT wiki and also in the TP-Link subforum for Easy Smart Switches.
Fourth and last alternative I know of is to wait for a new router announced already by TP-Link, which will implement a guest network separation for easy setups with EAPs. But I have no idea when this device will be available finally.
Anyway, I can't find this to be a "nightmare", I have set up such networks with EAPs many times in different ways.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#9
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 1
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2016-12-12
2016-12-12 01:51:54
Posts: 1
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2016-12-12
Information
Helpful: 0
Views: 2039
Replies: 8
Voters 0
No one has voted for it yet.
Tags
Report Inappropriate Content
Transfer Module
New message