EAP320 Client Isolation

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2016-12-12 01:51:54
Hello,

I'm installing 3 EAP APs with a PC on which the EAP Controller software is installed. Even if I enable "SSID Isolation" on the specific network, all clients can access each other. Is there a simple way to enable client isolation at the AP or controller level?

Thanks!
#1
8 Reply
Re:EAP320 Client Isolation
2017-01-19 05:30:56
I would like to know this as well, having the same issue...
#2
Re:EAP320 Client Isolation
2017-01-30 19:52:13
Same here... Please put "Client isolation" to the wishlist :)
#3
Re:EAP320 Client Isolation
2017-09-25 00:57:26
Ditto. I need to have my wr702n communicate with only a single client. I want no others to be able to access the internet via the 702. The 702n drives a remote ring doorbell. It is not for any other public consumption. Authorizing access to a single MAC would do the trick nicely.
#4
Re:EAP320 Client Isolation
2017-09-25 08:12:13

Drdan wrote

Ditto. I need to have my wr702n communicate with only a single client. I want no others to be able to access the internet via the 702. The 702n drives a remote ring doorbell. It is not for any other public consumption. Authorizing access to a single MAC would do the trick nicely.


Indeed, "SSID isolation" (also called "client isolation") on EAPs works as expected with current firmware. "Client isolation" is a feature of the WiFi chip and it prevents connections between a wireless client and any other wireless clients. Client isolation is not suitable to deny access of clients to the (wired) LAN nor to the Internet.

What you would need to disable Internet access for specific clients is called "access control". To deny access to the Internet for specific clients you either need firewall rules in the router or access control lists (which effectively is the same as firewall rules on a router, but could be set in EAP controller or in a L2+/L3 switch, too).

As for the WR702, I don't know whether it has access control features. This is the forum for EAPs, so you might want to ask in the Home / WiFi Routers subforum.
#5
Re:EAP320 Client Isolation
2017-09-25 08:24:25
Thanks much r1d2 for the education. I can always put epoxy in the LAN jack. It was indeed the wireless I wanted to restrict to a single device. Reckon I need to research access control.
#6
Re:EAP320 Client Isolation
2017-09-26 01:43:38

Drdan wrote

Thanks much r1d2 for the education. I can always put epoxy in the LAN jack. It was indeed the wireless I wanted to restrict to a single device. Reckon I need to research access control.


You're welcome. To simplify your research: if you want to open your WiFi for only one device, you could use a strong WPA2 key (>= 20 characters is strong) or another built-in function of most WiFi chips called MAC filter (that's MAC authorization) or even both techniques in combination.

From your first post I thought you just wanted to deny access of other wireless clients to the Internet, but not to your LAN - this would need access control/firewalling. But to restrict the WiFi to one device only, you could use the techniques mentioned above.
#7
Re:EAP320 Client Isolation
2017-09-26 04:21:56
The only issue here is a client that wants an internal wireless SSID and a guest SSID. The internal one is there to provide access for security cameras and other devices that need to access the internal network and the guest is obviously open for their clients to use. I suppose setting up VLANs would then be the solution here where internal would be VLAN1 and guest VLAN2?
The next issue would be if the router/switch doesn't support VLAN and how to get DHCP to work since your devices don't seem to allow separate IP ranges to be assigned to a guest network. I've had an in-depth discussion with support for some of our clients with a router that would only allow it to be the DHCP server for both the domain and guest network using the same pool of IPs when using isolation. This practice has proven to be a nightmare as guest devices tend to use up IPs that are needed for the internal network. A resolution to this would be to have a separate DHCP range for the guest network like any low-end Linksys/Netgear/Belkin etc etc etc does.
#8
Re:EAP320 Client Isolation
2017-09-26 18:08:41

KalanVryce wrote

VLAN and how to get DHCP to work since your devices don't seem to allow separate IP ranges to be assigned to a guest network.


First of all, please note that I am not from TP-Link and the EAPs are not "my" devices. I'm just another user like you.

Re guest network: The way TP-Link implements guest networks is through a multi-nets NAT-capable router such as the TL-ER6120 together with a L3/L2+-switch such as the T2600G-28TS. This is the business class solution, it's not comparable to SOHO devices from Linksys/Netgear/Belkin, which pack - to a certain amount - some functionality in only one device, but at the price of a very restricted flexibility, which might not allow certain customizations.

As for a way to set up a guest network with TP-Link's business class gear, see http://forum.tp-link.com/showthread.php?99022-How-to-configure-Multiple-SSIDs-work-with-Multiple-VLANs-based-on-EAP-products.

Next alternative is to use a cheap SOHO device with a guest network. Since those SOHO devices often don't offer VLANs, you will need a VLAN-capable switch such as the TL-SG2008 or T1600G-28TS (if you want business class devices). If a SOHO device would be o.k., you could also use a TL-SG108E.

Third alternative is to use a SOHO router running OpenWRT, DD-WRT, Tomato, Gargoyle or LEDE. This OS (it's basically the same base for all of the mentioned distributions) does offer separate networks to implement a guest network and it also supports 802.1Q VLANs. A recipe for such a setup is available in the OpenWRT wiki and also in the TP-Link subforum for Easy Smart Switches.

Fourth and last alternative I know of is to wait for a new router announced already by TP-Link, which will implement a guest network separation for easy setups with EAPs. But I have no idea when this device will be available finally.

Anyway, I can't find this to be a "nightmare", I have set up such networks with EAPs many times in different ways.
#9
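
The separation discussed in this thread, as an added example that is not from any poster and is not TP-Link configuration: an nftables ruleset for a Linux-based router (the third alternative above) that keeps a guest VLAN away from the internal VLAN and denies Internet access to listed MAC addresses. Interface names, VLAN IDs, subnets and the MAC address are assumptions; the AP's SSID/client isolation still has to block wireless-to-wireless traffic inside one SSID, because that traffic never reaches the router.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed layout:
#   eth0   = WAN uplink
#   eth1.1 = internal SSID, VLAN 1, 192.168.1.0/24
#   eth1.2 = guest SSID,    VLAN 2, 192.168.2.0/24 (own DHCP pool)
# Loading this file replaces the complete ruleset on the router.
flush ruleset

define WAN   = "eth0"
define LAN   = "eth1.1"
define GUEST = "eth1.2"

table inet filter {
    # Internal clients that must not reach the Internet ("access control").
    # 02:00:00:00:00:01 is a placeholder MAC, not a real device.
    set no_internet {
        type ether_addr
        elements = { 02:00:00:00:00:01 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN accept
        # Guests may only use DHCP and DNS on the router itself,
        # not its management interface.
        iifname $GUEST udp dport { 53, 67 } accept
        iifname $GUEST tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Per-MAC deny, evaluated before the general LAN allow rule.
        iifname $LAN oifname $WAN ether saddr @no_internet drop
        iifname $LAN oifname $WAN accept
        # Guests get the Internet only; guest -> LAN has no accept rule
        # and is dropped by the chain policy.
        iifname $GUEST oifname $WAN accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

MAC-based rules only stop devices that keep their address, so treat the `no_internet` set as a convenience control and rely on the VLAN boundary for the actual guest/internal separation.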