OC200 4.1.5 1.7.0 Build 20200703 Rel.59609 Client Isolation for SSID to LAN devices

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-09-29 18:10:31
Model: OC200  
Hardware Version: V4
Firmware Version: 1.7.0 Build 20200703 Rel.59609

Hi

Recently purchased OC200 + 5 x EAP115-Wall and 5 x EAP115 APs.

Replacing an existing Openmesh network.

Flat LAN, single IP schema 192.168.0.0/24 with a gateway of 192.168.0.254.

Sonicwall providing the gateway and LAN DHCP range.

Two SSIDs:

 - "Secure" with devices having full LAN access including printers etc.

 - "Guest" with no LAN access (Client Isolation, so only to have access to itself and the Internet)

When we initially did the scope to replace the existing solution, the Omada solution ticked all the boxes for cloud management and guest client isolation.

But having come to set it up and configure it, the current version seems far from straightforward.

Having set up Guest Wifi and ticked the Guest Network (this seems to indicate client isolation), wireless clients, although they cannot access each other, do seem to be able to scan the LAN network and the devices on the network. How is this prevented?

Having skimmed through the various documents / FAQs and these support pages, it seems to imply that when Guest Network is ticked, some hidden ACL rules are enabled that prevent wireless clients accessing LAN devices. But having connected a laptop to the Guest Wifi and run a network scan, I see all the LAN devices, and whilst I am unable to access any of the devices, having knowledge of the issued IP addresses and MAC addresses is not acceptable.

Is there a guide on how to prevent this on a guest connected device?
#1
Re:OC200 4.1.5 1.7.0 Build 20200703 Rel.59609 Client Isolation for SSID to LAN devices
2020-09-29 23:14:18

@Ueella, you can prevent it by using VLANs and two broadcast domains.

See the HowTo here, read about the two methods for a guest network. If you have questions, feel free to post in this thread you created.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
Re:OC200 4.1.5 1.7.0 Build 20200703 Rel.59609 Client Isolation for SSID to LAN devices
2020-09-30 08:05:24

@R1D2

Thank you, but that's not really an option for us. We don't manage the network or the firewall, and we have been told by the client that VLANs are not an option for the network, so it's not a route I would want to pursue with them.

We have little to no experience with the TP-Link units, but the InWall APs were the main reason for choosing this solution over the Openmesh, EnGenius, Ruckus and Draytek solutions we have previously used (all of which provide simple Client Isolation check boxes and truly deliver client isolation from everything apart from themselves and access to the external gateway). All the documentation indicates that Client Isolation is straightforward, but looking at your link to the documentation, it seems far from straightforward and requires network reconfiguration in order to achieve it.

The solution seems to offer partial client isolation, in that wireless users are unable to discover each other but can discover LAN devices via a simple network scan, although from initial testing actual access is denied, so the issue is how to prevent a scan of the network from wireless client devices. There seemed to be other threads that indicate the use of ACLs can prevent this, but access is still required for the gateway, the DHCP/DNS and the OC200, and it's unclear how this is achieved.

Kind Regards
Andy

#3
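An added example, not part of any post in this thread and not Omada configuration syntax: a Python model of the allow-then-deny ACL ordering that post #3 asks about, audited against the thread's 192.168.0.0/24 LAN and 192.168.0.254 gateway. The OC200 address 192.168.0.10, the rule tuple format and first-match evaluation are assumptions; the model covers IP destination filtering only, not ARP or other layer-2 discovery.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")       # from the thread
GATEWAY = ipaddress.ip_address("192.168.0.254")    # from the thread (Sonicwall: gateway + DHCP)
CONTROLLER = ipaddress.ip_address("192.168.0.10")  # assumed OC200 address (placeholder)
REQUIRED = [GATEWAY, CONTROLLER]                   # hosts a guest must still reach

# Assumed rule format: (action, destination network). First match wins;
# traffic that matches no rule is permitted (Internet destinations).
GOOD = [
    ("permit", f"{GATEWAY}/32"),     # gateway, DHCP and DNS (assumed to be on the Sonicwall)
    ("permit", f"{CONTROLLER}/32"),  # controller
    ("deny", str(LAN)),              # every other LAN host
]
# Same rules, wrong order: the broad deny shadows the permits.
BAD = [GOOD[2], GOOD[0], GOOD[1]]


def decide(rules, dst):
    """Return 'permit' or 'deny' for one destination under first-match rules."""
    dst = ipaddress.ip_address(dst)
    for action, net in rules:
        if dst in ipaddress.ip_network(net):
            return action
    return "permit"


def audit(rules, lan, required):
    """Return (required hosts that are blocked, other LAN hosts still reachable)."""
    required = {ipaddress.ip_address(r) for r in required}
    blocked = sorted(r for r in required if decide(rules, r) != "permit")
    exposed = [h for h in lan.hosts()
               if h not in required and decide(rules, h) == "permit"]
    return blocked, exposed


if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD), ("no rules", [])):
        blocked, exposed = audit(rules, LAN, REQUIRED)
        print(f"{name}: blocked required={[str(b) for b in blocked]}, "
              f"exposed LAN hosts={len(exposed)}")
```

An audit result of no blocked required hosts and no exposed LAN hosts is the target; the misordered set shows the common failure where guests lose their gateway and controller access.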
Re:OC200 4.1.5 1.7.0 Build 20200703 Rel.59609 Client Isolation for SSID to LAN devices
2020-09-30 11:11:56

@Ueella, ok, if VLANs are not an option, then I cannot help any further, sorry.

Just a note: I do not speak for TP-Link and I'm not a TP-Link employee.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
