Guest WiFi where guests can access each other, but not the LAN.

2020-10-10 14:18:54
Model: OC200  
Hardware Version: V1
Firmware Version: 4.1.5

For a client I've replaced a single Archer MR200 router in a large domestic setup with an OC200 and 4 EAP225. But I'm struggling to configure a guest network with the recent GUI update on the OC200.

I'm trying to emulate the previous setup, which is that the Archer AC200 permits a guest network, where the guests could see each other, but not access the LAN.

This facilitated guests in guest rooms being able to access Chromecast TV on the guest wifi.

With the OC200, the only option seems to be to set an SSID as having a guest status, which isolates all devices. This prevents a guest phone from reaching the guest Chromecast.
Re:Guest WiFi where guests can access each other, but not the LAN.
2020-10-11 22:43:56

CarbonPepper wrote

With the OC200, the only option seems to be to set an SSID as having a guest status, which isolates all devices. This prevents a guest phone from reaching the guest Chromecast.


Unfortunately, the common »Client Isolation« setting (falsely called »SSID Isolation« in older Omada Controllers < V3.x) has been transformed into »Guest Network« setting, which not only turns on »Client Isolation« in the WiFi chip, but also installs an invisible access control rule (ACL) blocking private IPs.

This option has been introduced to allow for a »single click« easy guest network setup without the need to configure a separate, isolated guest network on the router.

However, for your use case you need a separate guest network so you can isolate it from the LAN and you want to turn off »Guest Network«, so clients associated to the same SSID/radio can access each other. You then could define an ACL on OC200 or use firewall rules on your router to block traffic into the LAN while allowing traffic inside the guest network, thus allowing clients to access each other using even different EAPs.

A common way to set up such a topology is using a VLAN-aware router, since you need VLAN-mapped SSIDs for the LAN and guest network if you want to serve both networks wirelessly. See this HowTo (scroll down to the section named »Method 2«) for an example of setting up a LAN and a guest network using VLANs. Ignore the part which enables »Guest Network«.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
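
The difference between the »Guest Network« toggle and the separate guest network with its own ACL, as described in the reply above, shown as an added example that is not part of the thread and not TP-Link's code. It is a simplified first-match model in Python; the subnets, host addresses and names (`GUEST_TOGGLE`, `CUSTOM_ACL`, `allowed`, `audit`) are constructed assumptions, and gateway/DHCP handling is not modelled.

```python
import ipaddress

# Constructed addressing plan; the thread gives no subnets.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.20.0/24")   # VLAN-mapped guest SSID
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Policy = (client isolation on the radio?, ordered ACL of (action, dst net)).
# Simplified model of the "Guest Network" toggle as the reply describes it:
# client isolation plus a rule set blocking private destinations.
GUEST_TOGGLE = (True, [("deny", n) for n in PRIVATE])
# Hypothetical replacement: toggle off, guest subnet permitted before the
# private-range denies, so rule order matters.
CUSTOM_ACL = (False, [("permit", GUEST)] + [("deny", n) for n in PRIVATE])


def allowed(policy, src, dst):
    """Return True if a guest client at src may reach dst under policy."""
    isolation, acl = policy
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Client isolation drops traffic between wireless peers before any ACL.
    if isolation and src in GUEST and dst in GUEST:
        return False
    for action, net in acl:          # first match wins
        if dst in net:
            return action == "permit"
    return True                      # unmatched (internet) traffic passes


def audit(policy):
    """Check the three flows the thread cares about (constructed hosts)."""
    phone = "192.168.20.50"
    return {
        "phone->chromecast": allowed(policy, phone, "192.168.20.60"),
        "phone->lan_host": allowed(policy, phone, "192.168.1.10"),
        "phone->internet": allowed(policy, phone, "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, policy in (("guest toggle", GUEST_TOGGLE),
                         ("custom ACL", CUSTOM_ACL)):
        print(name, audit(policy))
```

Running the same three-flow audit against whatever rules are actually deployed is a quick check that the guest subnet permit sits above the private-range denies; with the order reversed, the Chromecast flow is blocked again.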