Deco Guest isolation not working even in router mode
I've got a single Deco M5 (V3, firmware 1.3.2 Build 20190624 Rel. 59384), connected to the host network (192.168.1.x) via an ethernet cable.
Clients on the Deco Guest WiFi network (192.168.68.x) can access everything on the host network: desktops, printers, the Deco Web UI itself. That's clearly not ideal; I'd like guests to only be able to browse the internet and be completely firewalled off from the host network.
The Deco M5 is in "router mode", as confirmed by the fact that host (wired) and guest (WiFi) networks have different address ranges.
Has anyone experienced the same issue?
Any help is appreciated,
--
Giuliano
The issue is that currently, @giuliano108 is using the Deco in router mode, but connected to his ISP router like in AP mode.
@giuliano108, you should actually move everything behind the Deco if you want proper guest network isolation. And if you can put your ISP modem or router in bridge mode, as suggested by Kevin_Z, that would be even better and easier to manage.
If I am not wrong, you are simply doing a double NAT, without having the Deco handle the connection directly. Then, your 192.168.1.x is considered as "the Internet" for the Deco in router mode, and is therefore allowed for the guest network...
Thanks for replying, @Glassman1976!
The topology is exactly as you described it.
Do you know if there's an easy workaround to get what I want? If the Deco supported custom firewall rules it'd be just a matter of dropping all traffic with source 192.168.68.x and destination 192.168.1.x ...
Otherwise I guess I'll have to move all the existing non-Deco clients (wired or wifi) "behind the Deco" too...
Thanks again,
--
Giuliano
Hello, the guest network and host network are separated from each other by default in router mode. From your description, they obtain IP addresses in different subnets, so there should be something wrong. Because the IP addresses are assigned by the same Deco, the devices connected to the guest network/host network have the same subnet IP address.
You can open the Deco app and enable the guest network; then try to connect two computers/smartphones to the guest network and host network separately; after that, try to ping each other and show us the results.
To avoid the double NAT issue, you can configure the main router in bridge mode and use the main Deco as the only DHCP server, or configure the Deco as an access point to boost the WiFi signal.
Good day.
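The cross-network test suggested above can be scripted from a client on the guest WiFi. This is an added example, not part of the original thread or TP-Link's tooling; the subnets are the ones quoted in the thread, while the target hosts, ports and function names are constructed assumptions.

```python
import ipaddress
import socket

# Subnets from the thread: guest clients get 192.168.68.x, the upstream
# (ISP router) LAN is 192.168.1.x. The target list is constructed sample data.
GUEST_NET = ipaddress.ip_network("192.168.68.0/24")
PROTECTED_NET = ipaddress.ip_network("192.168.1.0/24")
SAMPLE_TARGETS = [("192.168.1.1", 80), ("192.168.1.50", 9100), ("192.168.68.1", 80)]


def tcp_probe(host, port, timeout=1.0):
    """Return 'open', 'refused' or 'filtered' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: usually the host itself answered
    except OSError:
        return "filtered"  # timeout or unreachable: nothing useful came back


def check_isolation(client_ip, targets, probe=tcp_probe):
    """Probe targets from a guest client and list apparent isolation failures.

    A target inside PROTECTED_NET that answers ('open' or 'refused') suggests
    guest traffic is being routed into the private LAN and needs a closer look.
    """
    if ipaddress.ip_address(client_ip) not in GUEST_NET:
        raise ValueError(f"{client_ip} is not on the guest network {GUEST_NET}")
    leaks = []
    for host, port in targets:
        if ipaddress.ip_address(host) not in PROTECTED_NET:
            continue  # only the private LAN matters for this check
        state = probe(host, port)
        if state in ("open", "refused"):
            leaks.append((host, port, state))
    return leaks


if __name__ == "__main__":
    import sys
    # Usage: python3 check_isolation.py <this client's guest IP address>
    for host, port, state in check_isolation(sys.argv[1], SAMPLE_TARGETS):
        print(f"NOT ISOLATED: {host}:{port} is {state} from the guest network")
```

An empty result after rewiring (ISP router on the Deco's first port, everything else behind the Deco) matches the "isolation works" outcome reported later in the thread.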
> you should actually move everything behind the Deco if you want proper guest network isolation. And if you can put your ISP modem or router in bridge mode, as suggested by Kevin_Z, that would be even better and easier to manage.
That's what I ended up doing. Since the ISP router can't act as a bridge I simply connected it (and nothing else) to the first ethernet port on the Deco (I've also disabled WiFi on the ISP router). The wired clients are connected to a switch, which in turn goes on the second ethernet port on the Deco. Guest isolation works properly now.
Thanks @Glassman1976 and @Kevin_Z!
I tried the exact same config and can still access the private LAN on a Deco X20. I cannot fathom why TP-Link would neglect to include an isolation setting for the guest networks like almost everyone else in the industry does. I would rather not create VLANs or bridging routers simply because of the unnecessary complexity. It would even be nice if one could route all guest SSID traffic from one of the Deco ports to a specific gateway, e.g. the ISP router/modem.
I will keep my old guest network on and go back to using extenders until this issue is resolved.
Hi, thank you very much for your kind feedback.
When I tested on my side, the guest wireless network and main wireless network were separated from each other.
So for your case, could you please help me by drawing a detailed picture of your network structure?
And please also post some pictures showing how you found out guest devices were still accessible to the main wireless network.
Thanks a lot; I'll wait for your reply.
I did the same test. I have my Deco in router mode. I connected one IoT device to the guest network and another one to the main network. I can do actions between these two IoT devices, so I suppose that isolation does not work properly. Regards
Welcome to the community.
May I know what are these two IoT devices that you used for the test?
How did you test the communication between these two devices?
Thank you very much.