LAN port isolation on ER707-M2

2024-08-09 19:36:20 - last edited 2024-08-29 01:35:19
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.2.2

 

I have an ER707-M2 for firewall/gateway with PORT1 (WAN), PORT2 (LAN), and PORT3 (AP). I am using PORT3 as a guest Wi-Fi access point. I want to isolate PORT3 from the main LAN on PORT2 but retain internet access via the router for PORT3. How do I configure this?

#1
Re:LAN port isolation on ER707-M2
2024-08-10 07:57:22 - last edited 2024-08-10 08:05:38

  @JamesLu 

 

You can only do it on a VLAN switch. On the router you cannot remove LAN or VLAN1 on a port.

On the router all ports are untagged with VLAN1.
The only thing you can do is change the PVID on a port; you do that on the router property and port.

But why do you use a separate access point for guests? Can't you use a VLAN and give the guests access to the ordinary access points?

 

 

#2
Re:LAN port isolation on ER707-M2
2024-08-10 14:35:07

  @MR.S Is there a good general reference on the VLAN behavior, tags, etc. other than the user guide?

#3
Re:LAN port isolation on ER707-M2
2024-08-10 14:41:29
#4
Re:LAN port isolation on ER707-M2
2024-08-10 14:44:41
Thank you.
#5
Re:LAN port isolation on ER707-M2
2024-08-11 03:17:24 - last edited 2024-08-11 03:18:01

  @MR.S 

 

I created a second LAN and associated VLAN for the port connected to my guest network Wi-Fi AP. It seems to work, but the new LAN can still access the original LAN. Any way to isolate the two?

#6
Re:LAN port isolation on ER707-M2-Solution
2024-08-11 14:18:06 - last edited 2024-08-29 01:35:04

  @JamesLu 

 

This seems to be the solution except you can't block all access to the router (aka Me), so I just blocked HTTP.

 

https://www.tp-link.com/ca/support/faq/4025/

 

Recommended Solution
#7
Re:LAN port isolation on ER707-M2
2024-08-28 14:59:18

  @JamesLu 

In the Firewall - Access Control section, create a policy that blocks the direction LAN_NEW->LAN_ORIGINAL, where the source network is LAN_NEW and the destination network is LAN_ORIGINAL.
This way you will have internet, but you will not be able to access the equipment on your original network through that Wi-Fi; you will still be able to access that AP from your original network. You can block both directions if you want. I hope it helps you.
#8
Re:LAN port isolation on ER707-M2
2024-08-28 15:17:54

  @David11 I ended up blocking LAN->LAN with source AP destination !AP type ANY, and LAN->LAN with source AP destination Me type HTTP.

#9
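
A way to confirm, from a client on the guest (AP) network, that ACL rules like the ones described in this thread behave as intended. This is an added example, not code from any poster or from TP-Link. All addresses are constructed placeholders, and the router HTTPS entry is an assumption: the thread's rule blocks only HTTP, so other management ports are worth checking.

```python
"""Run from a client on the guest network to audit LAN isolation."""
import socket

# Constructed sample values; replace with your own networks.
# (label, host, port, expected_reachable)
CHECKS = [
    ("main LAN host (SMB)",   "192.168.0.10", 445, False),
    ("main LAN host (SSH)",   "192.168.0.10", 22,  False),
    ("router web UI (HTTP)",  "192.168.10.1", 80,  False),
    # Assumption: only HTTP was blocked, so check HTTPS on the router too.
    ("router web UI (HTTPS)", "192.168.10.1", 443, False),
    ("internet (HTTPS)",      "1.1.1.1",      443, True),
]

def tcp_reachable(host, port, timeout=2.0):
    """True if something answered the TCP SYN.

    A refused connection means a packet came back, so it is counted as
    reachable (conservative). A firewall that rejects with RST instead
    of dropping will therefore also show as reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:  # timeout, no route, network unreachable
        return False

def audit(checks, probe=tcp_reachable):
    """Return the checks whose observed reachability differs from the expectation."""
    failures = []
    for label, host, port, expected in checks:
        observed = probe(host, port)
        if observed != expected:
            failures.append((label, host, port, expected, observed))
    return failures

if __name__ == "__main__":
    bad = audit(CHECKS)
    for label, host, port, expected, observed in bad:
        print(f"FAIL {label} {host}:{port} expected reachable={expected}, got {observed}")
    print("isolation OK" if not bad else f"{len(bad)} check(s) failed")
    raise SystemExit(1 if bad else 0)
```

Re-run it after every ACL or firmware change; a non-zero exit status means at least one path differs from the expected state.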