So iv been tinkering around and iv found that its when iv got the firewall switched on

firewall = on
Allow (the packets not specified by any filtering rules to pass through the device)

No rules can be set to block LAN-LAN connections in the FW as it is just for HOST to WAN filtering

The FW being switched on should not affect the "guest networks" access to the LAN regardless of how the FW is set up!

I have been in contact with TP-Link support and they have reproduced this serious fault.

According to our test, we may only switch on deny of the firewall or disable the firewall so that the advanced settings on the guest network will take effect.

The guest network advanced settings should always take the highest prescience, This is the whole point of "Guest" network.

So IF you give someone access to a GUEST connection and set the advanced settings to deny access to LAN & deny access to NAS be aware that you may be opening up your entire LAN to being accessed by the guest regardless of how you have set it up!

I have only tested with the guest on 5GHz guest wifi so maybe the 2.4GHz guest wifi is ok but please be very careful when using the guest wifi

Thanks for pointing this out, my 9980 displays the same behaviour. I also found that if you have a site-to-site IPSec VPN, users on the guest network can access devices on the remote network.

There are a couple of workarounds:
1. Plug a separate AP into one of the LAN sockets, configure that socket as a separate interface group, and use the AP as the guest network.
2. Use either 2.4 or 5 GHz as your main wireless, and the other one as guest wireless, and put the guest one in a separate interface group.

With either approach, disable the onboard guest wireless.

Go into LAN settings and configure the guest interface group on a separate subnet, then guests cannot access other devices on the LAN.

Then go into system tools / manage control and set local management to a non-standard port to restrict access to the router web portal.

You can then use the firewall to control which ports the guest wireless allows (e.g. restrict DNS to OpenDNS servers).

Of course the other alternative is to not bother with the firewall, as it's easy to bypass by anyone who knows what they're doing (VPN on port 80).

P.S. I wonder if these problems are why TP-Link removed the configurable firewall on the latest GUI...? None of the new routers have it.

Cheers for the response , I am aware of your suggestions but always helpful to anyone looking at this particular problem.

In my case i switched off the FW as setting all that up would be a pain especially as i add/remove nodes all the time. (well separate wifi bands is ok but defeats the point in having them).

I suppose my gripe was that a general user (me included) would be assured the guest was secure (according to advanced settings) and can end up losing everything to a guest without having a clue why or that its even happened, until its to late! This is a far worse bug than just a normal fault like dns or ip assignment with dhcp where its just a connection problem etc because of potential data loss / packet sniffing etc

I feel that TP-link have just brushed me off as if to say its nothing important in fact they hardly admitted it was a fault at all but in reality this is very serious (even call-back serious).

I have had several "guests" using my AP for over a year and i use it for certain untrustworthy nodes/apps that should definitely be isolated from my main subnet so who knows what i may have lost.

Thx for your feedback, pity TP-Link have nothing much to say.

Agree, I flagged the IPSec vulnerability 18 months ago and they said it would be fixed in the next firmware. It wasn't.

Still it's easy to address once you know it's happening, and guest wireless isn't any better on other routers; Linksys don't encrypt theirs and the password is in the clear.

indeed, Im just glad you posted because TP-link were implying it was me that was misunderstanding how to use the router but i think its clear this IS a dangerous situation because as you say its easy once you know but why would you even suspect in the first place !

They did ask me to upgrade the firmware too but i strongly suspected it would make no difference and did not want to mess about with it as its the only vdsl i have, you have confirmed i made the correct decision although the router does need reseting every now and again (it does all sorts of weired and wonderful things on occasion). so maybe one day, but i digress.

As for me at least i know now,

thx.

I was quite pleased I'd configured our 9980 firewall to block all manner of traffic until one of the guys from the workshop popped his head around the door and said "there's something wrong with the guest network mate, we had to try loads of different vpn apps until we found one that got through, but SkyBet is working ok now". Waste of time.