This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.When will the Guest Network in the EAP225 be fixed ?
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Based on a simple setup without the Omada Controller with a couple of 2.4 Mhz and 5 Mhz SSIDs and one guest SSID
I want to segment the local network for IOT devices not having acces to the local network.
The Guest Network in the EAP225 V3 2.6.1 is broken as there is no local IP isolation.
1) There is still ping access to other devices within the local networks when connected to the guest SSID
2) Having a guest SSID defined causes the isolation to function after some time on all other SSIDs necessitating a reboot of the EAP225 e.g. when wanting to using chromecast from an Android phone
This has been discussed before in this community, but no action has been taken to fix these bugs.
The Guest Network in the EAP225 V3 2.6.1 is broken as there is no local IP isolation.
This feature also takes effect on my network topology, when you create the SSID, please check the guest network. After the client devices connect to this SSID, these devices cannot communicate with each other and they cannot access the private subnet.
I am enclosing some screendumps of the setup of the EAP225. I have reduced the configuration to as simple as possible.
My Samsung Galaxy S8 on the iot_nomap SSID can ping my PC on the wired local network (same 10.30.3.0/24 subnet) as well as the TP-link HS100 on another SSID, which I don't think it should be able to.
@joergent, I'm sorry, but this works for me, too.
Tested with MacBook & Android tablet on EAP225v3 with firmware 2.6.1:
Ping from MacBook (.205) to router(.1), server (.10), Android tablet (.204):
dhcp-205 $ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
dhcp-205 $ ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Request timeout for icmp_seq 0
^C
--- 192.168.1.10 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
dhcp-205 $ ping 192.168.1.204
PING 192.168.1.204 (192.168.1.204): 56 data bytes
Request timeout for icmp_seq 0
^C
--- 192.168.1.204 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
dhcp-205 $
@joergent, the 10.0.0.0/8 IP range indeed reveals an issue:
Router: 10.30.3.1/24
Android: 10.30.3.66/24
MacBook: 10.30.3.216/24
Wireless settings as in last post, »guest_nomap« is the Guest network:
Ping to the router (.1) and Android tablet (.66):
$ ping 10.30.3.1
PING 10.30.3.1 (10.30.3.1): 56 data bytes
64 bytes from 10.30.3.1: icmp_seq=0 ttl=64 time=1.218 ms
^C
--- 10.30.3.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.218/1.218/1.218/0.000 ms
$ ping 10.30.3.66
PING 10.30.3.66 (10.30.3.66): 56 data bytes
64 bytes from 10.30.3.66: icmp_seq=0 ttl=64 time=8.239 ms
^C
--- 10.30.3.66 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 8.239/8.239/8.239/0.000 ms
$
Only client isolation inside the same virtual wireless interface works, but not blocking private IPs:
$ ping 10.30.3.66
PING 10.30.3.66 (10.30.3.66): 56 data bytes
Request timeout for icmp_seq 0
^C
--- 10.30.3.66 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
$
@forrest, please can you validate this? I can't execute ebtables on my EAP to proof it.
