IoT network issue on Deco X55
I have a fairly new 3-pack Deco X55 system, v1.6, which I really like. TP-Link just released a new firmware version (1.2.0 Build 20230113 Rel. 54525) with a separate IoT network feature, which is what I (and many others apparently) have been waiting for. It's great that TP-Link is listening!
However, I installed the new firmware, but unfortunately I think that they messed up and didn't really understand what was needed. In particular, I did some simple testing, and when logged on the IoT WiFi SSID, I can see all the devices on my main network: computers, NAS, printers, etc. IMO, the main point of an IoT network is to isolate the IoT devices from the rest of the network, so this new feature is basically useless to me as-is! Does anyone know of a workaround? If not, I'm hoping the TP-Link engineering team is listening and can fix this soon. Right now I maintain two physically separate router networks, one dedicated for IoT, but it would be great to use the Deco X55 for both functions.
Also, I really want the option of having the IoT network devices see each other, but not devices on the main network. That way, if multiple IoT devices need to talk to each other, they could do so (if I so allow), but the main network is protected. As another example, sometimes during the setup for a new IoT device, the configuring system (phone app or website) needs to be able to talk directly to the IoT device, which isn't usually possible on a guest network. If TP-Link is listening here, this should be a user-selectable option on the IoT network (as well as on the guest network, imo). I have seen older D-Link routers that had that kind of user-selectable option on their guest network, and it was very useful at times (e.g., when configuring a new IoT device).
Any input or feedback is appreciated. Thanks!
Tomo2607 wrote
For IOT devices such as Hue Hubs, or Blink / Ring Hubs that are directly connected, being able to group these on the IOT network would be convenient.
@Tomo2607, I agree. Unfortunately, TP-Link's IoT feature isn't really a true IoT network. All it does is provide another SSID for your wireless IoT devices. Every device on the network -- both wired and wireless -- belongs to the same IP network. It's a single, flat network. Instead, TP-Link provides the device isolation feature to "sort of" create an IoT network. It doesn't provide all the functionality of a real IoT network, though, as that "network" is not firewalled from the main "network" -- they are really the same network.
I recently purchased a two pack of X55 and am not quite a 'techy' guy. I put my main X55 in my bedroom and the second one at the opposite end of the house. We have lots of devices linked to the main X55, so was able to put some of the kids' phones, PCs, tablets on the secondary X55. I'm finding that my Ring devices are not staying connected. I talked to technical support who suggested that I change my primary DNS to 8.8.8.8 and secondary to 8.8.4.4.
I am hearing about the IoT and not sure what that is, but wanted to know if the Ring Devices could be on a separate network to maintain stability. Can't seem to get the Deco tech support guys to understand my concern.
Hopefully this is in your wheelhouse, and I thank you in advance!
Craig
Placing the Ring doorbell on the IoT network will not have any effect on it maintaining a connection to your local network. Both the main network and IoT network are on the same wi-fi network, but just using different SSIDs. Your best bet for improving connectivity is to move your X55 units around in your house to find the optimal coverage for your home.
A problem I've observed with device isolation on the Guest Network relates to the DNS server - if it's on a different IP address to the gateway router then clients on the Guest Network cannot access it, making internet connections nigh on impossible.
My network has a broadband router on 192.168.10.1 and a DHCP/DNS server on 192.168.10.254. The DHCP server correctly advertises the default gateway and DNS server addresses in the DHCP Response, so it should be possible for the Decos (I have a bunch of X55s) to permit access to both - because clearly it is permitting access to the default gateway.
The same should be true when the IOT network finally gets device isolation - clients need access to a DNS server as well as the default gateway.
Yes, I could fudge it in my DHCP server by advertising the default gateway or even an external address as a secondary DNS server, but that circumvents the use of a single DNS server on the main network, which I need to have for things like DNS resolution of local hostnames and a local override for an externally-visible FQDN.
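The DNS behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of client isolation that builds the LAN allow-list from a DHCP lease and shows why a resolver on a different address from the gateway gets dropped. The isolation rules are an assumption modeled on the post's description, not TP-Link's firmware logic; the `LEASE` dictionary and function names are hypothetical.

```python
import ipaddress

# Constructed lease, using the addresses given in the post above.
LEASE = {
    "subnet": "192.168.10.0/24",
    "router": "192.168.10.1",      # DHCP option 3 (default gateway)
    "dns": ["192.168.10.254"],     # DHCP option 6 (DNS servers)
}

def allowed_lan_peers(lease, include_dns):
    """LAN addresses an isolated client is permitted to reach.

    include_dns=False models the behaviour the post reports (gateway only);
    include_dns=True models the behaviour the post asks for.
    """
    peers = {ipaddress.ip_address(lease["router"])}
    if include_dns:
        peers.update(ipaddress.ip_address(d) for d in lease["dns"])
    return peers

def verdict(dst, lease, include_dns):
    """Return 'allow' or 'drop' for one destination under client isolation."""
    subnet = ipaddress.ip_network(lease["subnet"])
    addr = ipaddress.ip_address(dst)
    if addr not in subnet:
        return "allow"             # off-subnet traffic is routed via the gateway
    if addr in allowed_lan_peers(lease, include_dns):
        return "allow"
    return "drop"                  # every other host on the LAN is isolated

def dns_reachable(lease, include_dns):
    """True if every advertised resolver is reachable by an isolated client."""
    return all(verdict(d, lease, include_dns) == "allow" for d in lease["dns"])

if __name__ == "__main__":
    for policy, include_dns in (("gateway only", False), ("gateway + DNS", True)):
        print(policy)
        for dst in ("192.168.10.1", "192.168.10.254", "192.168.10.50", "8.8.8.8"):
            print(f"  {dst:<16} {verdict(dst, LEASE, include_dns)}")
        print(f"  resolvers reachable: {dns_reachable(LEASE, include_dns)}")
```

An external resolver passes under the gateway-only policy because it is off-subnet, which is why the workaround the post mentions works but bypasses the local DNS server.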
I wish I had come across this discussion before I bought all the Deco gear. I was under the impression that IoT devices would automatically be isolated (i.e. they will not be able to communicate with anyone outside that SSID). I am very puzzled by what TPLink was thinking. Device isolation helps but why not just isolate IoT altogether - or at least provide an option to configure that behavior. This one is def a head-scratcher.
@LaatSaab if you want device isolation use the Guest Network feature and remember that the router needs to be running DNS as well as being the gateway, because that's the only LAN IP address that isolated clients are allowed to communicate with.
TP-Link apparently has something very different in mind when they say "IoT Network". They have tried to explain it to me a couple of times, but it sounds like gibberish. Maybe it is related to the new Matter standard, but I can't figure it out. In any case, having to isolate on a device-by-device basis is both painful and error prone. The entire point of an IoT network, as I and some reasonable fraction of the networking world understand the phrase (e.g., see Steve Gibson on the popular podcast "Security Now"), is precisely to isolate the IoT devices from the rest of the network. I cannot for the life of me figure out why (a) they don't understand this and (b) won't implement it. As long as it's an optional setting, implementing IoT network isolation doesn't change how TP-Link thinks the IoT Network should be used (whatever the heck they think that is), and it solves the problem for those of us (the majority of customers, I suspect) who want that feature.
What I find particularly galling about this is that older and less expensive TP-Link routers had EXACTLY this functionality on their Guest Networks, with configuration options allowing owners to decide to isolate guests from the main network and from each other. So TP-Link knows how to do this, they know it's easy to do, and they know it has some value. Adding a so-called "IoT Network" without (easily enabled) device isolation frankly seems like a bad joke to me.
Just my $0.02 worth...
These conversations are going round and round. I'm using the x55 in AP mode. It's silly everyone keeps saying "network" when they mean SSID. If you are on the same broadcast domain you are not on a different network. As far as I can tell the new IOT "Network" SSID does nothing for security.
My one feature request... Treat your customers like adults. Don't create the arbitrary SSID profiles with little to no advanced settings. Allow for vLAN tagging. I see some models allow this in guest but apparently not on my x55s. Maybe it's a pro feature requiring more horsepower, but since the guest network is in the 591 it would be nice to have access to it. I tried to tag 591 to my switch and no go. Seems your document only allows 591 AP to AP with setups where a managed switch is extending the backplane.
I'm quite frustrated because I like the devices, but without vLAN tagging I'm going to have to move on to another system, or buy another mesh setup just so I can run IOT on a separate vLAN.