@David-TP thanks for the reply.

The DNS server is not the gateway (neither in my main network nor my guest network). i actually do not have the typical setup where some consumer router appliance does everything.

The DHCP options for the hosts in the guest network is set such such that 8.8.8.8 is set as their DNS server (this is confirmed to be applied)--so you would expect it to go try that via the default gateway. it does not make it out. It DOES work if I enable local access (specifically, all nslookups against 8.8.8.8 works)

It was working correctly with local access off for a several weeks until it just stopped working for some reason...

Several questions:

1. Is all traffic to the gateway supposed to be let through? if i disable local access, I can't ping the gateway from the guest network. not sure if is expected
2. how does the deco decide what the gateway address for the guest clients should be? is it the gateway for the deco's management IP? They are the same in my case, but just asking.

Thank you!

  @David-TP i wasn't saying that the deco management address was the gateway, i was saying the gateway FOR the management address is the same as the gateway for all clients. 

• My whole network is on a 192.168.0.0/22 network.
• Gateway is 192.168.1.1 (i expanded the network from a 192.168.1.0/24 a while back)
  • gateway device is a firewalla gold plus
• Most things get addresses via DHCP, including the deco management hosts (and the gateway gets set to 192.168.1.1 for everyone)
• DHCP/DNS servers are MS domain controllers, and these are NOT the 192.168.1.1 address
  • Hosts on the main ssids use these DNS servers
  • There is a dhcp reservation for specific clients in the guest network to configure their DNS server to 8.8.8.8. This is working correctly.

So, the only part that isn't working correctly is the whitelisting behavior to the default gateway with "local access permitted" off, and that i guess is confirmed with what you said and the ping behavior I see.

The deco is not running the DHCP service as you can see, hence my asking how it decides what address to whitelist as the default gateway when "local access permitted" is off. I think the only reasonable guess is to use the gateway for the management address, assuming it's on the same subnet as the clients, no?

I do have the deco connected to a 10g switch via a 10g port which eventually connects to a firewalla port, and there is also a direct 2.5g connection from the deco to the firewalla, if that is of any interest.

Thanks.

  @metachronism 

Are the guest devices able to ping the DHCP server, even with "local access permitted" off?

What do you see in the arp table of a guest device, after unsuccessfully trying to ping the gateway, or other devices on the main network?

You mention that the guest device shouldn't be able to see your local dns server, but you acknowledge that they see your dhcp server.

In a regular setup, "the LAN IP of your ISP router" is both the DHCP server and the gateway.

Let us hope that the "white list" includes both the DHCP server and the gateway, if they are two distinct devices.

@yves_b no, the guest clients cannot ping anything in the subnet when the flag is off, and that includes the DHCP servers (they're actually the same hosts as the LAN DNS servers). I don't know  tplink's implementation of the "allow local access" feature, but I doubt it's some VLAN implementation under the hood but rather an IP-based filter mechanism. Thus, I would actually expect DHCP broadcasts to unconditionally be allowed through and responded to--otherwise, guests would never be able to obtain an address unless using deco's DHCP service. This is corroborated by the fact that the DHCP broadcasts do get a response on the guest network even with "allow local access" off.

I have the "allow local access" flag on as a workaround at the moment, so I'll need to turn it off again to see what the arp table looks like in that condition--I'll report back what I see once I do.

Thanks!