Not isolated Guest Wlan with EAP 220

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-02-15 19:38:04 - last edited 2020-02-17 08:20:26
Model: EAP220  
Hardware Version:
Firmware Version:

Hello,

I bought an EAP220 because my old DSL router did not support 5 GHz Wifi. The old one could provide a guest WLAN - because I can create multiple SSIDs with EAP220, I thought this would be an easy job.

Environment:

SSID "FirstWiFi" is for my own private Clients, and so on.

SSID "Guest" for people visiting me AND using a wireless printer, which is using "Guest" also.

If I do turn on SSID isolation, "Guest" devices can not access my private devices using "FirstWiFi" - so far so good. But because of SSID isolation they also can not see each other WITHIN "Guest", and therefore can not use the printer.

My question is: How can I provide a WiFi network that has no access to "FirstWiFi" but devices within the guest SSID can communicate with each other?

Thank you for any help and best regards!

#1
Re:Not isolated Guest Wlan with EAP 220
2020-02-17 09:37:22

@dggro

When we create an SSID and check SSID Isolation, the clients connected to this SSID cannot communicate with each other.

If I do turn on SSID isolation, "Guest" devices can not access my private devices using "FirstWiFi" - so far so good.

Here you say the clients connected to the Guest cannot communicate with the "First WiFi". Can you upload a photo of the SSID Isolation settings? We want to check it.

#2
Re:Not isolated Guest Wlan with EAP 220
2020-02-17 12:35:34 - last edited 2020-02-17 13:02:39

 

dggro wrote

If I do turn on SSID isolation, "Guest" devices can not access my private devices using "FirstWiFi" - so far so good. But because of SSID isolation they also can not see each other WITHIN "Guest", and therefore can not use the printer.

 

Client Isolation is a setting in the WiFi chip, so it affects all clients inside the same SSID. If you enable Client Isolation (sometimes called SSID Isolation despite the fact that it isolates clients, not SSIDs) it always will affect all client devices in this SSID.

 

In case of Omada or EAP controller it will also deny access to clients in other SSIDs on the same radio and even to wired clients in the RFC1918 Private IP space, which IMO is wrong (tested with EAP Controller V2.7.0 as well as with Omada Controller V3.0.2, which both had a separate Client Isolation setting).

 

In order to grant access to a wireless printer, you have to create an ACL allowing access to your printer and you need to move the printer into the private network (SSID: FirstWiFi). For example, if your printer has IP 192.168.1.10, modify the default ACL in EAP Controller V2.7.0 or create a new ACL in newer versions of Omada Controller:

 

 

Remember to bind the ACL to the guest network:

 

 

 

Note 1: You cannot use an Allow ACL to allow access to your printer, because an Allow ACL will allow access only to the given network(s)/device(s), so your guests would end up having no access to the Internet anymore. When creating Allow ACLs, the default policy (the last resort) will become Deny resp. Block.

 

Note 2: the printer must be located in the first (non-guest) network FirstWiFi if connected wirelessly. Access to devices inside the guest network is still denied even if you set the above ACL allowing access to the printer's IP address – and yes, that's the way Client Isolation is supposed to work, because Client Isolation is an on/off toggle in the WiFi chip, not an ACL.

 

However, IMO it should leave it up to the user to define a policy such as allowing or denying access to other SSIDs and/or to other wired networks. With the ACL above you gain control back over this policy decision.

 

If you want to set up a fully isolated guest network with routing/forwarding to resources such as shared printers/servers in a separate wired or wireless network, see this HowTo (scroll down to Method 2).

#3
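
The policy described in reply #3 (block the private address space for guests, exempt the printer at 192.168.1.10, leave the Internet reachable) can be checked offline before entering it in a controller. The following is an added example, not code from the thread or from TP-Link; the rule-evaluation model, the function names and the sample destinations are assumptions made for illustration, and Client Isolation itself is not modelled.

```python
import ipaddress

# RFC 1918 private ranges that the guest SSID should not reach.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRINTER = ipaddress.ip_network("192.168.1.10/32")  # printer IP from the post


def block_list_without(exempt, ranges=RFC1918):
    """Return CIDR blocks covering `ranges` except the `exempt` host."""
    blocks = []
    for net in ranges:
        if exempt.subnet_of(net):
            # address_exclude() splits the range around the exempt host.
            blocks.extend(net.address_exclude(exempt))
        else:
            blocks.append(net)
    return sorted(blocks)


def permitted(dst, rules, mode):
    """Assumed semantics, following Note 1 of the post:
    'block' denies the listed subnets and allows everything else;
    'allow' permits the listed subnets and denies everything else."""
    hit = any(ipaddress.ip_address(dst) in net for net in rules)
    return not hit if mode == "block" else hit


BLOCK_RULES = block_list_without(PRINTER)

if __name__ == "__main__":
    print(len(BLOCK_RULES), "block entries")
    # Constructed sample destinations: printer, private host, other
    # private range, public address.
    for dst in ("192.168.1.10", "192.168.1.20", "10.0.0.5", "8.8.8.8"):
        print(dst,
              "block-ACL:", permitted(dst, BLOCK_RULES, "block"),
              "allow-ACL:", permitted(dst, [PRINTER], "allow"))
```

The allow-ACL column shows the effect from Note 1: with only the printer on an Allow list, the public address is denied as well.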