EAP610 - Guest Network vs SSID isolation

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

EAP610 - Guest Network vs SSID isolation

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
EAP610 - Guest Network vs SSID isolation
EAP610 - Guest Network vs SSID isolation
2022-01-05 16:31:24
Model: EAP610  
Hardware Version: V1
Firmware Version: 1.0.3 Build 20210806 Rel. 64734(5553)

First off, I just replaced a EAP245 V1 (not V3). I am NOT using any controller, but a single EAP in standalone mode. I configure the device via the EAP web interface.

 

Setting up the new AP I noticed that the SSID isolation checkbox is missing and replaced with a new Guest Network. From the description, this is a horrible change, but maybe I am misunderstanding it. It says this new feature blocks access to private IP addresses. Isn't that the responsibility of a router? These EAP devices are APs, not routers.

 

I have outside family that bring their wireless devices onto my network, so I have been using SSID isolation to prevent inter-wireless communication. However, their devices need to be able to access some IP addresses on my local private network..namely a DNS server and an NTP server. Any routing permissions are left to my pfSense firewall. For some devices my firewall allows access to a local web server on my private network too. Same for wireless cameras...they should not be able to access any other device on the same SSID, but need to access/stream their data to a local server on my private network.

 

With this new feature if I turn guest network on, I have no access to any of my local LAN devices. If I turn it off, I can have virus/malware infected wireless devices communicating with other wireless devices on the same SSID.

 

I saw some posts about ACL settings, but I am not running a controller, just a single EAP and those settings are not present on the web interface of the EAP!

  0      
  0      
#1
Options
3 Reply
Re:EAP610 - Guest Network vs SSID isolation
2022-01-06 07:53:36

Dear @krbvroc1 ,

 

This article will help you to learn more details of Guest Network, please check Method 2.

How to set Access Control to create guest SSID on Omada Controller/EAP

 

Best Regards!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#2
Options
Re:EAP610 - Guest Network vs SSID isolation
2022-01-06 19:59:59

@Hank21 So the answer is that it is no longer possible to have just SSID isolation when using the EAP 6xx in standalone mode. TP-Link requires that I install the Omada Controller on my network to provide equivalent functionality to the EAP 245 v1 I am replacing. This is a bad engineering decision and one I hope will be reversed. As I mentioned, I do not want inter-SSID communication to avoid a compromised wireless device from being an attack vector to other wireless devices. But now I have to install Omada Controller software on my network, which itself contained the most serious security vulnerability (log4j exploit) in recent history.

 

Additionally, the FAQ link you provided does not match the Omada Controller 4.4.8 software that I downloaded. Where did those screenshots come from? On the software I downloaded, I had to goto Settings, Site, Network Security, ACL and use the EAP ACL tab to add a Permit policy to Permit Source SSID to Destination IPGroup_Any. This effectively disable the private IP blocking that was introduced with the change from SSID Isolation to Guest Network. None of that is explained in the link you provided, even under 'Method 2: How to configure Geust Network on Omada Controller?'

 

Once this is configured, if I power off the Omada Controller, will the EAP continue to operate with these ACL rules (even through power cycles)? Are they permanent without needing to keep the Omada Controller running?

 

I hope this change will be reverted or reworked for those of us using the product in the supported standalone mode. I do not have a large deployment that requires an Omada Controller and I am fine with using the built-in web interface. Layer 3 routing decisions like this do not really belong in a standalone AP.

  1  
  1  
#3
Options
Re:EAP610 - Guest Network vs SSID isolation
2022-01-07 06:06:11

Dear @krbvroc1 ,

 

Yes, now the guest network function is more like ACL + AP Isolation, so if you only need to use the AP Isolation, you can set the EAP ACL on the controller.

 

krbvroc1 wrote

@Hank21

Once this is configured, if I power off the Omada Controller, will the EAP continue to operate with these ACL rules (even through power cycles)? Are they permanent without needing to keep the Omada Controller running?

 

And this function don't need the controller keep running.

And you can download the latest firmware version V5 of controller, it has fixed the security vulnerability.

 

Best Regards!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#4
Options