@Philbert Many thinaks for the info. 

  @Philbert 

Just a quick question on this.  

I've since bought both an OC200 and an EAP225 and set them up such that I 'think' I have 'guest' isolation from my LAN.  It seems to be fine.  However, I'm a little puzzled by some of the youtube videos that seem to indicate that I also need VLANs too.   I created them but had no luck in connecting at all on the WiFi so I've removed them.

Thoughts?  

  @tp4sb 

Hey

It really depends on what you want to achieve?   If you are just looking for a Guest SSID locked away so that anyone connected to it cant see your other devices, then what you have at the moment will work

However if you are wanting total isolation, by this I mean a different IP range, subnet etc etc then you will need to implement vlans..   more below

Before starting I'm assuming you don't have an Omada Switch and Router?   Namely you are using your ISP router / switch?     If so then the "guest" setting on the SSID is all you have to work with as vlans require a full omada network (more later).

Assuming you don't have an Omada setup, in short the "guest" setting will allow the devices to get an IP address in the same range as your other SSIDs  (192.168.z.x) but will automatically set controls to stop them from talking to the other devices.   So your PC could have 192.168.1.5  and your guest has 192.168.1.6   however the guest will be blocked from talking to anything on your network.  Fundamentally internet use only.

The disadvantage of this is it only works on wireless devices and should anyone plug into your switch, they will have full access.   It's handy for home guest users in fairness

A full Omada network (Router, Switch and EAP) will allow you to take this further by creating VLANs..   This basically means you can have all the "guests" on a separate network address, say 192.168.50.x  and then use Access Control Lists (ACLs) to block traffic between your private VLAN and the guest VLAN.     Its almost like having a totally separate network for your Guests, you can even apply the VLAN to ports on the switch so if anyone plugs into the switch.. its locked to guest access only.

This is more secure, but more complicated and costs more in hardware.   As said if you don't have the router and switch to run this, creating vlans wont do anything for you.

Hope that helps?

  @Philbert 

Hi,

Thanks for that.  I guess it's like I thought in that I'd need to invest in say an ER605 router (or similar) in order to create new subnets for different groups.

Much obliged for clarifying. 

  @tp4sb 

Got it in one

The ER605 sets up the IP Ranges for you to allocate out.   The Omada switch then 'trunks' the data along those VLANs to the ER605..

Its probably overkill for most people to be honest!

  @Philbert 

Thanks. Now just one further question. 

In the 'Outhouse' where I have the guest access, I use(d) an old router as the access point and dumb switch. If I continue with this just as a switch with my new oc200 and EAP225 hooked up, I guess I'm still open to someone plugging in a cable to the old router and getting into my LAN.

So... If I use a smart switch in its place (I have one somewhere), will I be able to configure that to block out inquisitive cable-plugger-inner people? 

  @tp4sb 

Hey

If im correct in interpreting what you are saying, then sadly not a smart switch wont help you; you would need an Omada router and switch to control this.

As you wont have VLANs at present and the old router wont offer anything like this, then sadly anything on those ports will be straight into your private network.    Even if you had a smart switch and all ports locked down, there is nothing stopping someone just unplugging the router and jacking in that way.

One possibility is a smart switch at your side with some MAC address control on the port for the Old AP, that way it only allows that specific device to connect.. but that's not ideal really.  As you have no VLAN capable router, VLANs are not an option for you

What you are looking to do would require a VLAN, ideally the only traffic going to the 'outhouse' should be guest traffic on a guest vlan.    Any non vlan setup could be easily bypassed as the trunk port to that AP could be jacked into.

Tricky one for you..

  @Philbert 

Thanks again. I better get the new router ordered soon huh. The costs just keep mounting. :) 

  @tp4sb 

Just a further question.  Is there any setting that I might have missed whereby I can have the Oamda App notify me immediately if anyone joins the 'Guest' network?

Thanks