TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point
Does anyone know which (if any) Access Points out there will enable me to isolate guests from my home LAN? I would just like to be able to connect my main router via a 20m cable to this new device located in our annexe such that 'Guests' connect to it on wifi but won't be able to access any part of the main house network.
Would a ... 'TP-Link EAP225 Omada AC1350 Dual-Band WiFi 5 Access Point (AC)' possibly work?
Thanks
Hey
The answer is YES and NO sadly.. let me explain
On its own the EAP225 can't do this, it requires a Controller to enable this feature.
If you have a Raspberry Pi around you can create a controller for FREE.. else the OC200 is very reasonably priced (€60 $65 US) and that will do the job. Set up your home SSID on the controller as you would normally, then create another SSID called GUEST or whatever you fancy, tick the box for "guest network" and presto... 2 SSIDs set up and the Guest one is locked away from talking to anything. Adopt the AP onto the controller and job done..
Guest mode on the controller disables the ability of anyone on that SSID to do anything but internet surfing.. it's locked out of your SSID and can't even talk to other guests..
Hope that helps and screenie below
@Philbert Many thanks for the info.
Just a quick question on this.
I've since bought both an OC200 and an EAP225 and set them up such that I 'think' I have 'guest' isolation from my LAN. It seems to be fine. However, I'm a little puzzled by some of the YouTube videos that seem to indicate that I also need VLANs too. I created them but had no luck in connecting at all on the WiFi so I've removed them.
Thoughts?
Hey
It really depends on what you want to achieve? If you are just looking for a Guest SSID locked away so that anyone connected to it can't see your other devices, then what you have at the moment will work.
However if you are wanting total isolation, by this I mean a different IP range, subnet etc etc then you will need to implement VLANs.. more below
Before starting I'm assuming you don't have an Omada Switch and Router? Namely you are using your ISP router / switch? If so then the "guest" setting on the SSID is all you have to work with as VLANs require a full Omada network (more later).
Assuming you don't have an Omada setup, in short the "guest" setting will allow the devices to get an IP address in the same range as your other SSIDs (192.168.z.x) but will automatically set controls to stop them from talking to the other devices. So your PC could have 192.168.1.5 and your guest has 192.168.1.6 however the guest will be blocked from talking to anything on your network. Fundamentally internet use only.
The disadvantage of this is it only works on wireless devices and should anyone plug into your switch, they will have full access. It's handy for home guest users in fairness
A full Omada network (Router, Switch and EAP) will allow you to take this further by creating VLANs.. This basically means you can have all the "guests" on a separate network address, say 192.168.50.x and then use Access Control Lists (ACLs) to block traffic between your private VLAN and the guest VLAN. It's almost like having a totally separate network for your Guests, you can even apply the VLAN to ports on the switch so if anyone plugs into the switch.. it's locked to guest access only.
This is more secure, but more complicated and costs more in hardware. As said if you don't have the router and switch to run this, creating VLANs won't do anything for you.
Hope that helps?
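A way to check the two behaviours described in the post above from a laptop joined to the guest SSID; this is an added example, not part of the thread. The 192.168.1.0/24 home range, the target hosts and ports, and the internet target are assumptions to replace with your own values.

```python
import ipaddress
import socket

# Assumed values (not from the thread): adjust to your own network.
HOME_LAN = "192.168.1.0/24"
# Hosts on the home LAN that are known to answer when probed from the home SSID.
LAN_TARGETS = [("192.168.1.5", 445), ("192.168.1.5", 3389)]
INTERNET_TARGET = ("1.1.1.1", 443)


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_guest_isolation(my_ip, home_lan, lan_targets, internet_target,
                          probe=tcp_reachable):
    """Assess guest isolation as seen by one client on the guest SSID."""
    addr = ipaddress.ip_address(my_ip)
    leaks = [(h, p) for h, p in lan_targets if probe(h, p)]
    internet = probe(*internet_target)
    # Address inside the home range: SSID-level guest mode (filtering on the AP).
    # Address outside it: guests are on their own subnet (VLAN setup).
    same = addr in ipaddress.ip_network(home_lan)
    mode = "guest-ssid-same-subnet" if same else "separate-subnet"
    # Without internet the run is inconclusive, so it is not counted as isolated.
    return {"mode": mode, "internet": internet, "leaks": leaks,
            "isolated": internet and not leaks}


def local_ip(target=INTERNET_TARGET):
    """Source IP the OS picks for outbound traffic (UDP connect sends no packet)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect(target)
        return s.getsockname()[0]


if __name__ == "__main__":
    print(check_guest_isolation(local_ip(), HOME_LAN, LAN_TARGETS, INTERNET_TARGET))
```

A closed port looks the same as a blocked one, so confirm each LAN target answers from the home SSID before trusting an empty `leaks` list. The result only describes the wireless client it ran on; a device cabled into the same switch is outside what the guest SSID setting controls.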
Hi,
Thanks for that. I guess it's like I thought in that I'd need to invest in say an ER605 router (or similar) in order to create new subnets for different groups.
Much obliged for clarifying.
Got it in one
The ER605 sets up the IP Ranges for you to allocate out. The Omada switch then 'trunks' the data along those VLANs to the ER605..
It's probably overkill for most people to be honest!
Thanks. Now just one further question.
In the 'Outhouse' where I have the guest access, I use(d) an old router as the access point and dumb switch. If I continue with this just as a switch with my new oc200 and EAP225 hooked up, I guess I'm still open to someone plugging in a cable to the old router and getting into my LAN.
So... If I use a smart switch in its place (I have one somewhere), will I be able to configure that to block out inquisitive cable-plugger-inner people?
Hey
If I'm correct in interpreting what you are saying, then sadly not, a smart switch won't help you; you would need an Omada router and switch to control this.
As you won't have VLANs at present and the old router won't offer anything like this, then sadly anything on those ports will be straight into your private network. Even if you had a smart switch and all ports locked down, there is nothing stopping someone just unplugging the router and jacking in that way.
One possibility is a smart switch at your side with some MAC address control on the port for the Old AP, that way it only allows that specific device to connect.. but that's not ideal really. As you have no VLAN capable router, VLANs are not an option for you.
What you are looking to do would require a VLAN, ideally the only traffic going to the 'outhouse' should be guest traffic on a guest VLAN. Any non-VLAN setup could be easily bypassed as the trunk port to that AP could be jacked into.
Tricky one for you..
Thanks again. I better get the new router ordered soon huh. The costs just keep mounting. :)
Just a further question. Is there any setting that I might have missed whereby I can have the Omada App notify me immediately if anyone joins the 'Guest' network?
Thanks