Block airplay via EAP

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-06-19 17:15:15
Model: EAP110-Outdoor
Hardware Version: V5
Firmware Version:

Hi,

I have 7 EAP-110s and 1 EAP-225, which go through unmanaged switches back to the router, which is a TP-Link MR400, and an OC200 controller.

The EAP-225 has three further 225s meshed to it.

Every EAP is set to Guest mode, clients can only connect to SSIDs set as guest mode, and from testing I could not find a way where a client could ping or see another client on the network.

I have not currently set up a VLAN for each EAP.

However, it turns out AirPlay and potentially other Google Home/Alexa/Roku devices are visible across the network and clients are able to attempt to stream to other clients' devices.

I'm sure this is user error on my part because this can't be acceptable in any business, but TP-Link support are telling me it's not possible to block this.

Can someone else shed some light on this please?

#1
Re: Block airplay via EAP
2023-06-19 19:37:10

@Anthony1001

As I understand it, even though the clients may 'see' each other, they are not permitted to establish point-to-point connections to other clients on private IPs. So I might see your printer or Roku box based on broadcast packets... but you should never be able to ping it directly or establish any kind of connection with it.

You could try playing around with switch ACLs to try to block broadcast packets originating locally and terminating locally.

<< Paying it forward, one juicy problem at a time... >>
#2
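What the 'see' in the reply above means in practice: AirPlay, Chromecast and Roku devices announce themselves with mDNS, which is sent to the multicast group 224.0.0.251 on UDP 5353 and so reaches every client in the broadcast domain, whereas guest-mode client isolation is aimed at the unicast connection that follows. The Python below is an added example, not code from this thread or from TP-Link: it decodes a constructed mDNS response (device name, host and port are made up) to show exactly what a guest client learns from a single announcement, which is the traffic a switch ACL or mDNS filter would need to address.

```python
import struct
PTR, SRV = 12, 33   # mDNS (multicast 224.0.0.251:5353) record types of interest

def read_name(pkt, off):
    # Decode a DNS name, following RFC 1035 compression pointers.
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            end = off + 2 if end is None else end  # resume after first pointer
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    return ".".join(labels), (off if end is None else end)

def parse_mdns(pkt):
    # Return (name, rtype, data) per answer; PTR and SRV rdata are decoded.
    qd, an = struct.unpack_from("!HH", pkt, 4)
    off, answers = 12, []
    for _ in range(qd):                            # skip any question section
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        data = pkt[off:off + rdlen]                # raw rdata unless decoded below
        if rtype == PTR:                           # service type -> instance name
            data = read_name(pkt, off)[0]
        elif rtype == SRV:                         # priority, weight, port, target
            data = (read_name(pkt, off + 6)[0], struct.unpack_from("!H", pkt, off + 4)[0])
        answers.append((name, rtype, data))
        off += rdlen
    return answers

def airplay_targets(pkt):
    # Map each advertised AirPlay instance to the (host, port) it points at.
    ans = parse_mdns(pkt)
    srv = {n: d for n, t, d in ans if t == SRV}
    return {d: srv.get(d) for n, t, d in ans if t == PTR and n.startswith("_airplay.")}
def _name(s):                                      # uncompressed wire-format name
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
# Constructed sample (not a real capture): one PTR + one SRV answer, no questions.
SAMPLE = (struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)
          + _name("_airplay._tcp.local") + struct.pack("!HHIH", PTR, 1, 4500, 14)
          + b"\x0bLiving Room\xc0\x0c"             # label + pointer to offset 12
          + b"\xc0\x2b" + struct.pack("!HHIH", SRV, 1, 120, 18)  # name = ptr to offset 43
          + struct.pack("!HHH", 0, 0, 7000) + _name("roku.local"))
```

Running `airplay_targets(SAMPLE)` yields the instance name mapped to `('roku.local', 7000)`; whether isolation actually holds is a separate question, answered by checking that a unicast connection from a second guest client to that host and port is refused.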
Re: Block airplay via EAP
2023-06-19 20:15:32

@d0ugmac1

Sadly that's not quite the case. Clicking the found device attempts to connect. In my test case the phone sent a command to the TV to display a connection code via the Roku box, so this caused the Roku box to turn the TV on. So certainly too much of a connection is being made.

It also suggests there could be more vulnerabilities where clients could connect to each other.

Could you show me a suggested outline for the ACL?

#3
Re: Block airplay via EAP
2023-06-19 20:20:58 - last edited 2023-06-19 20:22:15

@Anthony1001

I think you may need a managed switch (i.e. SG2008 or better) to implement a working ACL, which I would do as a Switch ACL. You can try it as an EAP ACL (which doesn't have the bidirectional option), but historically the Gateway and EAP ACLs have not always worked as expected.

Here I block all LANs from talking to one another, which logically should also prevent members of the same subnet (but I don't know if that is how the controller->switch is implemented).

 

<< Paying it forward, one juicy problem at a time... >>
#4
Re: Block airplay via EAP
2023-06-19 21:04:44
Ok, the only option I have is the SSID from Source and Destination leaves IP Group_Any. Correct me if I'm wrong though, but if both clients are on the same EAP then a managed switch won't help, as traffic won't be routed to the switch? I currently can't set up VLANs as the MR400 doesn't support it. It's been suggested the ER7206 is a good start, which will then route to the MR400. All of this seems overkill though, for something that should be stopped by guest mode.
#5
Re: Block airplay via EAP
2023-06-19 21:06:58

@Anthony1001

Agree. Sounds like a ticket or feature request.

<< Paying it forward, one juicy problem at a time... >>
#6
Re: Block airplay via EAP
2023-06-19 21:17:05
Sadly I'm two tickets in with TP-Link and they don't understand, or don't seem to think this is an issue. I must be missing the point, because any premises with Omada is going to be having this issue. Am I right in thinking that for two clients connected to an EAP, their traffic doesn't go through the router, or would all traffic go to the router even if both clients are on the same EAP?
#7