Guest Wifi Feature - Deco M9
Hi,
I've just purchased a Deco M9 home mesh wifi system and I am running it in route mode. I've enabled the wifi guest feature and it doesn't seem to be much of anything other than a separate wifi SSID with its own password.
The guest network uses the underlying main network. For example, the IP addresses assigned to the guest network are part of the main network's DHCP range and there appears to be no way of isolating it from the main network from an IP4 perspective (at least I haven't found a way). I think that having a guest network should mean that the administrator has some way of isolating it from the main host network. For example, I should be able to assign a separate subnet/cidr block to the guest network or provide different routes and internet gateways as desired. The way it currently stands, the "Guest Network" feature is nothing more than a separate password and SSID to the same underlying network. Am I missing something?
Thanks,
B
The Deco is the DHCP server when it works in router mode, and the IP addresses of connected devices will be assigned by the Deco directly, no matter which wifi they are connected to. So a device which connects to the guest network will still be in the same subnet.
For your information, the guest network is isolated from the host network by default when the Deco works in router mode. That is to say, the devices connected to the guest/host network won't be able to access each other.
Hope it helps.
While there is no physical separation between the LAN and the Guest LAN interfaces (wireless radios in this case), TP-Link seems to do the "isolation" at the firewall layer. As you pointed out, the DHCP range is the same for both networks. Best I can tell, they are using iptables under the hood, but that's just a guess. In my case, I have to migrate a bunch of clients from an old SSID to the new Mesh SSID, but in order to change the client configs, I need to be on the old SSID. I quickly discovered that the guest cannot communicate with the non-guest and vice-versa. I did find, however, that if you connect two devices to the guest network, both can talk to each other and no ports seem to be blocked. For me this worked well, but I completely agree that there needs to be more control.
At a minimum I'd like to see a separate DHCP range for the guest network and preferably the ability to create an entire separate subnet. This way, the network admin can tell at a quick glance of the UI which devices are guests.
I also feel that there should be an option to let the guest and non-guest clients talk to each other. The default should definitely behave as it does by creating the isolation, but I feel the option to override it for situations like the one I describe should be left to, and controlled by, the network administrator.
@can_nw_admin1 Sorry, this is probably not a helpful response, but hopefully support reads it and makes this a more versatile product for us all.
There is only one DHCP server on the Deco itself, and it does not support multiple subnets, unlike the business router, so the clients connected to the Deco will be in the same subnet, no matter which wifi they are connected to.
But the Deco does not support SSID isolation. The clients connected to the guest network can still talk to each other, and so can those on the host network.
And the guest network and host network are not isolated from each other when the Deco works in AP mode. As for the plan to add the option to toggle isolation on/off manually, you can wait for the updates.
Hope it helps.
Thanks for the reply, although I'm not referring to AP mode.
I've done a fair amount of testing and am sure the guest addresses are being blocked from communicating with the host network when in Router mode. Even ICMP is blocked.
The other observations and suggestions from my previous post are just that, suggestions, so thanks for listening. So far I'm very happy with the product, with a few exceptions which I've posted in other threads.
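One way to repeat the isolation check described in this thread from a client joined to the guest SSID, as an added example (not code from any poster or from TP-Link): it attempts TCP connections to main-network devices and separates silent drops from replies. The port list and the names `probe` and `assess` are assumptions, and the target IPs you pass must belong to main-network devices you have confirmed are powered on.

```python
import socket
import sys

# Assumption: ports for services commonly exposed by home devices.
DEFAULT_PORTS = (22, 80, 443, 445)

def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt made from this client.

    open     - handshake completed, so traffic passes both ways
    refused  - a reset or reject came back (from the host or a firewall)
    filtered - nothing came back before the timeout, or no route
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout and "no route to host"
        return "filtered"
    finally:
        sock.close()

def assess(targets, ports=DEFAULT_PORTS, timeout=2.0, probe_fn=probe):
    """Probe every target/port pair and return (verdict, per-probe results)."""
    results = {(h, p): probe_fn(h, p, timeout) for h in targets for p in ports}
    if not results:
        raise ValueError("no targets given")
    states = set(results.values())
    if "open" in states:
        verdict = "not isolated"   # at least one main-network service answered
    elif "refused" in states:
        verdict = "inconclusive"   # a reject proves a reply path, not its sender
    else:
        verdict = "isolated"       # every probe was silently dropped
    return verdict, results

if __name__ == "__main__":
    # Usage: python3 guest_check.py <main-network IP> [<main-network IP> ...]
    if len(sys.argv) < 2:
        sys.exit("usage: guest_check.py <main-network IP> [...]")
    verdict, results = assess(sys.argv[1:])
    for (host, port), state in sorted(results.items()):
        print(f"{host}:{port} {state}")
    print("verdict:", verdict)
```

Running it once in router mode and once in AP mode against the same targets shows the difference the replies in this thread describe.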
I agree with you. I've dug a bit also and it does look like, as you said, traffic is blocked at the Deco router from flowing to an IP on the non-guest network. I would also agree that there must be some use of iptables to do this.
I feel the same about the product. Overall I'm happy with it; I just find the guest wifi feature a bit rudimentary and lacking any ability to administer it. I think the product road map needs to include some enhancements to make the guest network customizable. Features for me would be:
- customizable route tables
- Ability to assign separate IP CIDR blocks for guests
- custom fw rules
Thanks for everyone's responses to this thread.
Hi, I am running my Deco M9 Plus set in AP mode. I have changed my wifi configuration (not broadcasting, new pw) as I don't want to have the kids share the wifi & password with guests. I have read this thread but am still a bit confused: is the guest network feature (in AP mode) secure?
@kaja69 In AP mode the guest network is not separated from the main network.
@6b6561 ok... In AP mode (only config I have used so far) the app defaults with the option to enable an open (no password) guest network (I know I can set a pw). From what you are saying, does that mean NO security at all because of AP mode? In other words, full access to all other nodes on the network logged in through the regular wifi (with hidden SSID and secure pw)?