Deco Guest isolation not working even in router mode

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Deco Guest isolation not working even in router mode

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Deco Guest isolation not working even in router mode
Deco Guest isolation not working even in router mode
2019-12-22 13:57:11 - last edited 2019-12-24 17:50:43
Model: Deco M5  
Hardware Version: V3
Firmware Version: 1.3.2 Build 20190624 Rel. 59384

I've got a single Deco M5 (V3, firmware 1.3.2 Build 20190624 Rel. 59384), connected to the host network (192.168.1.x) via an ethernet cable.

Clients on the Deco Guest WiFi network (192.168.68.x) can access everything on the host network, desktops, printers, the Deco Web UI itself. That's clearly not ideal, I'd like guests to only be able to browse the internet and be completely firewalled off the host network.

The Deco M5 is in "router mode", as confirmed by the fact that host (wired) and guest (WiFi) networks have different address ranges.

 

Has anyone experienced the same issue?

 

any help is appreciated,

--

Giuliano

  0      
  0      
#1
Options
1 Accepted Solution
Re:Deco Guest isolation not working even in router mode-Solution
2019-12-23 15:15:08 - last edited 2019-12-24 17:50:43

@Kevin_Z 

The issue is that currently, @giuliano108 is using the Deco in router mode, but connected to his isp router like in AP mode.

 

@giuliano108, you should actually move everything behind the Deco if you want proper guest network isolation. And if you can put your isp modem or router in bridge mode, as suggested by Kevin _Z, that would be even better and easier to manage. 

Recommended Solution
  0  
  0  
#5
Options
9 Reply
Re:Deco Guest isolation not working even in router mode
2019-12-22 21:03:58

@giuliano108 

If I am not wrong, you are simply doing a double NAT, without having the Deco handle directly the connection. Then, your 192.168.1.x is considered as "the Internet" for the Deco in router mode, and is therefore allowed for guest network... 

  0  
  0  
#2
Options
Re:Deco Guest isolation not working even in router mode
2019-12-22 21:51:07

Thanks for replying @Glassman1976 !

 

The topology is exactly as you described it.

 

Do you know if there's an easy workaround to get what I want? If the Deco supported custom firewall rules it'd be just a matter of dropping all traffic with source 192.168.68.x and destination 192.168.1.x ...

Otherwise I guess I'll have to move all the existing non-Deco clients (wired or wifi) "behind the Deco" too...

 

thanks again,

--

Giuliano

  0  
  0  
#3
Options
Re:Deco Guest isolation not working even in router mode
2019-12-23 07:22:23 - last edited 2019-12-23 07:24:22

@giuliano108 

 

Hello, the guest network and host network are separated from each other by default in router mode. From your description, they obtain IP addresses in different subnet, there should be something wrong. Cause the IP address is assigned by the same Deco, the devices connected to the guest network/host network have the same subnet IP address.

 

You can open Deco app and enable guest network; Then try to connect two computer/smart phones to the guest network and host network separately; after that, try to ping each other and show us the results. 

 

To avoid double NAT issue, you can configure the main router as the bridge mode and use the main Deco as the only DHCP server; or configure the Deco as access point to boost the wifi signal. 

 

Good day. 

Nice to Meet You in Our TP-Link Community. Check Out the Latest Posts: Connect TP-Link Archer BE550 to Germany's DS-Lite (Dual Stack Lite) Internet via WAN Archer GE550 - BE9300 Tri-Band Wi-Fi 7 Gaming Router Archer BE800 New Firmware Added Support for EasyMesh in AP Mode, DoH&DoT, and 3-Band MLO Connection Archer AX90 New Firmware Added Support for EasyMesh and Ethernet Backhaul If you found a post or response helpful, please click Helpful (arrow pointing upward icon). If you are the author of a topic, remember to mark a helpful reply as the "Recommended Solution" (star icon) so that others can benefit from it.
  1  
  1  
#4
Options
Re:Deco Guest isolation not working even in router mode-Solution
2019-12-23 15:15:08 - last edited 2019-12-24 17:50:43

@Kevin_Z 

The issue is that currently, @giuliano108 is using the Deco in router mode, but connected to his isp router like in AP mode.

 

@giuliano108, you should actually move everything behind the Deco if you want proper guest network isolation. And if you can put your isp modem or router in bridge mode, as suggested by Kevin _Z, that would be even better and easier to manage. 

Recommended Solution
  0  
  0  
#5
Options
Re:Deco Guest isolation not working even in router mode
2019-12-24 17:50:31

 

 

> you should actually move everything behind the Deco if you want proper guest network isolation. And if you can put your isp modem or router in bridge mode, as suggested by Kevin _Z, that would be even better and easier to manage. 

 

That's what I ended up doing. Since the ISP router can't act as a bridge I simply connected it (and nothing else) to the first ethernet port on the Deco (I've also disaled WiFi on the ISP router). The wired clients are connected to a switch, which in turn goes on the second ethernet port on the Deco. Guest isolation works properly now.

 

Thanks @Glassman1976 and @Kevin_Z  !

  0  
  0  
#6
Options
Re:Deco Guest isolation not working even in router mode
2021-02-08 18:43:26

@giuliano108 

I tried the exact same config and can still access the private LAN on a Deco X20. I cannot fathom why TP-Link would neglect to include an isolation setting for the guest networks like almost everyone else in the industry does. I would rather not create VLANs or bridging routers simple because of the unnecessary complexity. It would even be nice if one could route all guest SSID traffic from one of the Deco ports to a specific gateway, e.g. the ISP router/modem.

 

I will keep my old guest network on and go back to using extenders until this issue is resolved.

  0  
  0  
#7
Options
Re:Deco Guest isolation not working even in router mode
2021-02-09 02:50:13 - last edited 2022-02-24 07:07:12

@Gus5301 

Hi, Thank you very much for your kind feedback.

Since I tested on my side, the guest wireless network and main wireless network are separated from each other.

So for your case, could you please help me draw a detailed picture of your network structure;

And please also post some pictures that how you found out guest devices were still accessible to the main wireless network;

Thanks a lot and wait for your reply.

  1  
  1  
#8
Options
Re:Deco Guest isolation not working even in router mode
2022-02-23 11:13:28

  @TP-Link 

 

I did the same test. I have my deco in router mode. i connected one IOT device to guest network and another one to the main network. I can do actions between this two IOT devices, so i suppose that isolation not work properly. regards

  1  
  1  
#9
Options
Re:Deco Guest isolation not working even in router mode
2022-02-24 07:17:00

  @hj44 

Welcome to the community.

May I know what are these two IoT devices that you used for the test?

How did you test the communication between these two devices?

Thank you very much.

  0  
  0  
#10
Options