When will be fixed the Guest Network issue in AP mode for Deco M4?
When will be fixed the Guest Network issue in AP mode for Deco M4?
Hello,
More than eight months passed since the last firmware that implements "Guest Network" in AP mode, only that the "Guest Network" actually don't comply with the minimal requirement, be separate from the main network. This issue was clearly reported just after firmware release and TP-Link reply the fix would be added in next firmware.
So, when this next firmware will be actually released with the fix?
Regards
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@PCH that is just Wifi Client isolation, so the Wifi clients can't talk to eachother. Everything "below" the Deco AP can be seen.
In my case:
Internet router -> Switch -> Deco
The switch has several wired clients (and actually some more switches attached). The Deco guest network can see all the wired clients, which is not what I want.
I want the Deco (in AP mode) to use VLAN tagging for the guest network on it's ethernet port, so the (VLAN-aware) switch can send the traffic to just the internet router and prevent access to it's wired clients.
M5 seems to have an option for VLAN-tagging for the guest network, but M4 doesn't have it...
- Copy Link
- Report Inappropriate Content
@Ed-win I also have the same network architecture (Internet router -> Switch -> Deco), the devices connect to the guest network can see the devices on the main network (using Fing, for example) but the firsts can't communicate with the lasts (tried accessing shared folder and DLNA server from wired connected desktop). This behaviour isn't just WiFi client isolation, is it?
- Copy Link
- Report Inappropriate Content
@PCH , I thought it was, but you might be right. At least seeing the devices on my main network didn't make me feel comfortable, but I have to test if a wifi-guestnetwork device can access e.g. my storage device and see if Fing finds open ports...
I would prefer real VLAN separation, though (M5 supports it), although for now I don't really need it, because I kept one of my old "accespoints" (actually a router) that runs the guest network now and the guests don't need streaming video performance on all floors of my house ;-)
- Copy Link
- Report Inappropriate Content
@Ed-win let us know what you find out from your tests. I've just run the "open ports" test with Fing and it finds none while connected to the guest network.
Nevertheless, I would also prefer to omit the names of the devices connected to the main wifi network from the guests :-)
- Copy Link
- Report Inappropriate Content
@PCH , I also did some tests (using Fing and a laptop).
Fing "sees" all the wired and wireless devices. But indeed, to most of them you cannot connect.
However, to the main router (the one that is the gateway for my internal network), all open ports are probably accessible (I tested connecting succesfully to ssh/22 and https/443).
Also, one of the Deco's was accessible, probably the one to which the "guest" was connected (connecting to port 80/http succeeded; I noticed there's also an open port 443 and 22).
I'm not a network guru, but I think that all (at least some) broadcast traffic from guests will be received by non-guests and they happily and succesfully reply to the guest.
For one-to-one (unicast) traffic, I think that because the Deco has to forward guest traffic to the router (gateway) so it can potentially get out to the internet, it also allows traffic destined for the router itself and therefor the router remains accessible from the guest network (unfortunately, so I still hope for VLAN support).
- Copy Link
- Report Inappropriate Content
@Ed-win Thanks for the feedback. Hopefully, someone from TP-Link will clarify your findings to the peace of mind of eventually related security issues.
- Copy Link
- Report Inappropriate Content
@PCH So if I understand this thread correctly, in AP mode, a Guest network will allow people to connect to your Deco mesh in a semi secure fashion? ie: They won't have as much access as if connected to your main wifi network, but if they were intent on mischief they might be able to achieve something as the Guest network isn't as secure as it could/should be?
ie: If I created a guest network called "Guest" with no password, that might not be wise security wise currently?
- Copy Link
- Report Inappropriate Content
@NeilF I haven't explored the eventual security risks on the current Deco M4 Guest network. I'm hoping that someone from TP-Link explains to us how the feature is implemented. The devices connected to the Guest Network, although having IPs of the same range of the main network, can't access what is being shared by the devices in the main network (folders, media streaming services, ...) but can access the Internet, which is the main purpose of a Guest Network. As it is, it seems to be working fine for me, fulfilling my expectations.
Guest Networks without password don't seem like a wise choice...
- Copy Link
- Report Inappropriate Content
@PCH "can't access what is being shared by the devices in the main network (folders, media streaming services, ...) "
Well, that seems a good sign! As you say, it's doing what it should be doing at least to some degree!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 2
Views: 4507
Replies: 19