Preferred setup for Ethernet Backhaul in Access Point mode

Thursday
Model: Archer AX55  
Hardware Version: V1
Firmware Version: 1.3.3 Build 20240628 rel.37017(4555)

Hi,

Just to be sure:

 

What is TP-Link's recommendation for setting up EasyMesh with Ethernet Backhaul when using two AX55 WiFi devices both in Access Point mode and situated in an existing switched LAN network?

 

From the currently supplied TP-Link information - it is not obvious to me if it would serve us best to use the AX55 WAN ports for access to the LAN and for the Ethernet Backhaul connection - or to use only the two built-in AX55 LAN switches (4 ports each) for all connections.

 

Like this (WAN ports in use):

 

 

Regards

zEnterHacker

#1
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Thursday - last edited Thursday

  @zEnterHacker 

 

Yes, it's not obvious but your network diagram seems fine and this should work as expected.

In general, when a router is set to a dedicated AP mode, its WAN port should be used for an uplink.

If this was helpful click once on the arrow pointing upward. If this solves your issue, click once the star to mark it as a "Recommended Solution".
#2
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Thursday - last edited Thursday

Hi @terziyski 

 

Thanks a lot for your prompt answer.

 

Now having cleared that the network topology is OK and "the way to do it" I have a more serious question:

 

Looking at the Official AX55 V1 Firmware download page (ver 1.3.3) it seems like the following new features are supposed to work in AP mode:

6. Add support for EasyMesh in AP mode;
7. Add support for EasyMesh Network via Ethernet Backhaul;
9. Add isolation of Guest Network and Main Network in AP mode;

 

Now if you (while running in AP mode/Easymesh/Ethernet Backhaul) activate the Guest network and untick: 

   Allow guests to see each other

   Allow guests to access your local network

 

IMHO - this means that clients connected to the Guest WiFi mesh are now supposed to be isolated from the LAN and from each other - BUT is this really the case?

 

Which devices in the drawing above are expected to be seen in a complete port-scan (all subnet IPs all ports) if scanned from a WiFi client connected to the "isolated" Guest WiFi network?

 

Regards

zEnterHacker

#3
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Thursday - last edited Thursday

zEnterHacker wrote

Now if you (while running in AP mode/Easymesh/Ethernet Backhaul) activate the Guest network and untick: 

   Allow guests to see each other

   Allow guests to access your local network

 

IMHO - this means that clients connected to the Guest WiFi mesh are now supposed to be isolated from the LAN and from each other - BUT is this really the case?

 

Which devices in the drawing above are expected to be seen in a complete port-scan (all subnet IPs all ports) if scanned from a WiFi client connected to the "isolated" Guest WiFi network?

  @zEnterHacker 

 

Yes, with these two features disabled your statement should be correct, if you do a scan from a device connected to the guest network.

#4
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Thursday

Hi @terziyski 

 

Yea - all IP addresses on the LAN subnet (except for the Default Gateway) should be blocked for Guest WiFi clients - But I tell you that's not how it works!

 

First of all I see no Guest Network on the satellite AP, only one 2.4 GHz channel and one 5 GHz channel generated on the Master AP.

So IMHO GUEST networks do not operate correctly under EasyMesh. This is totally unexpected from what you would expect from a router mesh pair of the exact same make & model.

 

Secondly - if I port-scan the entire subnet from a roaming WiFi client connected to the GUEST network of the main AP - I get open ports for ALL DEVICES on my LAN except from the IP of the main AP itself (well, there is one single response from UDP port 5351 - perhaps this is the Ethernet Backhaul port?)

So again IMHO the LAN network is TOTALLY OPEN to Guests while it was supposed to be isolated. What is this? (A MAJOR SECURITY HOLE!)

- While connected to the Guest Network I can access the stream from every Chinese security cam also on the "isolated Guest Network", meaning that they can also access every device on the LAN and WiFi clients can indeed see each other - NOT exactly a cool feature this Guest isolation!

 

If You want an isolated GUEST EasyMesh network do it like this - but it will double your investment and your electricity bill - see below.

The RED GUEST routers are not using a Guest Network SSID but just configured as if it were a normal LAN & EasyMesh - but uplinked to a DMZ port on the main Firewall (Creating a real isolation of the LAN network - Clients on this network can see each other).

Yea I know - totally unacceptable solution - but I just don't trust this GUEST network thing!

 

If someone in R&D / Senior Engineering would care to comment on this - it would be much appreciated because this is really not good!

 

(Note: The DHCP server is in Auto Mode - meaning that it is the DHCP server in the main gateway/firewall that handles all IP assignments)

 

Regards

zEnterHacker
 

#5
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Thursday

  @zEnterHacker 

 

I forgot to mention that there's a known limitation with Guest and IoT network when Easymesh is used.

These two SSIDs are not transmitted on the satellite routers, i.e. your device should not be able to roam between main and satellite routers when connected only to the guest network. I saw that you've already reached out to @Marvin_S with these questions (here) - let's hope TP-Link will get back to you soon.

#6
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Friday

Hi @terziyski 


Yes - but that thread is more about the other issue with the missing option to see and manage clients on the satellite AP when Ethernet Backhaul mode is active (it works in normal WiFi EasyMesh mode) - so I thought I'd try to isolate the problems a bit - you got my point ;-)

 

If you say it's a known limitation that enabling a Guest Network on the main router of an EasyMesh system does not work - or does not include any satellites - then you could argue that this should have been warned about in the WebGUI. I mean, you lose the ability to set up a Guest network locally on the satellite AP as soon as it becomes a part of an EasyMesh system - so the only logical conclusion is that this should have been controlled by settings on the main EasyMesh router. Is there a plan to fix this?

 

Anyway the claimed isolation of Guests from the LAN should definitely work and not only just block normal TCP traffic to the IP of the main AP. I mean, imagine all the users who do not know how to port scan - how are they to be told that their LAN Network is TOTALLY OPEN to Guests when they have set all possible isolation features of the AX55 in AP mode?

 

As I said - I have un-ticked:

   -Allow guests to see each other  (should have prevented Guest WiFi clients from being able to see each other)

   -Allow guests to access your local network (should have prevented any access to any client and somehow only allowed traffic that is supposed to be routed to the WAN via the main Gateway)

 

Further I tried to tick:

   +AP Isolation Enabled (should have prevented all WiFi clients from being able to see each other)

 

And yet I get port scan responses from all devices including LAN clients and WiFi clients on both the normal SSID and the Guest SSID - as if turning on the AP feature simply makes the AX55 perform like an un-managed switch for all reachable network devices.

 

I am deeply shocked - and really hope this is being taken as a serious problem, especially since the AX55 must have some sort of SPI firewall that takes care of protecting the local network when acting as a normal router directly exposed to the Internet via the ISP modem/router.

 

Regards

zEnterHacker

 

#7
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Friday

  @zEnterHacker 

 

So far when set in AP mode the router works pretty much as an unmanaged switch for its wired devices (and all SSIDs) - wired/wireless networks are bridged.

Here's the difference between router mode and AP mode - in AP mode the SPI Firewall shouldn't be available at all.

Now when TP-Link have implemented the guest network isolation in AP mode for AX55, this should behave the way you've described.

I would suggest doing the port scan from a device that only knows the guest SSID (i.e. main SSIDs forgotten) and seeing if there's any change in the behavior.

I can't tell much more about guest SSID not transmitted by the satellite devices - this question can be answered only by a TP-Link representative - details.

#8
Re:Preferred setup for Ethernet Backhaul in Access Point mode
Yesterday - last edited Yesterday

Hi @terziyski 

 

All port scans are done with a roaming WiFi client connected to the GUEST SSID, and yes, the roaming client in question has knowledge of the normal SSID giving full access to all devices. Just to be sure I deleted the normal SSID and did a re-scan. Everything was still open - all devices responded: WiFi clients on normal SSID as well as clients on the GUEST SSID and all wired LAN clients.

 

The only difference between scanning from the normal SSID and the GUEST SSID is:

 

Normal SSID scan response from main AX55 in AP mode:
 Port 80 (TCP)
 Port 443 (TCP)
 Port 20001 (TCP)
 Port 5351 (UDP)

GUEST SSID scan response from main AX55 in AP mode:
 Port 5351 (UDP)

 

The rest of device responses are identical on the two scans. This means that the only form of isolation taking place is that you cannot access the WebGUI of the main Router from an "isolated" client on the GUEST SSID but the other satellite AX55 AP, private NAS servers, Printers and stuff are all completely open to attacks from a GUEST Client. This is NOT what is supposed to happen!

 

I hope this will be officially acknowledged by TP-Link and fixed in an upcoming release.

 

Regards

zEnterHacker

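The posts above verify guest isolation by hand: scan from a client on the guest SSID and compare what answers against what should answer. The script below turns that check into a repeatable policy test. It is an added example, not code from this thread or from TP-Link: it parses nmap's grepable (-oG) output, which the thread never mentions, and applies the policy the poster expects (a guest client should get replies only from the default gateway; anything else that answers on any port is an isolation violation). The addresses and the scan lines are constructed to mirror the observations in the thread (main AP answering only on UDP 5351, every other LAN device fully reachable); run it against a real -oG file taken on your own guest SSID to get a violation list instead of eyeballing two scans.

```python
"""Guest-network isolation check over an nmap grepable (-oG) scan.

Added example for the TP-Link forum thread above; not the forum's or
TP-Link's code.  Policy (assumption): from the guest SSID only the default
gateway may answer.  Every other host with an open port is a violation.
"""

import ipaddress
import re
import sys
from dataclasses import dataclass, field

# Constructed sample of `nmap -sS -sU -oG - 192.168.0.0/24` style output.
# Addresses are assumed: .1 gateway/firewall, .2 main AX55 in AP mode,
# .20 a NAS, .31 an IP camera.  Mirrors the thread: the AP answers only on
# UDP 5351, everything else on the LAN is reachable from the guest SSID.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http///\tIgnored State: closed (1998)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 5351/open/udp//nat-pmp///\tIgnored State: closed (1999)
Host: 192.168.0.20 ()\tStatus: Up
Host: 192.168.0.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 5000/open/tcp//upnp///\tIgnored State: closed (1998)
Host: 192.168.0.31 ()\tStatus: Up
Host: 192.168.0.31 ()\tPorts: 554/open/tcp//rtsp///\tIgnored State: closed (1999)
# Nmap done (constructed sample)
"""

# -oG port entry: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)/")


@dataclass
class HostResult:
    ip: str
    open_ports: list = field(default_factory=list)  # (port, proto) tuples


def parse_grepable(text):
    """Return {ip: HostResult} for every 'Host:' line in -oG output.

    Only ports in state 'open' count; 'open|filtered' (typical for silent
    UDP ports) is not evidence that a host answered, so it is ignored.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        host = hosts.setdefault(ip, HostResult(ip))
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":
                host.open_ports.append((int(m.group(1)), m.group(3)))
    return hosts


def evaluate_isolation(hosts, gateway_ip):
    """Return [(ip, sorted open ports)] for hosts that violate the policy.

    The gateway is the only host allowed to answer a guest client; a host
    that is up but exposes no open port is not reported either.
    """
    violations = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        host = hosts[ip]
        if ip == gateway_ip or not host.open_ports:
            continue
        violations.append((ip, sorted(host.open_ports)))
    return violations


def report(text, gateway_ip):
    """Human-readable verdict; returns the violation list for callers."""
    violations = evaluate_isolation(parse_grepable(text), gateway_ip)
    if not violations:
        print("PASS: only the gateway answered from the guest SSID")
    for ip, ports in violations:
        listed = ", ".join(f"{p}/{proto}" for p, proto in ports)
        print(f"FAIL: {ip} reachable from guest SSID on {listed}")
    return violations


if __name__ == "__main__":
    # Usage: python guest_check.py <gateway-ip> [scan.gnmap]; no file -> sample.
    gw = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    data = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_GREPABLE
    sys.exit(1 if report(data, gw) else 0)
```

The exit status makes the check usable after every firmware update: a non-zero exit means at least one non-gateway device answered a guest client, which is exactly the condition the poster found. Note that the AP's own UDP 5351 reply is still flagged, because the policy treats the AP as just another LAN host; if you decide that single port is acceptable, the place to encode that decision is an explicit allow-list in `evaluate_isolation`, not by ignoring the finding.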