Deco X20 NO Guest Network Isolation
I recently set up my TP-Link Deco X20 system, and noticed that the guest network was not isolated from other devices!
My modem/router currently does all DNS and stuff, and is connected to my printer, desktop pc, NAS, etc. with a switch. My Deco X20 units are also connected to this switch.
However, I noticed that even on the Deco's guest network, I can still print, access my NAS, and remote into my desktop computer. This is a huge security flaw. Is there a way to fix this?
I am reluctant to put all my network traffic behind my deco, since I have lots of static IP addresses in my router that would be messed up.
Diagram of my network setup:
Hi, guest network isolation in AP mode is supported on firmware 1.5.x.
For the Deco X20, there are V1, V1.2 and V2; both V1 and V1.2 have reached 1.5.0, so they support guest isolation.
For the Deco X20 V2, it is still not supported on the current firmware 1.0.9, and you might need to pay attention to the hardware you got.
Thank you very much.
The Decos are in access point mode.
The switch is unmanaged, and we have not changed any VLAN settings.
I have this same issue with essentially the same setup using the X60 Deco (in AP mode) and a TL/SG1024DE switch. Any advice?
I am also waiting for this feature.
A few thoughts on mitigating this issue in the interim would be the following scenarios:
1. Deco AP Mode (VLANs). All devices are wired into a managed switch:
Change Deco to AP mode. Use a managed switch (or VLAN-capable router/switch) to segregate at least 2 Decos on their own port/VLAN subnet. For example, all the wifi devices on the non-guest network would be attached to VLAN 1 via one of the Decos, and the guest network attached to VLAN 2 via another Deco. If you want to be able to communicate with a device on the guest network (i.e. a Ring doorbell) you can configure inter-VLAN routing for specific devices/ports only if needed.
2. Enabling WIFI on router for guest only + Deco WIFI enabled for non-guest (my least favorite)
Enable Guest Wifi on your router which likely has this option. Use the Deco for your main wifi (non-guest). I'm not keen on this one since I presume it adds unnecessary wifi interference in the home.
3. Main Deco wired. Other Decos wifi attached (use rules):
Most common setup I presume. Main Deco is wired, the others are connected via wifi. In this scenario, the recommended approach is to ensure that devices using the wifi network (guest or non-guest) have static IP addresses assigned to them so that you can control the rules for them. For all static IPs (devices you are AWARE of), allow access to internal network. DHCP addresses (guests using your wifi and/or devices connecting to your wifi using DHCP) will have access to the internet (via the gateway/router) but NOT the internal network.
At the end of the day, TPLink can enable this option to prevent people from jumping through hoops. Latest update did not have it.
I am currently using AP mode since I wanted my router to sit in front of the Deco since it has many options the Deco does not. I also did not want to use the DHCP server from the Deco (Deco does not allow us to disable DHCP server). When NOT in AP mode and using a separate router in front, it creates a double NAT with your router which I did not like (separate topic). I will be testing out option 1 soon since I now have ethernet cables which allow me to plug each Deco into its own port. Option 3 is the next best solution if you have a router or switch that supports creating rules/ACLs. Just make sure your 'Deny' rules are at the end.
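Option 3 in the post above depends on first-match rule ordering. The following Python model is an added example, not part of the original post and not the configuration syntax of any TP-Link or router product; it evaluates such a rule list and flags rules that can never fire. The subnet, the static range 192.168.1.0/26 and every address are constructed assumptions, and it assumes the rules are enforced on a device that traffic between wifi clients and wired hosts actually passes through.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the thread):
LAN = ipaddress.ip_network("192.168.1.0/24")     # whole home subnet
KNOWN = ipaddress.ip_network("192.168.1.0/26")   # statically addressed, trusted devices
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered (action, source, destination) rules; first match wins.
RULES = [
    ("allow", KNOWN, LAN),   # known static devices may reach internal hosts
    ("deny", LAN, LAN),      # everything else (DHCP clients, guests) may not
    ("allow", LAN, ANY),     # but may reach the internet
    ("deny", ANY, ANY),      # catch-all deny at the end
]

def decide(rules, src, dst):
    """Return (action, rule index) for the first rule matching src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, src_net, dst_net) in enumerate(rules):
        if src in src_net and dst in dst_net:
            return action, index
    return "deny", None      # nothing matched: fail closed

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, (_, src_net, dst_net) in enumerate(rules):
        if any(src_net.subnet_of(s) and dst_net.subnet_of(d) for _, s, d in rules[:i]):
            dead.append(i)
    return dead

# The same rules with the internal deny placed first.
MISORDERED = [RULES[1], RULES[0], RULES[2], RULES[3]]

if __name__ == "__main__":
    nas, guest, static_pc = "192.168.1.5", "192.168.1.150", "192.168.1.20"
    for name, rules in (("ordered", RULES), ("misordered", MISORDERED)):
        print(name, "guest->NAS", decide(rules, guest, nas),
              "static->NAS", decide(rules, static_pc, nas),
              "shadowed rules:", shadowed(rules))
```

With the deny placed ahead of the allow, the static devices lose internal access and the allow rule is reported as shadowed, which is the ordering mistake the post warns about.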
I like this one: Enabling WIFI on router for guest only + Deco WIFI enabled for non-guest.
Especially because I run Deco mesh on 5GHz, which means I can enable guest network on router with only 2.4GHz and will not have interference with my main network. In addition, having 2.4GHz will somewhat throttle Guest network vs. Main network, which is even better.
Also, this one is easiest to implement.
Expanding on your thoughts, that will also work even if router does not have separate Guest network, of course in that case Deco must run in Router mode. Yes, potential double NAT issue, but not every network would be impacted by it. Mine won't.
Anyway, thanks for good ideas and workarounds.
@mikers I would assume never, and it's a nice bonus when it happens.
Keep in mind this is ONLY in AP mode -- in router mode it works like a dream. I ended up just switching to router mode and dealing with the headache of re-mapping all my static-ip devices like printers, scanners, etc.
Credit where it's due, the Deco app is pretty good and makes assigning static IP easy.
Hello, has anyone got guest network isolation in AP mode from the latest firmware yet? I am planning to upgrade my home network with Deco X20 but this is an issue I am concerned about. Please respond soon!
Depends on hardware version and, possibly, region. For example, for US and Canada, X20 with hardware 1.0 and 1.2 have AP network isolation, with hardware 2.0 do not (yet?). Check TP-Link web site of your region, for Deco X20, under Support/Firmware.