IoT network issue on Deco X55
I have a fairly new 3-pack Deco X55 system, v1.6, which I really like. TP-Link just released a new firmware version (1.2.0 Build 20230113 Rel. 54525) with a separate IoT network feature, which is what I (and many others apparently) have been waiting for. It's great that TP-Link is listening!
However, I installed the new firmware, but unfortunately I think that they messed up and didn't really understand what was needed. In particular, I did some simple testing, and when logged on the IoT WiFi SSID, I can see all the devices on my main network: computers, NAS, printers, etc. IMO, the main point of an IoT network is to isolate the IoT devices from the rest of the network, so this new feature is basically useless to me as-is! Does anyone know of a workaround? If not, I'm hoping the TP-Link engineering team is listening and can fix this soon. Right now I maintain two physically separate router networks, one dedicated for IoT, but it would be great to use the Deco X55 for both functions.
Also, I really want the option of having the IoT network devices see each other, but not devices on the main network. That way, if multiple IoT devices need to talk to each other, they could do so (if I so allow), but the main network is protected. As another example, sometimes during the setup for a new IoT device, the configuring system (phone app or website) needs to be able to talk directly to the IoT device, which isn't usually possible on a guest network. If TP-Link is listening here, this should be a user-selectable option on the IoT network (as well as on the guest network, imo). I have seen older D-Link routers that had that kind of user-selectable option on their guest network, and it was very useful at times (e.g., when configuring a new IoT device).
Any input or feedback is appreciated. Thanks!
@dwhiting56;
Thanks for bringing this up. The IoT feature for the X55 was just released last week, so you are most likely one of the first users to use the feature. We always appreciate the feedback, and will always forward your feedback to our development teams.
Our team has a few questions regarding your network setup and what you are looking at:
When you see the devices from the IoT network, are you looking at a list of your networked devices on a client, or are you looking at the overall client list in the deco app?
How is your network configured? Since you had multiple routers on the network, are you using a separate DHCP server, or was one of the routers operating in AP mode?
The toggle that you mention exists on the guest network for both Deco and Archer; for Deco, the toggle for guest networks is "Allow Local Access". I believe that the setup process when it comes to adding IoT devices has been streamlined for IoT networks and that is why the toggle does not exist; however, I will pass the feedback to the team separately, as adding a toggle for the setting may be necessary for some niche situations.
Thanks for the quick response! Here are my answers:
- to check connectivity from the IoT network, I connect to that Wifi on a laptop and ping several devices on the main network. The pings succeed. I can also view the web pages for my printers and I can access my NAS, all on the main network, which should not happen if your IoT network is isolated.
- I currently have a "3 router" solution. First, I have a TP-Link AX55 which connects to the cable modem on its WAN port. Then I have both a Deco M5 mesh network (for my current IoT devices) and this new Deco X55 "main" mesh network (for my computers, printers, NAS, etc), each of which has their WAN ethernet port plugged into a LAN port on the AX55. This way, my main and my IoT networks are physically isolated. Each of the three routers has its own DHCP server, with non-overlapping IP address ranges (in particular, 192.168.205.xxx, 192.168.206.xxx, and 192.168.207.xxx). That is, each is acting as a separate router, not as an AP (although the mesh nodes for the two mesh networks -- Deco M5 and Deco X55 are effectively acting as mesh APs on their respective networks).
- For my test, I enabled the IoT network on the new Deco X55 system, connected to it from a laptop, and started pinging and accessing devices on the main network. As far as I could tell, everything was fully accessible.
Yes, please forward the suggestion for "Allow Local Access" to your team. Some IoT devices require that the configuring computer (typically a smartphone) be able to access the device directly. Also, for example, I have Google Home devices on my current IoT network to which I cast audio from my phone, but only if my phone can see the Google Home device on its WiFi connection, so in this case the feature is required, but sometimes it might be nice to turn it on or off. If you have to pick a default, then "Allow Local Access" would be my recommendation.
I hope this helps. I am very happy to discuss or explain as much as necessary to clarify. I am a software engineer, so I know that at times direct customer feedback can be really helpful.
Doug
I have attached an image with a network map for our house. You can see that the main network (Twofish, Deco X55) and the IoT network (iotaMesh, Deco M5) cannot talk to each other, but the devices on iotaMesh network (Deco M5) can all see each other.
This is what I would like, as well as that "Allow Local Access" option switch for the Deco X55 IoT network (and, imo, for the Deco X55 guest network too)
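The test described in the posts above (join the IoT SSID, try to reach main-network devices, and expect IoT devices to still see each other) can be scripted and re-run after each firmware update. This is an added example, not part of the original thread or any TP-Link tooling; the target names, addresses, ports and the policy table are constructed assumptions to replace with your own devices.

```python
import socket

# Desired policy when probing FROM a client joined to the IoT SSID:
# IoT devices may reach each other, but nothing on the main network.
POLICY_FROM_IOT = {"main": False, "iot": True}

# Constructed sample targets (documentation address ranges, not from the thread).
TARGETS = [
    ("nas", "main", "192.0.2.10", 445),
    ("printer", "main", "192.0.2.20", 80),
    ("smart-hub", "iot", "198.51.100.30", 80),
]

def tcp_probe(host, port, timeout=1.5):
    """Return 'open', 'refused' or 'blocked' for one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: the host answered, or a firewall actively rejected.
        return "refused"
    except OSError:
        # Timeout or unreachable: no connection crossed the boundary.
        return "blocked"

def audit(targets, policy, probe=tcp_probe):
    """Compare probe results with the policy and return the mismatches."""
    findings = []
    for name, segment, host, port in targets:
        state = probe(host, port)
        allowed = policy[segment]
        if state == "open" and not allowed:
            findings.append((name, "ISOLATION FAILURE", state))
        elif state == "refused" and not allowed:
            # Ambiguous: traffic may have reached the host; check by hand.
            findings.append((name, "REVIEW", state))
        elif state == "blocked" and allowed:
            findings.append((name, "UNEXPECTEDLY BLOCKED", state))
    return findings

if __name__ == "__main__":
    for name, verdict, state in audit(TARGETS, POLICY_FROM_IOT):
        print(f"{verdict}: {name} ({state})")
```

An empty result means the network behaved as the policy table says; a ping check alone would miss the "refused" case, where a reset may come from the target itself rather than from the router.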
Any update on this? I have the same exact problem and have done the same troubleshooting. It serves no purpose to have an IoT network that can still reach everything on the main network. They should be in a different subnet and have access policies that block that traffic. Like you said, like the guest network.
It does make sense to have the devices see each other when looking at the network from a Smart Home perspective, just not necessarily from a device isolation/network security perspective; as many devices are beginning to rely on local communication with smart hubs, TVs, or even fridges to create a coherent and responsive smart home - however when the devices are by default isolated from each other, it begins to break down these lines of communication that the devices rely on.
Furthermore, placing these devices on your IoT network as opposed to your Main Network, will allow for better connections on your main network as a result of the IoT devices not cutting into your overall bandwidth or sending constant traffic over your local network.
I have given the feedback to our development and R&D teams, and it was positively received by the teams, so we may see this toggle added in a future update. For now, the toggle to isolate individual devices from your network has been added, and your guest network will still be able to operate as you mentioned, with devices being isolated by default. Now that the feature is seeing a wider rollout, we may start to see improvements and additional options added.
Thanks for letting the R&D folks know about this. It would be wonderful to have that feature, especially with the two configuration options I mentioned in an earlier message, which were available on the guest networks of some older TP-Link routers (e.g., Archer C9): namely, (a) allow IoT devices to see and be seen by devices on the main network, and (b) allow IoT network devices to see each other.
However, your reasoning for the current Deco X55 IoT network configuration isn't very convincing (or is just wrong). For example:
- yes, IoT devices often want to communicate among themselves, but your list (smart hubs, TVs, fridges, etc) should all be on the IoT network, and they would need (at least) the option to communicate among IoT devices on your IoT network. Isolating those devices from my main network (computers, NAS, etc) is critical for security purposes, since IoT devices are well known to be hacked, often without firmware updates. This isolation is what I do, using 3 routers, and it isn't hard to control/manage those IoT devices when needed, whether through the vendor app/server or by connecting temporarily to the IoT network. I hoped that Deco X55 would do this for me in one mesh system, so hopefully that can still happen with a future update.
- your assertion that having an IoT network helps with bandwidth is just silly and wrong. All devices on the Deco router are using the same WiFi, so there is no extra bandwidth. Yes, I guess you could configure it so that, for example, the main WiFi used only 5GHz and the IoT WiFi used 2.4GHz, but that's true whether or not the IoT devices can see nodes on the main network, and in any case that is just dividing the bandwidth, not adding anything.
Thanks!
I'll also see what I can find out about the toggle being added for guest networks in router mode. Currently, the toggle for Allow Local Access is only available when a satellite is in AP mode, as the guest network will automatically isolate the network in router mode.
The IoT network on Deco is still a very new feature, and our teams are taking feedback on how to best implement the feature, so all this feedback is extremely useful to our teams.
And yes you are correct that they should be on the IoT network, but it often causes a problem with certain features that you use day to day - such as Casting to a Display/TV or Streaming from Local Media Servers. Meaning, if they are isolated, they should not appear in the list of available devices for casting - which is unfortunate as there has been a large shift towards adding IoT hub functionality to TVs.
This is also why there has been such a dramatic shift to new communication techniques, such as Matter and Sub-GHz, which allows a hub to be on the main network, while also providing a secure line of communication to your devices, while not being solely dependent on Wi-Fi.
@dwhiting56 I'm having the exact same problem on my Archer AX53 here in Brazil, HW version 1.0, FW version 1.1.5 Build 20230516 rel. 41162.
With my smartphone connected to the IoT wireless network, I can see and ping to all devices that are clients of the router, including the ones that are connected on the main wireless network, which should not be possible.
Additionally, when I'm connected to the main wireless network, I can't see or ping any IoT device connected to the IoT wireless network, only can see and ping devices of the main wireless network.
As it is, the clients that are connected to the main wireless network have "limited power" and the clients that are connected to the IoT wireless network have "unlimited power", seeing and communicating with all devices with no restriction, voiding the most important and declared feature of this IoT network, which should be the complete isolation of IoT devices from the rest of the network.
I've already sent a message to TP Link's support in Brazil, waiting for a fix for this problem.
@Riley_S To pile on here, the default really does need to be that any device added to the IoT network cannot talk to the main network nor talk to other devices on the IoT network. That's the secure by default design. Then features should be added as needed to temporarily allow more lax network connectivity for the whole IoT network (eg when required for some device setup), or to configure the more lax settings permanently per IoT device based on MAC address.
I just ran an nmap scan from my IoT network and I'm pretty flabbergasted. I thought all of my $10 totally-insecure IoT sensors from totally-not-trustworthy-country-X were fully isolated because they were on the IoT network ... and they are not by a long shot.
Thanks, we always appreciate the feedback, especially when there are multiple requests for a feature or product.
The device isolation for the entire network is still up in the air, I am forwarding everyone's feedback to make sure that the point is made.
Last week, the M5 received the 1.7.0 firmware which brings the device isolation features that were first seen on the Wi-Fi 7 models. This allows you to isolate select devices whether they are on the main network or the IoT network. We should begin to see the feature roll out to more models as it is now being pushed to older models via firmware updates. Previously, this feature was limited to models that were released with the 1.6.0 firmware already installed.
I am planning to spend a little time experimenting with the Device Isolation feature this week and publishing an article on how to use it. Until we receive more information regarding the long-term plans for the IoT network and the reasoning for the isolation choices, your best bet for a completely isolated SSID will be the guest network, as it isolates devices by default.