Guest network not isolated from main network

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-06-02 17:48:14
Model: Deco XE75  
Hardware Version:
Firmware Version: 1.2.5 Build 20231255 Rel. 58766

I recently got this setup and am having a problem isolating the Guest network from the Main network. From a laptop on the Guest network, I can get ping replies and connect to ports on devices in the Main network. For example, I can open up a webpage on a web server in the Main network.


The first time I set up my Deco system this successfully worked to block the Guest network from accessing the Main network and that was great. But then:

  1. I changed the mode to AP Mode to test it out.
  2. Changed it back to Router Mode and then this problem started.
  3. I factory reset both units and set up the system from the beginning. This didn't fix the problem.
  4. I factory reset both units, cleared all the storage of the Deco app on my phone and set up the system from the beginning. This didn't fix the problem.


Here are the relevant documents I reviewed:


https://www.tp-link.com/us/support/faq/1460/

https://community.tp-link.com/us/home/kb/detail/412694


I also use device isolation but this shouldn't be the problem.


So it worked the first time but since changing modes it's always broken. Why can't my Deco network isolate the Guest network from the Main network since I changed modes on step 2 from above?


I like this system but will have to return it if this problem isn't fixed. Any help is appreciated.


Thanks,

alex

1 Reply
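As an added example (not from the original poster, TP-Link, or the Deco firmware), here is a small Python checker that does, in a repeatable way, what the post describes doing by hand: run from a laptop on the Guest network, it attempts TCP connections to a list of hosts that live on the Main network and reports whether any of them answered. The addresses and ports in `MAIN_LAN_TARGETS` are constructed placeholders, not real devices; substitute your own main-LAN hosts. On a correctly isolated guest network every probe should come back blocked. The `self_check()` function verifies the probe logic offline against a loopback listener so the tool can be trusted before it is pointed at the LAN.

```python
"""Verify that a guest-network client cannot reach hosts on the main LAN."""
import socket
from dataclasses import dataclass

# Constructed sample targets on the MAIN network that a guest client must NOT reach.
# These addresses are placeholders (assumption), not devices from the original post.
MAIN_LAN_TARGETS = [
    ("192.168.68.50", 80),   # hypothetical web server on the main LAN
    ("192.168.68.1", 80),    # hypothetical router admin page
]


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a full TCP handshake completes, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # includes socket.timeout and ECONNREFUSED
        return False


def probe_targets(targets, timeout: float = 1.0):
    """Probe every (host, port) pair and collect the outcome."""
    return [ProbeResult(h, p, tcp_probe(h, p, timeout)) for h, p in targets]


def isolation_holds(results) -> bool:
    """Guest isolation holds only if nothing on the main LAN answered."""
    return not any(r.reachable for r in results)


def report(results) -> str:
    """Human-readable summary, one line per target plus an overall verdict."""
    lines = []
    for r in results:
        status = "REACHABLE (isolation broken)" if r.reachable else "blocked"
        lines.append(f"{r.host}:{r.port} -> {status}")
    verdict = "guest isolated" if isolation_holds(results) else "guest NOT isolated"
    lines.append("RESULT: " + verdict)
    return "\n".join(lines)


def self_check() -> bool:
    """Offline sanity check of the probe itself.

    A listening loopback socket must read as reachable; once it is closed the
    same port must read as blocked (connection refused).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)                   # backlog lets the handshake complete without accept()
    port = srv.getsockname()[1]
    open_result = tcp_probe("127.0.0.1", port)
    srv.close()
    closed_result = tcp_probe("127.0.0.1", port)
    return open_result and not closed_result


if __name__ == "__main__":
    if not self_check():
        raise SystemExit("probe self-check failed; results would not be trustworthy")
    print(report(probe_targets(MAIN_LAN_TARGETS)))
```

Run it once from a client on the Main network (everything should be reachable, proving the targets are really up) and once from a client on the Guest network (everything should be blocked). A target that answers from the guest side is the symptom described in the post; a target that is blocked from both sides tells you nothing about isolation, only that the service is down or filtered.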
Re:Guest network not isolated from main network
2024-06-15 11:02:23 - last edited 2024-06-15 19:24:27

@ajmxco, do you happen to have a switch in place on your network?

The reason I ask is the guest network uses a VLAN to isolate from other traffic. If your switch is not preserving or setting the tag correctly then this could be the result.

Also, you mention having device isolation on. Isolation is not the same as traditional client isolation or AP isolation options you see in other equipment.

Meaning: setting a device to isolated does not segregate it and block it from talking to any other IPs besides the gateway/internet. It sets the device to only be able to talk to any OTHER devices that also have isolation cut on.

 

So if I have device A, B and C... and A and B have isolation cut on, but C doesn't— A and B can talk to each other, but nobody can communicate with C.

 

In most situations, having A and B with isolation on would mean that A can't see or talk to anyone else, B can't see or talk to anyone else... and C can't see or talk to either A or B. So it pretty much can't see anyone else... unless D joins and doesn't have isolation on... then it would be able to see and talk to D. In most implementations, client isolation applies to all devices on the SSID on which it is set. All or nothing. Each device is an island. 

 

In this way, the Deco's version of device isolation is really the same as putting those devices on a separate SSID/guest network without actually having to put them on a different SSID/network than your other traffic.

The only benefit that I could think of there is if you already had, like, 100 IoT devices already configured to connect to a single/main wireless network and you wanted to now segregate those devices from your personal devices without having to go and reset and reconfigure every one of the devices to connect to a different SSID, which would be a huge pain.

So in other words, it's pretty much dynamically putting all those now "isolated devices" on their own VLAN for security. I'm not sure on this, but I also think any isolated devices can also talk to the devices on the IoT network and vice versa... and the actual guest network acts in a way that traditional AP/client isolation does. That is, anything on the guest network cannot talk to anything else: nothing else on the guest network, nothing on the main and/or IoT networks, and it can't talk to any devices with isolation cut on.

 

The implementation is about as clear as mud. They've taken concepts and technologies that are and have been in use for a long time and sort of combined them, renamed them, usually both... so even if you are very familiar with those things, you'll be confused by this.

So anyway, all that said, I think the root of your issue is VLAN or VLAN-ish.

Edit: Confirmed with their documentation - devices that are in Isolation mode are able to talk across all 3 networks: main, IoT and guest. So if you have the isolation option on the devices you're having issues with, I would start by cutting that OFF and trying again.

Remember that in their implementation, there seems to be no subnetting, so there is, as far as I can tell, no differentiation between connected devices other than some software controls.

If they're all on, say, 192.168.1.x, regardless of SSID, then the Deco must be the thing that keeps them from talking or allows it. There is no actual "routing" in a traditional sense, that is, moving traffic between subnets via routing tables, gateways and subnet masking.
