Guest wifi/AP isolation in AP mode

[taured]

Having a router in AP mode:
Guest wifi clients can ping each other + main router.
If I turn on the AP isolation option: wifi clients can't reach each other but they can reach the main router.
Is this a normal behavior?

 

[ColinTaylor]

Yes this is normal behaviour.

 

[OzarkEdge]

Having a router in AP mode:
Guest wifi clients can ping each other + main router.
If I turn on the AP isolation option: wifi clients can't reach each other but they can reach the main router.
Is this a normal behavior?

Guest networks defined on the wired AP have access to its WAN port... access to the main router LAN/WLANs/WAN/Internet... so, not good enough to isolate guests from your intranet.

Guest networks defined on the main router have access to its WAN port... typically just the Internet.

OE

 

[taured]

So basically guest wifi in AP mode is useless, better off using the ap isolation option if you have some smart devices

 

[ColinTaylor]

So basically guest wifi in AP mode is useless, better off using the ap isolation option if you have some smart devices

Don't confuse AP isolation with Intranet access. A normal access point has no way of restricting access on the intranet it's connect to. That's why the option "Access Intranet" disappears from the GUI when in AP mode. AP isolation is a function of the Wi-Fi chip and restricts client to client communication on a given SSID.

If your main router and access point are both Asus devices supporting AiMesh you can configure the access point as an AiMesh node and extend an isolated guest network from the main router to the node ("Sync to AiMesh Node").

 

[taured]

Don't confuse AP isolation with Intranet access. A normal access point has no way of restricting access on the intranet it's connect to. That's why the option "Access Intranet" disappears from the GUI when in AP mode. AP isolation is a function of the Wi-Fi chip and restricts client to client communication on a given SSID.

If your main router and access point are both Asus devices supporting AiMesh you can configure the access point as an AiMesh node and extend an isolated guest network from the main router to the node ("Sync to AiMesh Node").

Yes I know (layer 3) but as far as I know even with isolated guest network enabled on the main router I can still access that intranet if connected thru vpn to the main router.
Given that all the smart devices are connected thru wifi I guess the best option is to enable ap isolation so those devices cannot communicate with anythting else.

 

[ColinTaylor]

Yes I know (layer 3) but as far as I know even with isolated guest network enabled on the main router I can still access that intranet if connected thru vpn to the main router.
Given that all the smart devices are connected thru wifi I guess the best option is to enable ap isolation so those devices cannot communicate with anythting else.

Sorry, you seem to be talking about something different now. You didn't say anything about connecting to the router through a VPN. I thought we were talking about guest networks configured on an access point.

 

[taured]

Sorry, you seem to be talking about something different now. You didn't say anything about connecting to the router through a VPN. I thought we were talking about guest networks configured on an access point.

Sorry, wanted to learn about different scenarios. My goal is to isolate some smart devices even if connected thru vpn.

 

[ColinTaylor]

Sorry, wanted to learn about different scenarios. My goal is to isolate some smart devices even if connected thru vpn.

I see you already have a thread discussing VPN access here so I'll leave that discussion to that thread.

In that other thread you say that your access point is an RT-AC51U which is not AiMesh compatible. Therefore you cannot create guest networks on it that are isolated from your main intranet.