AP access restrictions


#1

I am using a group of AP One Mini access points behind a Balance 210. The 210 is running firmware 6.3.3. The access points are running 3.5.2 and 3.5.3.

We have an internal SSID and a guest SSID. I need to block the guest SSID from our LAN and also our PepVPN routes. I went to AP > wireless SSID > guest and clicked the question mark to get to the advanced settings. I still don’t see any settings to block subnets, hours of operation, etc.

I know these restrictions can be done by logging directly into the access point, but then the AP Controller in the router won’t work so changing passwords for multiple devices becomes a lot more work. How do I change those settings in this method? If I upgrade the router to 7.0, will those settings become available?


#2

I would think you could just disable the inter-VLAN routing on your guest VLAN. That limits them to only the internet and other guests. You can enable layer 2 isolation to keep them from talking to each other.

You could also create firewall rules to block access. The bottom group of rules should be internal. I assume since your router has VLANs, it would have these options. V7 does for sure.


#3

Jones - yes, that would work if I was using a VLAN, but I’m not doing that. All one LAN. The access points are in AP mode, not router mode, so each client gets an IP on the primary LAN. This was all an easy thing to configure with prior AP firmware; you could specify subnet blocking. It appears that option has gone away.

I updated the router to 7.0, and the AP devices to 3.5.4. I still don’t see the subnet blocking that the old firmware had. I also tried moving to InControl2 instead of using the router to control. InControl2 has an option to deny LAN access which solves one problem, but I need to deny PepVPN routes as well.


#4

Gotcha. I began using Peplink right before 6.something. My apologies for the confusion/mixup.

Now, to accomplish what you want, I believe you create outbound policies for PepVPN stuff (I believe one or two algorithms support it, but I could be wrong). They can be further secured by internal firewall rules. I didn’t have much luck with my PepVPN stuff, but I don’t really have a remote endpoint to play with. I would love to try out a SpeedFusion setup. Wink wink.

You can try your luck at moving your wireless traffic to a separate VLAN. Depending on your requirements for UPnP and other automated service discovery protocols, it might do exactly what you want by disabling inter-VLAN routing, or using outbound policies, or internal firewall stuff. It worked great except for some mobile device application/device-specific incompatibilities. You may have better luck, and I hope that you do.