Curious about client isolation on a guest or IoT VLAN. On a Peplink router, I don’t see a way of doing native client isolation (where one client on the network sees itself and the router but not the other clients), which is necessary for me in a setup I am doing. I have found some articles on this community that are very old and mention L2 client isolation for Peplink APs, but I do not have those; I am using a third-party AP that broadcasts several VLANs. How can I do client isolation at the router level?
For stopping routing between the VLANs on the Peplink you can do this a couple of ways:
- Disable the “inter-vlan routing” option on the VLAN config.
- Add some firewall rules to drop traffic between the subnets.
- Do both of the above for good measure.
As for layer 2 isolation, that will need your third-party AP to support that configuration, as the Peplink plays no part in passing traffic between clients attached to the same SSID on that AP: it is more likely than not that any traffic between two devices on the same SSID will just be forwarded internally within the AP rather than placed on the wire and returned.
Will summed it up nicely. I would suggest option 3 for sure. I have a couple of other thoughts/notes that may be helpful.
To expand on what Will said, client isolation is more of an AP feature than a router feature. That is because at the router level it cannot completely isolate clients within the same LAN/VLAN. For example, any device hooked into the network via Ethernet and a switch can see other devices on the same switch at a minimum. The clients do not need to pass through the router to reach another device on a switch. The router also should not block traffic passing along the same subnet that passes through its Ethernet ports, because of the previous example (unless there are weird rules that I am not thinking of). If you have to traverse subnets, the router can step in there to block, as that is inter-VLAN routing. Given you are talking about an AP, I am guessing this is not your use case; this is just more general knowledge. Client isolation is possible from the AP, as Will stated.
I would think most third-party APs support some form of client isolation. I have a TP-Link Omada AP that has a “guest mode” that provides client isolation within a VLAN. Works great with my Peplink router. Most consumer routers also offer a guest mode that provides isolation, which I would suspect works in bridge mode (though they likely do not support VLANs). Look for a guest mode or something similar in the settings. If it does not support it, I would unfortunately recommend getting a different AP. It should be a fairly standard feature at this point, especially if the AP supports VLANs.
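The two replies above make one point between them: disabling inter-VLAN routing or adding firewall rules only affects flows that cross subnets and therefore transit the router, while two clients in the same VLAN reach each other at layer 2 through the switch or AP and never give the router a chance to block them. The script below is an added example, not code from this thread or from Peplink; the VLAN plan, the inter-VLAN routing flags, the deny list and the host addresses are all constructed, and the rule that a flow is blocked when either side's VLAN has inter-VLAN routing off is an assumption about how the option behaves. It classifies each host pair by which device can actually enforce isolation for it, so you can see at a glance which pairs still need AP client isolation or switch port isolation after the router is configured.

```python
"""Classify host-to-host flows by which device can isolate them.

Added example for the Peplink client-isolation thread (not the project's
own code). The VLAN plan, policy flags and host addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: name -> subnet.
VLANS = {
    "lan": ip_network("192.168.10.0/24"),
    "guest": ip_network("192.168.20.0/24"),
    "iot": ip_network("192.168.30.0/24"),
    "mgmt": ip_network("192.168.40.0/24"),
}

# Constructed router policy, mirroring the replies' "do both" advice:
# inter-VLAN routing disabled on the guest and IoT VLANs, plus explicit
# firewall deny rules between those subnets and the LAN for good measure.
INTER_VLAN_ROUTING = {"lan": True, "guest": False, "iot": False, "mgmt": True}
FIREWALL_DENY = {("guest", "lan"), ("iot", "lan"), ("guest", "iot")}


def vlan_of(addr):
    """Return the VLAN name whose subnet contains addr, or None."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def classify_flow(src, dst):
    """Classify a src -> dst flow by who can enforce isolation.

    Returns one of:
      "l2-only"        same VLAN: the flow never reaches the router, so only
                       AP client isolation or switch port isolation can block it
      "router-blocked" different VLANs and the router policy drops it
      "router-allowed" different VLANs and the router forwards it
    """
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        raise ValueError(f"address outside the known VLAN plan: {src} -> {dst}")
    if s == d:
        return "l2-only"
    # Cross-subnet traffic must transit the router. Assumption: turning
    # inter-VLAN routing off on either VLAN stops the flow, and so does a
    # matching deny rule in either direction.
    if not INTER_VLAN_ROUTING[s] or not INTER_VLAN_ROUTING[d]:
        return "router-blocked"
    if (s, d) in FIREWALL_DENY or (d, s) in FIREWALL_DENY:
        return "router-blocked"
    return "router-allowed"


def isolation_gaps(hosts):
    """Return host pairs the router cannot isolate (need AP/switch isolation)."""
    gaps = []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if classify_flow(a, b) == "l2-only":
                gaps.append((a, b))
    return gaps


if __name__ == "__main__":
    # Constructed hosts: two guest clients, one IoT device, one LAN PC.
    hosts = ["192.168.20.11", "192.168.20.12", "192.168.30.5", "192.168.10.2"]
    for a in hosts:
        for b in hosts:
            if a != b:
                print(f"{a} -> {b}: {classify_flow(a, b)}")
    print("pairs still needing layer 2 isolation:", isolation_gaps(hosts))
```

Run it and the only pair reported as a gap is the two guest clients in the same /24: every other pair crosses a subnet boundary and is stopped by the router policy. That is exactly the situation the replies describe, where the guest-to-guest case has to be solved on the AP (guest mode / client isolation) or on the switch (port isolation), not in the router's VLAN or firewall settings.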
Client isolation in Peplink could be useful if you have switches with port isolation, which Cisco calls private VLANs, which is similar functionality to only communicate upstream, not between devices, and if you also have APs with appropriate functionality. For example, on the low end, TP-Link Deco has wireless isolation functionality (sometimes called AP or device isolation or other names) where no device can talk with another one, but only communicate upstream outside of Deco. (I’ve noticed this on some newer Decos but don’t have any personal experience with it.)
However, switches with port isolation functionality tend to be enterprise level with commensurate price tags. And if you are going to spend that type of money, the expectation is you are going to utilize VLANs and have APs that support VLANs.