Help With Guest Network


#1
  1. I know this has been discussed a lot and I have read many posts. But I’m still confused. This is what I’ve gleamed. “Layer 2 isolation” will separate wifi clients from each other and “guest protect” will keep them from seeing the wired clients. But I also read “guest protect” had to be supported by the router. My AP One AC Minis have a setting for “guest protect” > “block LAN access”. Does this not work unless you’re using a supported Peplink router? Or does it only work when you’re using your APs in “router” mode?

  2. Is there a way to identify wifi clients that should have full access to the LAN vs. guest clients that should only have internet access when using the same SSID? MAC filtering doesn’t seem to be the answer. It simply allows or denies access to the LAN, not a distinction between full access and guest.

  3. Is the best or only way to isolate guest wifi clients to the internet, to give them a separate SSID to connect to and then enable layer 2 isolation along with guest protect block LAN access?

Thanks.


#2

Layer 2 isolation is blocking the communication between Wifi clients within the same SSID.

Guest Protect is blocking the communication below:-

  • Wifi clients <—> wired clients within the same Vlan.
  • Wifi clients <—> clients from other Vlans

You should seperate LAN clients and guests into 2 different SSIDs and Vlans. Then enable Guest Protect as mentioned above.

I provided my answer in question 2 above.

Hope this help.


#3
  1. For my CenturyLink internet connection I have to have my WAN set to VLAN 201 in my router. Will everything still work OK if I set my full access LAN wifi SSID to VLAN 0 and set my guest wifi SSID to VLAN 1?

  2. Will just enabling “guest protect”>“block LAN access” in the SSID work or do you also have to have this setting checked in a Peplink router? I currently don’t have a Peplink router, though I will probably purchase one.


#4

Can you provide detail info for the mention setup above ? Are you referring to changing the VLAN setting for the LAN network ? If you referring Peplink device, changing VLAN setting for LAN will not affect anything for the WAN.

Please refer to the forum post URL below. Diagram included in the forum post that explaining the “L2 isolation” and also the “Guest Protect”.

https://forum.peplink.com/threads/4495-LAN-isolation-with-Balance30-and-AP-One-AC-mini-help-needed?highlight=guest+protect

Thank You


#5
  1. Here is a screenshot of the setup page of my current router where the VLAN is set to 201. I thought that was a WAN setting. Perhaps I’m mistaken. Somehow that setting is needed however to connect to CenturyLink fiber optic service. Could I just create the VLAN 0 and VLAN 1 using the access points for the wifi clients? Do they then also get tagged to VLAN 201 when they use the internet?


  1. Aren’t there guest protect settings in both Peplink routers and Peplink access points? Do I need both to prevent wifi guests from accessing the LAN computers?

#6

Base on the screenshot given, guessing it should be related to the WAN settings. If that is correct, WAN VLAN settings should not affect the LAN settings. WAN VLAN is the VLAN that need to use to connect to the service provider.

L3 Routing will be use when forwarding network traffics from LAN network (Multiple VLANs) to the WAN connection and doesn’t matters how many VLANs defined for the LAN. Normally NAT will be performed when traffics send from LAN to WAN.

Guest protect setting only available or need to enable for the Peplink access point (APs). This will help to prevent WIFI guests access to any private IP for the LAN network.

For Peplink router, basically you need to enable firewall rules to block Guest VLAN to access LAN networks.

Thank You


#7

Thank you. You’ve been very helpful.


#8

You can also restrict how much bandwidth your guest network is allowed to use if you don’t want your guests doing any illegal downloading.