Is total isolation for a guest network client possible?


Is it possible to totally isolate a WiFi client such that they can see the Internet and nothing else?

In another posting here, user sitloongs was kind enough to help me setup an SSID on its own VLAN. That worked great. But each WiFi user on that VLAN-isolated SSID can see other devices on the same SSID.

Is there a way to prevent that?

By way of comparison, TRENDNET calls it “Wireless Client Isolation”

TP-LINK calls it “Allow Guests to See Each Other”

Layer2 Isolation is not the answer. While it is not clear to me what Layer2 isolation does, it definitely does not do this type of isolation.

I realize there may be multiple answers to this, one for low end models like SurfOnTheGo and Surf SOHO, another for higher end models and yet another for Peplink APs.
Thank you.

Isolate WLAN from LAN - Surf SoHo


So essentially you do not want guests from seeing each other (from the same LAN network). I am not 100% convinced that we do, but I will forward to engineering to get there thoughts.


Yes, correct. The question is whether a WiFi client can be isolated to the point that it can’t even see other devices on the same SSID.


Hi Michael,

Layer 2 Isolation is a right feature for you. You may find here for details explanation. If APs are managed by Balance router, you may enable to via AP > Wireless SSID > Select SSID > “?” of SSID Settings > Layer 2 Isolation = Checked.


I had tested this in the past and found that it didn’t work,but I just tested again on a Surf SOHO with firmware 6.2.2 and you are correct. With Layer 2 Isolation on an SSID, a client of that SSID only sees the router and itself.
Thank you.


I turns out this is more complicated than it seems at first. I had tested Layer 2 isolation multiple times and found that it did not isolate anything. Then, when you suggested again, I tested again and found it worked.

I turns out that it works on an SSID in its own VLAN but that it does not work on an SSID that is not part of a VLAN.
It may be that the isolation is within the SSID, but it certainly does not extend to Ethernet connected devices.
Again, I tested on Surf SOHO with firmware 6.2.2 build 1790.
Is this by design?

Thanks in advance.


Hi Michael,

Yes this is the design. Layer 2 Isolation is blocking the Wifi users within a SSID. If you need to extend the blocking to Ethernet connection, please enable Guest Protect (AP > Wireless SSID > Select SSID > Guest Protect). I have provided explanation here.