LAN isolation with Balance30 and AP One AC mini... help needed

Hi there.

I have an AP One AC mini being controlled from a Balance 30. I can’t seem to create an SSID that will enable me to isolate connected Wireless Clients from the LAN.
LAN is
I have checked the “Layer 2 Isolation” checkbox on the Balance30, but I still can connect to local computers on the LAN from the AP (i.e.

As a side-note…
The only way I have managed isolation is by (on the AP interface, not the balance 30) checking the Layer 2 isolation checkbox AND entering on the “Guest Protect / Subnet” textbox. But I need to have the AP controlled by the Balance30 and as soon as set the Balance30 as the controller, all SSID settings on the AP get (obviously) overridden by the Balance30, and the Balance30 does not have the “Guest Protect” options.

I know that I am not trying to do anything new here, so any help would be greatly appreciated.


Hi Cris,

Guest Protect is a feature that meet your requirement. However this is available for Balance 305 and above. Please consider mid range model. You may find our product comparison here.

Thank you so much for the prompt reply. Tough luck that this option is not available in lower-models.

What I wanted to confirm is that I’ve read in many threads that lower-level Balances (i.e. balance One or Balance20) can do this with the layer 2 isolation option.

Can you confirm that on the balance 20 it is not possible to isolate Wireless Clients from the LAN, enabling them ONLY to use the internet, but not the local network?

thank you,


Hi Cris,

Please find the attached. X (red cross) represents blocking for L2 Isolation and X green cross represents blocking for Guest Protect (Block All Private IP). Balance 20 only support L2 Isolation.

Hope this help.


Yes, this clarifies things more.

Thank you!


Potential customer here: Please link to documentation showing that the Peplink Balance One router has this “Guest Protect” option. Or if it doesn’t at all.

I’ve been unable to find out either way.



We don’t support Guest Protect on Balance One. Please find my suggestion here.

1 Like

The solution proposed by TK is not really an alternative. Layer 2 isolation (which is the only one you have on the Balance 30) is not the same as the guest protect. At least from what I could find out, and is explained in his own graph, it only stops clients to talk top each other, not accessing the rest of the LAN.
The Balance 30 does not support guest protect, this is not clear in the documentation and was a bummer for me. Peplink needs to clarify this much better. But I have been able to solve the issue by creating two different SSIDs on two different VLans, and then using one VLAN as guest and another as private. You need to configure the Balance accordingly.


Thanks Cristian for explaining this in a way that makes sense to me.

I agree that Peplink needs to be much clearer on the fact that Guest Protect (and assume other unstated AP management features) are not supported on units below 305. Better yet, don’t nickel and dime us on such silly limitations. Not a happy customer from this point of view, as I bought multiple Peplink APs expecting them to work with (i.e. controlled centrally from) our already installed Peplink routers (all below 305).

Not exactly a solution, a workaround, however … you can get Guest Protect functionality below 305. You have to give up management by the controller and manage the AP directly. In that case, Guest Protect is available and works. Not ideal, but something.

Also faced with the same dilema of needing Guest Protect on my network. I have a Balance 30 and love the ability of purchasing APs (currently have 4) and just connecting them to my network and having them auto configure themself.

Ransomware is a real threat these days and when u have friends over connecting to your network really exposes you to this stuff.

I am fully aware that I can have the APs manage themself and I have the option to turn on Guest Protect that way, but that seems really redundant when simply including the option for the controller to enable a feature thats already available on my APs. I just cant justify spending $2000 to purchase a Balance 305 for a feature I have already on my APs, all I am asking for is the option to allow my Balance 30 to continue controlling my APs while allowing me to enable Guest Protect on my APs.

I have always been loyal to Peplink. All my customers I basically demand they buy Peplink products due to the awesome support and just great overall reliability.

Spent the past week trying to setup Vlan to get around this issue but its overwhelming me… Reading about how to do it on the peplink device and how to get it configured on my Cisco 200 Series Smart Switch etc… trial and error etc etc etc… PEPLINK, PLEASE TAKE MY PAIN AWAY !!!

Hi all,

We target to support Guest Protect on AP Controller Lite on v7.1.0. No ETA for v7.1.0 at the moment since we are focusing on v7.0.1 now. Stay tuned!

1 Like

The Lite version of the AP Controller now supports SSID Guest Protect for both local AP’s and external AP’s.
This is introduced in firmware version 7.0.2 (which is in Beta at the time of writing this).