Layer 2 Isolation Pepwave Surf SOHO Firmware 7.0.0

I’m curious about some differences I see between InControl and the device admin client on the Pepwave Surf SOHO.

  1. InControl shows WPA2 - Personal as having TKIP/AES:CCMP while the device client shows AES:CCMP

Are these meaningful differences in the settings that happen to be inconsistent between administration clients or a typo/misinformation?

  2. InControl shows me a Layer 2 Isolation checkbox option on my SSIDs while the device client does not.

Is InControl the only way for me to utilize Layer 2 Isolation or is there a way to do it on the device client?

Click the blue ? in the upper right side of your 1st image. A message will be displayed “To set SSID advanced settings, please click here.” Click the link “here”. You can then enable Layer 2 Isolation locally on your Surf SOHO.

Please note the layer 2 isolation only applies to wireless devices on the same physical SSID radio. An iPhone and a Macbook connected to the same AP will not be able to see each other. However, they will be able to see devices in the same subnet connected through an ethernet connection, including devices on other APs. If you require more isolation, you will need to configure additional rules in Advanced > Firewall > Internal Network Firewall Rules.

3 Likes

Thanks! I found it. (That does seem like a strange UI decision to put the advanced options under a “?”, which generally denotes “help” or additional “info”.)

Thanks for the info on the Layer 2 Isolation as well. I may need a bit more clarification.

I currently have 3 LANs set up (1 untagged and 2 VLANs). I have matching SSIDs for them. Both the VLANs have “Inter VLAN routing” turned off which I assumed would not let them see outside of their own VLAN and that the Layer 2 Isolation would not let them see other devices within the VLAN.

In my case all devices are wireless with the exception of a home server on the non-VLAN network.

The goal is that all the devices on a VLAN have complete isolation (they can’t see each other inside their own VLAN and can’t see outside of the VLAN) and that the home network can see everything inside its network.

I also have the switch set up like this with the trunk being the home server. Not sure if that’s working as I intend or not…

(That does seem like a strange UI decision to put the advanced options under a “?”, which generally denotes “help” or additional “info”.)

You will get used to this pretty quick as you configure your network. The more interesting and/or advanced features are usually found through links in the ? bubbles. I find myself clicking them whenever I see one, looking for more features.

Both the VLANs have “Inter VLAN routing” turned off which I assumed would not let them see outside of their own VLAN

With Inter VLAN routing turned off for a given VLAN, any client devices on that network will only be able see other devices on that network and the gateway (aka internet).

and that the Layer 2 Isolation would not let them see other devices within the VLAN.

If the SOHO’s AP is the only physical AP on your network, then client devices on that SSID will not be able to see each other.

The goal is that all the devices on a VLAN have complete isolation (they can’t see each other inside their own VLAN and can’t see outside of the VLAN)

Again assuming the SOHO AP is the only physical AP on your network, your configuration should A) isolate wireless clients from each other and B) isolate clients on VLAN2 and VLAN3 from the other two networks (Untagged and VLANx).

the home network can see everything inside its network.


I also have the switch set up like this with the trunk being the home server.

You will probably need to set LAN Port 1 to Access and Untagged LAN rather than Trunk and Any. If your server’s IP is 192.168.0.x and you are not running VMs with IPs in VLAN2 or VLAN3, there really is no need to trunk traffic to that port. More so, the NIC may not even support 802.1Q tags and/or be configured for such, so you couldn’t even send tagged traffic if you wanted to. With an IP in the Untagged VLAN (192.168.0.x) and Inter VLAN routing enabled, you will be able to communicate with properly configured devices on VLAN2 and VLAN3 from the server.

3 Likes

Great, that seems to get me where I want to go.

The Pepwave Surf is indeed the only physical AP.

I don’t really understand the trunk/access for VLANS, so I was shooting blind there.

Thanks for the help!

1 Like

Hi Louis,

Would you be able to shed further light on “However they will be able to see devices in the same subnet connected through an ethernet connection, including devices on other APs.”?

If I have understood you correctly, if devices are connected to an SSID with Layer 2 isolation, the devices would not be able to communicate. If a device is connected to the ethernet port and is part of the same subnet as the devices connected to the SSID, both the devices on the SSID and ethernet port would be able to communicate. If yes, why is this?

Do you also mean to say that the device connected to the ethernet port would be able to communicate to devices on a different SSID and subnet?

This was based on my own testing from early 2016. I had a group of wireless clients and wired clients on the same VLAN. With the option enabled, the wireless clients could not see each other, as expected. However, they could see the wired clients on the same VLAN. Moving those wired clients to a separate VLAN (with a firewall rule in place to prevent VLAN crosstalk) made the wired clients invisible to the wireless clients, independent of the Layer 2 Isolation setting.

I surmised that the Layer 2 Isolation was only applied “in” the wlan segment by the AP controller. Frames coming in from “any” wired segment did not appear to be evaluated for Layer 2 Isolation by the AP controller. This was not a critical configuration for my application, so I did not submit a ticket with Peplink to investigate. It’s possible I have a misconfiguration elsewhere on the network which allows wired clients to be visible to wireless clients regardless of the Layer 2 Isolation setting.

1 Like

Thanks louisbohn. Out of curiosity, why did you need to enable firewall rules to prevent VLAN crosstalk if inter-VLAN communication is disabled (unchecked)?

Would you be able to provide guidance on restricting VLAN access?

Inter-VLAN communication can be disabled using either method. The checkmark option in the Peplink UI is the simplest and easiest. It is a complete bi-directional block.

Alternatively using the Internal Firewall method, you set a default rule to block everything but then poke holes for certain machines or services or direction with additional rules, as necessary.

1 Like

Thanks louisbohn. I was not aware of that. I had assumed that inter-VLAN communication was Layer 2 and firewall rules were Layer 3. I assume that to block everything via the firewall rules, the internal firewall rules would have to be disabled since the device has it enabled by default. If this is blocked, does it prevent communication between clients on the same VLAN and subnet?

Are there reasons as well as benefits in using one method over another?
Can both methods be used at the same time? If yes, why and when? If no, why?

If internal firewall rules are used to block inter-VLAN traffic (Layer 3), devices on the same VLAN can talk to each other fine (Layer 2).

It’s easier to tick a check box to block traffic to/from a VLAN. You wouldn’t use them at the same time. Firewall rules allow more routing logic granularity.

2 Likes
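A small Python model of the reachability rules discussed in this thread (Layer 2 Isolation acting only between wireless clients, as in the early-2016 test above, plus the Inter VLAN routing checkbox versus internal firewall rules). This is an added illustration, not Peplink code or the Surf SOHO’s actual forwarding logic; it assumes the SOHO is the only AP, treats the checkbox as a symmetric block, and models firewall “holes” as plain source/destination IP pairs, with hosts and addresses constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Host:
    name: str
    vlan: str        # "untagged", "vlan2", "vlan3" (constructed names)
    wireless: bool   # True if associated to the SSID mapped to that VLAN
    ip: str

@dataclass
class SohoConfig:
    l2_isolation: set        # VLANs whose SSID has Layer 2 Isolation ticked
    inter_vlan_routing: set  # VLANs with "Inter VLAN routing" enabled
    fw_default_allow: bool = True               # internal firewall default rule
    fw_allow: set = field(default_factory=set)  # (src_ip, dst_ip) holes when default is deny

def can_reach(src: Host, dst: Host, cfg: SohoConfig) -> bool:
    """Decide whether src can see dst under the behaviour described in the thread."""
    if src == dst:
        return True
    if src.vlan == dst.vlan:
        # Same broadcast domain: the only control is Layer 2 Isolation, applied by the
        # AP only between two wireless clients; a wired client on the VLAN stays visible.
        if src.wireless and dst.wireless and src.vlan in cfg.l2_isolation:
            return False
        return True
    # Different VLANs: routed by the SOHO, so the checkbox (modelled as a complete
    # bi-directional block) and the internal firewall must both allow the traffic.
    if src.vlan not in cfg.inter_vlan_routing or dst.vlan not in cfg.inter_vlan_routing:
        return False
    if cfg.fw_default_allow:
        return True
    return (src.ip, dst.ip) in cfg.fw_allow

def reachability(hosts, cfg):
    """Return {(src.name, dst.name): bool} for every ordered pair of distinct hosts."""
    return {(a.name, b.name): can_reach(a, b, cfg) for a in hosts for b in hosts if a is not b}

# Constructed topology mirroring the thread: wired server on the untagged LAN,
# wireless clients on VLAN2/VLAN3, plus one wired client on VLAN2.
HOSTS = [
    Host("server", "untagged", False, "192.168.0.10"),
    Host("phone", "vlan2", True, "192.168.2.20"),
    Host("laptop", "vlan2", True, "192.168.2.21"),
    Host("printer", "vlan2", False, "192.168.2.30"),
    Host("tv", "vlan3", True, "192.168.3.40"),
]
# Thread configuration: isolation on both VLAN SSIDs, routing enabled only for the untagged LAN.
CFG = SohoConfig(l2_isolation={"vlan2", "vlan3"}, inter_vlan_routing={"untagged"})
```

Comparing `reachability(HOSTS, CFG)` against a real ping/ARP sweep from each client is a quick way to confirm whether a given firmware applies isolation to wired peers or not.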

Does this mean that when the default internal firewall rules are set to “Deny”, all inter-VLAN traffic is blocked?

If I uncheck the option to disable inter-VLAN communication, my understanding is that firewall rules can be defined (I have posted another question on the topic as it does not function as expected).

If I check the option to enable inter-VLAN communication, I assume I can use firewall rules to restrict the flow of traffic to specific hosts.

Yes.

Yes

Between VLANs yes. Not between hosts on the same VLAN of course.

1 Like

Thanks Martin. How are unchecking and checking the option to disable and enable inter-VLAN communication different if I can use firewall rules in both scenarios to permit communication?

If I wanted to prevent communication between hosts, how can this be achieved?

If they are wireless clients you can turn on layer 2 isolation. If they are wired clients all you can do at the moment is use on-host firewalls.

1 Like

Thanks. Is it your experience as well that there is no isolation between Wi-Fi and wired connected devices?

I don’t use layer 2 isolation so have not tested it. @James_Webster would know for sure.

1 Like

If Layer 2 isolation is enabled, can there be a whitelist? For example, between a PC and another device on the network both of which are on Wi-Fi? Will the firewall rules support this? I take it no they wouldn’t, since it is layer 2.