Pepwave AP - Block LAN Access

nkatts · May 12, 2021, 3:22pm

Hello! I am testing out a Pepwave AP One Mini, hoping to deploy these APs for a number of my clients. I do NOT have a Peplink router in place in this test scenario, just a single Pepwave AP One Mini connected to a simple non-Peplink router.

I trying to create a guest SSID that allows guests to access the internet but not access anything else on my LAN. I created a SSID via incontrol2 and selected both “Layer 2 Isolation” and “Block LAN Access”, but I can still ping other devices on my LAN when connected to that SSID. Perhaps I need to have a Peplink router in place for this feature to work? It doesn’t seem to mention anything about such a requirement in the Pepwave AP manual.

Thanks!

Jonathan_Pitts · May 12, 2021, 4:01pm

What device is handing our the dhcp addresses?
What is the ip range for the guest ssid?
What is the ip range for the lan ssid?

nkatts · May 12, 2021, 4:05pm

Hi Jonathan,

The router is handing out the IP addresses via DHCP, the Pepwave is just set as an AP. The router is just handing out 192.168.1.0/24 range IP addresses regardless of what SSID you connect to, I don’t have any VLANs set up.

Thanks

Jonathan_Pitts · May 12, 2021, 5:23pm

In your router ,you need to have different ranges for each ssid and pass the vlans to the ap for the feature to work as you expect.

Don_Ferrario · May 12, 2021, 7:24pm

This is easy, its built into your AP One. AP > Wireless SSID > SSID name

Slide down to the bottom of the SSID settings to Guest Protect. Click the box that says Block LAN access, activate changes, and you’re done.

nkatts · May 16, 2021, 5:03pm

Thanks Don_Ferrario that’s what I had been trying but it didn’t seem to be working. I have come back to it now and it does seem to indeed block access to other devices on the local network!

nkatts · May 18, 2021, 9:49am

So I’ve done some further testing and this is what I found.

SITUATION 1: Peplink Balance Router acting as DHCP (no VLANS set up) with AP One managed through AP Controller in the Balance Router

In this situation when I clicked “Block LAN Access” on the AP it worked even when I did no special setup on the Balance and it had no VLANS and a single IP range

SITUATION 2: ISP Provided Router acting as DHCP with AP managed through InControl

In this situation when I clicked “Block LAN Access” on the AP it didn’t seem to have any effect and I was able to access LAN ips

Any thoughts on this? Seems that maybe a Peplink router is required even though there is no special setup needed on the router? Is there no way to get block LAN access to work if the AP isn’t behind / being managed by a Peplink router?

Thanks

Jonathan_Pitts · June 9, 2021, 7:33am

You can try Block All Private IP

but I suspect what will happen is that the packet will still flow up to the isp router see that it’s on the same subnet and then direct access it.
Other options would be if the ISP router has a firewall to prevent traffic flowing between lan ip’s

Other option would be to put your AP in router mode instead of bridge mode, having the AP hand out a different ip range, then you may have more control on blocking.

nkatts · June 23, 2021, 1:22pm

I had the Block All Private IP working when I had the AP configured for local or AP controller management, it just wasn’t working for InControl management. I submitted a ticket to Peplink support and they applied a patch, so it is now working when AP is being managed by InControl as well!