What is Guest Protect?

Somewhere in firmware 8 (I think) a new section was added to the SSID configuration (
AP tab → Wireless SSID → SSID ) called Guest Protect. This section is not in the Balance User Manual (as of Jan 2021 and fw 8.1.1).

What is “Block All Private IP”?
What is “Custom Subnet”?
What is “Block Exception”?

The came up before here

but I find it hard to believe that blocking Private IPs does something that can already be done with VLANs and/or firewall rules. And that item does not address the Custom Subnet feature or the Block Exception feature.
Thanks in advance.

I was under the impression that this further isolates wired from wireless clients on the same subnet.

That would be a new feature, as far as I know. But, if true, the name makes no sense. Where did your impression come from? Is there some doc on this?

^^^

From @Erik_deBie

“ As the name implies the “Guest protect” feature is often used when supplying WiFi access for guests in public places (hotels, airports, transport) to protect the guest from accessing other wired devices within the same VLAN and devices connected to other VLANs.

The “Guest protect” feature is often compared to “Layer 2” isolation .
While Layer 2 isolation blocks communication between WiFi clients within the same SSID, the “guest protect” feature will block communication between a WiFi client and wired clients within the same VLAN and clients from other VLANs.”

Guest Protect is not a new feature. I use it in all installations where users are not permitted access the internet but not the LAN. Easier than setting up VLANs, firewalls, etc. One click and you’re done.

Never thought of it that way… so no need to create a guest vlan etc… create a guest SSID and flip on the guest protect feature.

Unless you want to keep ip assignments separate… but for simple and quick guest network can’t get any simpler.

This is no such thing as Guest Protect. There is “Block All Private IP" and “Custom Subnet” and “Block Exception”. Guest Protect is just a name for this group. Talking about Guest Protect helps no one.

As for Block all private IP, the definition in the other Forum post is :“Check this box to deny all connection attempts by private IP addresses.”

I have no idea what this means. Connection attempt by who? By what? To where? Every router client has a private IP as all of us already know. Useless words.

Custom subnet seems to be a VLAN just for this one SSID. Fine.

Block Exception is a mystery to me. Blocking from which subnet? To where?

I dont see where these 3 features do anything for me that can’t be done with VLANs.

This should be simple, easy and trivial. The basic concepts are always simple.

@Michael234, let me explain the features under the Guest Protect.

Block All Private IP - The WIFI client who connects to the AP will not able to access to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 when this feature is enabled.

Custom Subnet - The WIFI client who connects to the AP will not able to access to the subnet defined here.

Block Exception - The WIFI client who connects to the AP will able to access to the IP subnet defined here even the subnet was blocked by Block All Private IP or Custom Subnet.

5 Likes