Client Isolation and Bonjour Whitelists?

  • 4
  • Question
  • Updated 2 years ago
Is it possible to restrict clients from seeing all other clients on the WLAN, but still allow an Apple TV or Chromecast by an exception rule?

Timothy Kamps

  • 2 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 4

Bill Burns, AlphaDog

  • 203 Posts
  • 38 Reply Likes
I would suggest creating a hidden wlan+ssid (possibly called "Apple-TV" or "bonjour" or "horrible-name-service") that does not have "clients on the same AP" isolation configured.
Then you can configure your Apple TV to associate w/ the hidden SSID.

It's not a seamless or end-user transparent solution but it should work.

AFAIK: the "whitelist" feature that exists for un-isolating "hosts on the same VLAN" does not apply to "clients on the same AP".
...which is unfortunate, but at least there's some kind of workaround for you.

Alternatively, you could create a new "WLAN" w/ the same (not hidden) SSID that you use on your other APs.
That way, clients that associate w/ that one AP will be able to see each other but clients that associate to some other AP still won't be able to see each other.

(the benefit to using the same ssid is that clients could still roam seamlessly between this AP and other APs)

If you think you're getting a security win by using the local isolation feature, you're "only" losing that feature for clients on the one AP w/ the Apple TV on it.
If you're not also using "hosts on the same VLAN" isolation, you're not getting much of a security benefit anyway, unless you've only got one AP per VLAN/subnet.

...and if you *do* use "hosts on the same VLAN" isolation, you had better configure your whitelist to allow communication to your wifi default gateway, otherwise you'll break all your wifi connectivity.


Of course, the bonjour problem you're describing is the "simple" one.
If what you really want is to get bonjour/Apple-TV, etc. working *across* subnets, then things just got way more complicated.
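Whichever workaround you pick, you will want to verify from a client whether Bonjour discovery actually gets through the isolation setting. The following is an added example, not code from either poster and not tied to any particular AP vendor: a small mDNS PTR query/response tool you can run from a laptop on the isolated SSID and then again on the non-isolated one. It assumes the AP forwards link-local multicast (224.0.0.251:5353) and that the responder answers by legacy unicast to the querying port (RFC 6762 §6.7 behaviour, which Apple devices follow). The service name `_airplay._tcp.local` and the "Living Room" instance in the constructed sample response are assumptions for illustration.

```python
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_PTR = 12


def encode_name(name: str) -> bytes:
    """DNS wire encoding: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                   for l in name.strip(".").split("."))
    return out + b"\x00"


def build_ptr_query(service: str, txid: int = 0) -> bytes:
    """One-question mDNS PTR query, e.g. for '_airplay._tcp.local' (AirPlay)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # QDCOUNT=1
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)  # IN


def _read_name(pkt: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_ptr_answers(pkt: bytes):
    """Return [(owner, target), ...] for every PTR record in an mDNS packet."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    offset = 12
    for _ in range(qd):                                    # skip question section
        _, offset = _read_name(pkt, offset)
        offset += 4
    results = []
    for _ in range(an + ns + ar):
        name, offset = _read_name(pkt, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            target, _ = _read_name(pkt, offset)
            results.append((name, target))
        offset += rdlen
    return results


# Constructed sample response (not captured traffic): one AirPlay PTR answer
# whose RDATA uses a compression pointer (0xC00C) back to the owner name at
# offset 12, which is what real responders emit.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)         # response, ANCOUNT=1
    + encode_name("_airplay._tcp.local")
    + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, 14)   # IN + cache-flush bit
    + b"\x0bLiving Room" + b"\xc0\x0c"
)


def discover(service: str = "_airplay._tcp.local", timeout: float = 2.0):
    """Multicast a PTR query and collect {instance: responder_ip}.

    Run once on the isolated SSID and once on the un-isolated one: an empty
    result on the isolated SSID while the same device answers on the other
    confirms that client isolation, not the Apple TV, is dropping discovery.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(build_ptr_query(service), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, (addr, _) = sock.recvfrom(4096)
            for _, target in parse_ptr_answers(data):
                found.setdefault(target, addr)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for instance, ip in discover().items():
        print(f"{ip}\t{instance}")
```

Because the query is sent from an ephemeral port rather than 5353, responders reply by unicast straight to the laptop; on an SSID with "clients on the same AP" isolation that unicast reply is exactly the traffic the AP drops, so an empty result there and a populated one on the hidden or un-isolated SSID is the expected contrast.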