Isolating guest traffic

  • Question
  • Updated 3 years ago
I have enabled a guest SSID on my network and I have selected isolated wireless client traffic from other clients on the same AP and isolated wireless client traffic from all hosts on the same VLAN/subnet. I added my printer to the whitelist, however guests trying to connect do not get an IP address and cannot connect to the internet. So what I tried was adding the IP and MAC addresses of my APs and router to the whitelist, and traffic is isolated from all other users, except they can see the access points and router. Is this normal behavior? Is full client isolation not possible?

My current software version is 9.7.0.0 build 220

MLG


Posted 3 years ago

Com1 NL - Bas Sanders

Hi,

In my opinion you shouldn't need to whitelist the addresses of your APs, assuming that your router is also the DHCP server or forwarder.

If you want to allow guests to use the WLAN it is strongly advised to put them in a separate VLAN. If your printer supports Bonjour, you could then allow your guests to use the printer by configuring a Bonjour gateway.

Regards,

Bas
MLG

Thanks for the reply. I've tried tagging the guest network with a different VLAN tag ID, which does not seem to work. I am not well versed in VLANs. Do you have instructions?
ThX

Did you ever resolve guest printing? If so, how?
Com1 NL - Bas Sanders

If you can provide me with more info on your setup I could try to point you in the right direction.

Is your network VLAN-aware?
What kind of equipment are you using? (brand and type of switch)

What kind of firewall/router are you using?

Before you want to set up a new VLAN you (at least) need:
- The VLAN to be configured on all switch ports where APs are connected UNLESS you are tunnelling all traffic to the ZD. The latter is probably easier to configure and maintain as then you only need to configure the VLAN on the ZD interface.
- The VLAN to be terminated on a firewall/router
- A DHCP scope to be active on the VLAN
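
The three prerequisites listed in the reply above, written as a pre-flight check over a network plan. This is an added example, not part of the original thread or any vendor tool; the plan layout, port names, VLAN IDs and addresses are all constructed assumptions. It goes one step beyond the list by also flagging a guest subnet that overlaps another VLAN, since the thread's advice is to keep guests in a separate VLAN.

```python
import ipaddress

# Constructed sample plan; every port name, VLAN ID and address is hypothetical.
PLAN = {
    "guest_vlan": 50,
    "tunnel_to_zd": False,                              # True = all WLAN traffic tunnelled to the ZD
    "ap_ports": {"sw1/0/3": [1, 50], "sw1/0/4": [1]},   # switch port -> VLANs carried
    "zd_port_vlans": [1, 50],                           # VLANs on the ZD interface
    "router_interfaces": {1: "192.168.1.1/24", 50: "192.168.50.1/24"},
    "dhcp_scopes": {1: ("192.168.1.100", "192.168.1.200"),
                    50: ("192.168.50.10", "192.168.50.250")},
}

def check_guest_vlan(plan):
    """Return the unmet prerequisites for the guest VLAN (empty list = ready)."""
    vid = plan["guest_vlan"]
    problems = []
    # 1. VLAN on every AP switch port, unless traffic is tunnelled to the ZD,
    #    in which case only the ZD interface has to carry it.
    if plan["tunnel_to_zd"]:
        if vid not in plan["zd_port_vlans"]:
            problems.append(f"VLAN {vid} missing on ZD interface")
    else:
        for port, vlans in sorted(plan["ap_ports"].items()):
            if vid not in vlans:
                problems.append(f"VLAN {vid} missing on AP port {port}")
    # 2. VLAN terminated on the firewall/router.
    iface = plan["router_interfaces"].get(vid)
    if iface is None:
        problems.append(f"VLAN {vid} not terminated on router")
        return problems
    net = ipaddress.ip_interface(iface).network
    # Added check (assumption): the guest subnet must not overlap another VLAN.
    for other, addr in sorted(plan["router_interfaces"].items()):
        if other != vid and net.overlaps(ipaddress.ip_interface(addr).network):
            problems.append(f"VLAN {vid} subnet overlaps VLAN {other}")
    # 3. A DHCP scope active on the VLAN, inside the router's subnet for it.
    scope = plan["dhcp_scopes"].get(vid)
    if scope is None:
        problems.append(f"no DHCP scope on VLAN {vid}")
    elif not all(ipaddress.ip_address(a) in net for a in scope):
        problems.append(f"DHCP scope for VLAN {vid} outside {net}")
    return problems

if __name__ == "__main__":
    for line in check_guest_vlan(PLAN) or ["guest VLAN prerequisites met"]:
        print(line)
```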