How to Isolate WiFi Guests from the LAN?
WiFi is available everywhere, no matter we are in a coffee shop, on a bus or in a restaurant. It is common that the store owner provides free WiFi connection for their customers but what they can do to separate the WiFi Guests from their local network? In the past, we suggest the customers creating a separate LAN network for the WiFi Guests but now, we can provide an easier way by using the Isolate LAN and the new Device Object function on VigorAP903.
Configurations on VigorAP903
1. Create the SSID2 for Guests and select the Isolate LAN option.
2. Configure the WLAN Security Settings for SSID2.
3. Go to Objects Setting >> Device Object. Select Create from ARP Table.
4. Select the Gateway Router’s MAC then click OK.
If there is no ARP entry in AP903, please ensure the wired connection to the Gateway router is connected firmly or try to ping AP903’s IP from the Gateway Router.
5. The Gateway Router’s MAC has been created as a Device Object. Click index 1 to edit the profile.
6. Enable Attribute: Gateway MAC in this object and click OK.
Attribute: Gateway MAC option means this Device will have the ability to access any hosts in the Local Network.
After finishing the settings above, WiFi clients connected to the Guest SSID which enables the Isolate LAN option can only access the Internet and cannot access the other local computers even they are in the same LAN network.
If we want the guests to be able to access one Local Server, e.g. a Printer server, we may add the Printer server’s MAC into the Device Object and enable Attribute Gateway MAC.
To enhance network security, you can set up a dedicated guest network, separate from your main local network. This typically involves creating an additional LAN subnet using the tag-based VLAN feature on your gateway router.
In certain environments, another team manages the gateway router, and the network user may lack permission to modify VLAN settings. Starting with firmware version 5.1.0, the Isolate Client from Wired LAN feature allows guest Wi-Fi users to be separated from the local network without the need for a separate VLAN.
This article demonstrates how to use this feature on a DrayOS5 Access Point, such as the VigorAP 905.
Create a MAC Object for the Gateway Router
Go to Configuration / Objects. In the MAC Object menu, click +Add to create a gateway router object.
- Enter the object name.
- Select the router's MAC address.
If guests are allowed to access a local server, e.g., a printer server, we can also create an object for that server.
Click Apply to save the settings.
Then add those MAC objects to a MAC Group.
Go to Configuration / Objects. In the MAC Group menu, click on + Add to add objects to this group.
- Enter a group name
- Click on + Add
- Select the required MAC Objects
- Click Apply to save
Create a SSID for Guests
Go to Configuration / Wireless LAN. In the SSID menu, click on +Add to create a guest SSID.
Enable Isolate Client from Wired LAN and add the Router's MAC in the Exception List
Click Edit for the guest SSID, then scroll down to the SSID Settings section.
- Enable Isolate Client from Wired LAN.
- Select the MAC group that guests are allowed to access in the exception list. Ensure you choose the group that includes the MAC address of the gateway router, so Internet traffic can be forwarded correctly.
Click Apply to save the settings.
With this setup, a client on the guest Wi-Fi can only access the Internet and the local server included in the exception list.
Published On:2019-07-17
ShareWas this helpful?