Allow only Home Smart Devices on Access Point?

[username0475]

I recently set up a TP-Link EAP225_v3 access point for the upstairs of my house to provide better coverage to my growing number of smart home WiFi light switches, doorbells, Amazon Echo's & robo vac.
Some of these smart home devices can only use the 2.4GHz band while others can use 5GHz also.

Upstairs access to this AP is - with any clients - thru a SSID & password.
Downstairs access is thru a Asus RT-AC68U - that serves as my main router & allows smart home devices thru a guest SSID & PW. It also powers the upstairs AP thru a PoE switch.

I'm fairly new to home network admin so you'll have to bear with me on these questions:

1) Is there a way to isolate these smart clients so their access to the AP cannot be manipulated to affect my main router where the AP is ultimately connected back to?

2) If yes to #1 - is that through a guest access (TP-L allows guest through a cumbersome portal setup using their controller software ) or through AP isolation?

3) Will AP isolation cause problems :

a. If I keep the SSID (for smart home devicesthe same for upstairs AP = my downstairs SSID for smart home devices (which is on the 68U's guest network) ?
b. For the Echo's to not to be able to see each other for concurrent multi-room music listening?​

Appreciate any feedback.

 

[Easy Rhino]

does the EAP225_v3 let you set up a guest network on it, as well? that would be the first thing I'd try (same SSID as your Asus's guest network).

AP isolation shouldn't cause a problem as long as the smart devices only need to talk to the internet and from the internet, and not chat amongst themselves.

I have only a few smart devices (car charger, vacuum, solar monitoring station, thermostat) and they all work fine on the guest network.

 

[username0475]

does the EAP225_v3 let you set up a guest network on it, as well? that would be the first thing I'd try (same SSID as your Asus's guest network).

AP isolation shouldn't cause a problem as long as the smart devices only need to talk to the internet and from the internet, and not chat amongst themselves.

I have only a few smart devices (car charger, vacuum, solar monitoring station, thermostat) and they all work fine on the guest network.

Hey thanks for the insight.
The only way I could figure out a guest SSID setup is via using a captive portal - which sounds a little too clunky to do smart devices on.
IP isolation appears would kill my multi-room music capabilities on my Amazon Echo's.

Then today I stumbled on this how-to from TP-L to show:
How to set up different SSIDs and Passwords for each EAP through EAP Controller: https://www.tp-link.com/us/faq-1261.html

 

[coxhaus]

If you use different SSIDs but you use the same network or VLAN how is that going to secure your network? I would think you would need to assign an SSID to a different VLAN. Then limit VLAN access.

 

[username0475]

If you use different SSIDs but you use the same network or VLAN how is that going to secure your network? I would think you would need to assign an SSID to a different VLAN. Then limit VLAN access.

I see how to enable VLAN on my AP's controller & put it into a WLAN group (Step 2 in here: https://www.tp-link.com/us/faq-1261.html) - which I think is what you are suggesting I do.

But does it involve tweaking the switch it's running off of too - which is what segregating VLAN's & their access control involves - true?

Don't think my unmanaged switch allows that.

 

[coxhaus]

You can't VLAN an unmanaged switch.

The only thing 2 SSIDs will give you without separate VLANs is 2 logons and 2 passwords to the same network.

 

[sfx2000]

You can't VLAN an unmanaged switch.

I'll add that an unmanaged switch will typically follow all traffic from an upstream managed port with regards to the VLAN.

Where is gets weird with unmanaged switches and 802.1q tags - some will discard that traffic (bad frames), and some might crash...

 

[coxhaus]

Old unmanaged switches will truncate tags. So you will end up with a lot of default traffic. Some of the newer unmanaged switches will pass the tags.

 

[username0475]

You can't VLAN an unmanaged switch.

The only thing 2 SSIDs will give you without separate VLANs is 2 logons and 2 passwords to the same network.

As stated above my EAP225 AP doesn't have a guest feature unless i use a captive portal (not good for smart home devices - since it would require occasional re-log-in) or as suggested in conjunction with a managed switch.

So I am trying to learn more about how to create a guest network on my AP.

I use Merlin's software on a AC-68U router -
How does a guest SSID work on a router ? Does it somehow create a VLAN on the router itself?

 

[coxhaus]

I think what you need is to create a VLAN and call it guest. Then you need a way to control the inter-VLAN routing. I use ACL to control inter-VLAN routing on my small business Cisco gear. This allows you to lock down access to your smart devices. Once you have the VLAN created then you can assign a separate SSID to your guest VLAN for wireless access. I have 3 wireless APs in my house and all three have 2 SSIDs on them one being guest which I have created a VLAN for. This allows guest to work through out my house with roaming for guests.

 

[ColinTaylor]

I use Merlin's software on a AC-68U router -
How does a guest SSID work on a router ? Does it somehow create a VLAN on the router itself?

Probably a question best asked in the Merlin forum; but no it doesn't use VLAN's. Asus' guest SSID's are created as separate virtual interfaces. The guest traffic is kept separate from the non-guest traffic by netfilter rules.

 

[CaptainSTX]

In many cases when you set up a guest network on an AP and the AP is behind the router all connections on either the main SSIDs or the guest SSID have connectivity to your intranet. The router has no way of telling which SSID a device is connected to.

Not knowing how the routers and APs in your network work I would suggest testing after you set it up to be sure that you have the isolation for the IoT devices that you want.

 

[username0475]

In many cases when you set up a guest network on an AP and the AP is behind the router all connections on either the main SSIDs or the guest SSID have connectivity to your intranet. The router has no way of telling which SSID a device is connected to.

Not knowing how the routers and APs in your network work I would suggest testing after you set it up to be sure that you have the isolation for the IoT devices that you want.

Thanks Captain for the feedback.
My setup is Router with Merlin > Unmanaged Switch > AP >Smart home clients.


ColinTaylor mentioned the Merlin thread & I did find some conversation seeking to do what I am trying to do also but comes down to scripting or using a managed switch it appears: https://www.snbforums.com/threads/how-to-setup-an-isolated-vlan-on-merlin.39860/#post-399994