Clarification about client isolation and subnets

Lsut142

New Around Here
This is a very basic beginner question as it relates to subnetting and client isolation.

I'm trying to use home automation on a subnet. I suspect that by turning on client isolation my smart light bulbs can't communicate with my Alexa hub properly even though the hub and the bulbs are on the same subnet.

My concern and question is: if I turn off client isolation, I'm sure that it will probably work properly; however, by doing that I defeat the purpose of a subnet. Is this correct?

I want all devices on the subnet, light bulbs and Alexa devices etc., to communicate, but I don't want to inadvertently open a path outside of the subnet to other devices on the main LAN by turning off client isolation.

Without spending money on additional hardware, just using the ISP-provided gateway router, is there a way to do this? Or is my best option to set up a pfSense or hardware firewall so that I can create specific block rules?

The devices I am trying to isolate from the main LAN are all IoT Wi-Fi devices.

I doubt ISP tech support is going to assist with this so I am posting here. The ISP is CenturyLink.

Thanks
 
I had problems getting my Alexa/Amazon devices to connect to my ASUS AX86 and AX88Pro. After dumbing down all the WiFi settings (smart connect, beam forming, WPA2 only, fixed WiFi channel, intranet yes/no), nothing seemed to help until I determined that DNS security seemed to be the root of my problem. Try either setting DNS security to None or use the DNS Director and set each Alexa/Amazon IoT device to use a specific DNS such as 8.8.8.8 or 8.8.4.4.
 
Without spending money on additional hardware, just using the ISP provided gateway router, is there a way to do this?
Subnetting and client isolation are two different things, although sometimes they can be configured so that there's a 1:1 relationship.

Even with that said "client isolation" can be implemented in multiple ways, e.g. at a hardware level on a Wi-Fi access point, or at a router/firewall level. I think you'll have to wait until someone familiar with CenturyLink's router's implementation can comment further.


Try either setting DNS security to None or use the DNS Director ...
I doubt those options exist in the OP's CenturyLink router.
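
An added example, not part of any post in this thread: a small model of where each control acts, assuming client isolation is enforced on the Wi-Fi access point and a separate router rule list handles traffic between subnets. The addresses, the rule list and the `decide` function are constructed for illustration; a given gateway may implement isolation differently, as the post above notes.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the thread).
MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")

# Hypothetical router rules, first match wins: (source, destination, action).
ROUTER_RULES = [
    (IOT_NET, MAIN_LAN, "drop"),    # IoT may not reach the main LAN
    (MAIN_LAN, IOT_NET, "accept"),  # main LAN may still manage IoT devices
]


def decide(src, dst, ap_isolation, rules=ROUTER_RULES, default="accept"):
    """Return (verdict, enforcement point) for one packet from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in (MAIN_LAN, IOT_NET):
        if s in net and d in net:
            # Same subnet: the frame goes client to client through the AP
            # and never reaches the router, so only AP isolation can stop it.
            if ap_isolation:
                return ("drop", "ap-isolation")
            return ("accept", "layer2")
    # Different subnets: the packet is handed to the gateway and routed,
    # so the router's rule list decides and AP isolation plays no part.
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return (action, "router-rule")
    return (default, "router-default")


if __name__ == "__main__":
    bulb, hub, laptop = "192.168.50.21", "192.168.50.10", "192.168.0.15"
    for isolation in (True, False):
        print("AP isolation:", isolation)
        print("  bulb -> hub     ", decide(bulb, hub, isolation))
        print("  bulb -> laptop  ", decide(bulb, laptop, isolation))
        print("  laptop -> bulb  ", decide(laptop, bulb, isolation))
        print("  bulb -> internet", decide(bulb, "8.8.8.8", isolation))
```

In this model the bulb-to-hub result changes with the isolation setting, while the bulb-to-laptop result depends only on the router rules.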
 
I was on CenturyLink until they sold off about half of their network to Brightspeed. Policies have not changed with the new company.

CenturyLink provides a basic modem/router for DSL or ONT and router for FIOS. They call the router a modem but that is another complaint. Their basic routers will provide one subnet, likely 192.168.0.0/24, and will be set to get DNS from Level3 servers. The routers have a basic firewall and not much else. They have a way to get IPv6 through 6rd which works but is not ideal.
As for subnetting your IoT devices, it can be done, but without a way to assign a gateway via the CenturyLink router those clients on the subnet will not have access to the internet. We have done this on a system to isolate IP cameras from snoopy users and it worked, but the cams never had the correct time as they were isolated from the internet.
F.W.I.W. - I have my cams and other IoT devices on the same subnet as the rest of my clients. I don't feel they are that much of a risk and it sure is easier to manage. I do use static IP addresses on those clients and set the router DHCP to start assigning addresses at 192.168.xx.30.
I also use a filtering DNS service (Cloudflare Security 1.1.1.2 1.0.0.2). Both of these functions can be set on your CenturyLink router.
You can also invest in a better router and replace the CenturyLink router if you have FIOS. If you are on DSL you can put the modem/router in bridge mode, turn off the WIFI and use a router of your choice (I did this when on DSL but now have FIOS).
The Asus Pro series of routers do have the ability to do guest WIFI with VLAN which can be set up for Ethernet connected clients as well.
 
The best approach is to buy a $30 wifi router from Walmart and run all the IoT devices off of it and plug its WAN connection into your local network. Even though you can set firewall rules, it's still putting a load on the wifi that is used for other things.
 
The best approach is to buy a $30 wifi router from Walmart and run all the IoT devices off of it and plug its WAN connection into your local network. Even though you can set firewall rules, it's still putting a load on the wifi that is used for other things.
This is assuming you live in a small house or an apartment.
 
Size of the building doesn't matter on network topology. The key is good planning before deployment in installations.
If your IoT devices are scattered across a large house like my house that can't be covered by 1 wireless device, your plan will not work.
 
If your IoT devices are scattered across a large house like my house that can't be covered by 1 wireless device, your plan will not work.
Install requirements vary. So there is no real way one can predict without planning.

Even if you have to make a small network of them, it's still not a big deal. Other things like cameras, I prefer to use the network on the camera IP input side of an NVR. Even wireless devices by putting an access point on it too. Most IP-camera-only NVRs can run an access point and multiple cameras on one port, because they are just a PoE switch connected to a network interface into an encoding server and don't have internet access unless you configure it to do so. I run a PoE to 12V adapter so it frees up an outlet and makes the install cleaner. IoT like light bulbs, outlets, drapes, appliances don't care if it's a 100M network.
 