CLIENT ISOLATION ON VLAN

selectt
Member
Posts: 166
Joined: 04 Jan 2010 05:50

CLIENT ISOLATION ON VLAN

Post by selectt »

Hi

We have a guest VLAN SSID on our network, and currently every guest can ping/see each other.

How do I adjust/program the VLAN/SSID/AP so that there is client isolation and they can't see each other?
silvio
Alcatel Unleashed Certified Guru
Posts: 2072
Joined: 01 Jul 2008 10:51
Location: Germany

Re: CLIENT ISOLATION ON VLAN

Post by silvio »

Is it an Express (cluster) or Enterprise (OmniVista) installation?
Cristek
Member
Posts: 94
Joined: 08 Mar 2024 10:56

Re: CLIENT ISOLATION ON VLAN

Post by Cristek »

Assuming Express Mode and also your gateway being 192.168.1.254, this is quite easy to do:
Go into the Access menu in the Stellar cluster and add 3 rules:
- allow everything from 192.168.1.0/24 to 192.168.1.254 (lan to gateway)
- allow everything from 192.168.1.254 to 192.168.1.0/24 (gateway to lan)
- block everything from 192.168.1.0/24 to 192.168.1.0/24 (everything else internally)
If your DNS or anything else important is also in the same LAN, add 2 more rules but replace 192.168.1.254 with your DNS server. Adjust as needed!
Image as an example: https://ibb.co/zhbgtCcN

If you have no control over the wifi, and since you posted this in the LAN section and not wifi, you can create a policy on the switch that does the same:

policy condition "to gateway" source ip 192.168.1.0 mask 255.255.255.0 destination ip 192.168.1.254
policy condition "from gateway" source ip 192.168.1.254 destination ip 192.168.1.0 mask 255.255.255.0
policy condition "lan to lan" source ip 192.168.1.0 mask 255.255.255.0 destination ip 192.168.1.0 mask 255.255.255.0
policy action "allow"
policy action "deny" disposition deny
policy rule "to gateway" precedence 100 condition "to gateway" action "allow"
policy rule "from gateway" precedence 100 condition "from gateway" action "allow"
policy rule "lan to lan" precedence 90 condition "lan to lan" action "deny"
qos apply

But please note that with this, you still need the APs to do some form of guest isolation, or else hosts within the same AP can still see each other.
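
Added example, not part of the posts above: a small Python model for checking a rule set like the one in the reply before applying it, reporting guest-to-guest paths that stay open and required services (gateway, in-LAN DNS) that the deny rule would cut off. It assumes the highest-precedence matching rule decides and that unmatched traffic is forwarded; the client and DNS addresses are constructed, and the allow rules are named after the server IP rather than "to gateway".

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    precedence: int
    name: str
    src: object
    dst: object
    action: str

GUEST_NET = ip_network("192.168.1.0/24")  # guest subnet from the post
GATEWAY = "192.168.1.254"                 # gateway from the post

def build_rules(extra_servers=(), deny_precedence=90):
    """Mirror the post's three rules, plus an allow pair per extra server."""
    rules = [Rule(deny_precedence, "lan to lan", GUEST_NET, GUEST_NET, "deny")]
    for host in (GATEWAY, *extra_servers):
        server = ip_network(f"{host}/32")
        rules.append(Rule(100, f"to {host}", GUEST_NET, server, "allow"))
        rules.append(Rule(100, f"from {host}", server, GUEST_NET, "allow"))
    return rules

def decide(rules, src, dst):
    """Return (action, rule name) for a flow that crosses the switch.
    Assumed model: highest-precedence match wins, no match means forward."""
    src, dst = ip_address(src), ip_address(dst)
    hits = [r for r in rules if src in r.src and dst in r.dst]
    if not hits:
        return "allow", "default"
    best = max(hits, key=lambda r: r.precedence)
    return best.action, best.name

def audit(rules, clients, services):
    """Report guest-to-guest leaks and required services the rules cut off."""
    findings = []
    for a in clients:
        for b in clients:
            if a != b and decide(rules, a, b)[0] == "allow":
                findings.append(f"leak {a} -> {b}")
        for s in services:
            if "deny" in (decide(rules, a, s)[0], decide(rules, s, a)[0]):
                findings.append(f"blocked {a} <-> {s}")
    return findings

if __name__ == "__main__":
    clients = ["192.168.1.10", "192.168.1.11"]  # constructed guest addresses
    dns = "192.168.1.53"                        # constructed in-LAN DNS server
    print(audit(build_rules(), clients, [GATEWAY, dns]))
    print(audit(build_rules([dns]), clients, [GATEWAY, dns]))
    print(audit(build_rules([dns], deny_precedence=110), clients, [GATEWAY, dns]))
```

The model only covers flows that cross the switch; as the reply notes, clients on the same AP are outside its reach and need isolation on the AP itself.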