CLIENT ISOLATION ON VLAN

Posted: 13 May 2025 06:38
by selectt
Hi

We have a guest VLAN SSID on our network and currently every guest can ping/see each other.

How do I adjust/program the VLAN/SSID/AP so that there is client isolation and they can't see each other?

Re: CLIENT ISOLATION ON VLAN

Posted: 15 May 2025 13:26
by silvio
Is it an Express (cluster) or Enterprise (OmniVista) installation?

Re: CLIENT ISOLATION ON VLAN

Posted: 16 May 2025 12:10
by Cristek
Assuming Express Mode and also your gateway being 192.168.1.254, this is quite easy to do:
Go into the Access menu in the Stellar cluster and add 3 rules:
- allow everything from 192.168.1.0/24 to 192.168.1.254 (lan to gateway)
- allow everything from 192.168.1.254 to 192.168.1.0/24 (gateway to lan)
- block everything from 192.168.1.0/24 to 192.168.1.0/24 (everything else internally)
If your DNS or anything else important is also in the same LAN, add 2 more rules but replace 192.168.1.254 with your DNS server. Adjust as needed!
Image as an example: https://ibb.co/zhbgtCcN

If you have no control over the Wi-Fi, and since you posted this in the LAN section and not Wi-Fi, you can create a policy on the switch that does the same:

! Conditions: guest subnet to gateway, gateway to guest subnet, and anything else inside the subnet
policy condition "to gateway" source ip 192.168.1.0 mask 255.255.255.0 destination ip 192.168.1.254
policy condition "from gateway" source ip 192.168.1.254 destination ip 192.168.1.0 mask 255.255.255.0
policy condition "lan to lan" source ip 192.168.1.0 mask 255.255.255.0 destination ip 192.168.1.0 mask 255.255.255.0
! Actions: "allow" keeps the default (accept) disposition, "deny" drops the traffic
policy action "allow"
policy action "deny" disposition deny
! Rules: higher precedence is evaluated first, so the gateway exceptions (100) win over the subnet-wide deny (90)
policy rule "to gateway" precedence 100 condition "to gateway" action "allow"
policy rule "from gateway" precedence 100 condition "from gateway" action "allow"
policy rule "lan to lan" precedence 90 condition "lan to lan" action "deny"
! Activate the pending policy configuration
qos apply
But please note that with this, you still need the APs to do some form of guest isolation, or else hosts on the same AP can still see each other.
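The following is an added example, not code from the thread or from Alcatel-Lucent: it builds the switch policy above from parameters (subnet, gateway, optional extra hosts such as a DNS server), renders it in the same policy-CLI form as the post, and evaluates sample flows against it so the rule ordering can be checked before it is pushed to a switch. It assumes AOS semantics as commonly documented: rules with a higher precedence value are matched first, the first match wins, and a flow matching no rule is forwarded. It models IPv4 source/destination matching only, so ARP, broadcast and non-IP frames are outside the check, which is also why the AP-side isolation the post mentions is still needed. The DNS address 192.168.1.53 is constructed for the example.

```python
"""Added example (not from the forum thread): build the guest-isolation policy
from parameters, render it in the OmniSwitch policy-CLI form used in the post,
and check which flows it permits before pushing it to a switch.

Assumptions not taken from the page: rules with a higher precedence value are
evaluated first and the first match wins; a flow matching no rule is forwarded
(the default disposition); only IPv4 source/destination addresses are modelled,
so ARP, broadcast and non-IP traffic are outside this check. The host
192.168.1.53 used below is a constructed DNS-server address."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    precedence: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    allow: bool


def build_isolation_rules(subnet, gateway, extra_hosts=()):
    """Gateway (and any extra hosts such as DNS) get allow rules in both
    directions at precedence 100; everything else inside the subnet is
    denied at precedence 90, mirroring the three rules in the post."""
    net = ipaddress.ip_network(subnet)
    rules = []
    for host in (gateway, *extra_hosts):
        h = ipaddress.ip_network(f"{host}/32")
        rules.append(Rule(f"to {host}", 100, net, h, True))
        rules.append(Rule(f"from {host}", 100, h, net, True))
    rules.append(Rule("lan to lan", 90, net, net, False))
    return rules


def render_aos(rules):
    """Emit the policy in the same CLI form as the post: conditions, the two
    actions, the rules, then qos apply. Host conditions carry a /32 mask."""
    lines = [
        f'policy condition "{r.name}" source ip {r.src.network_address} '
        f'mask {r.src.netmask} destination ip {r.dst.network_address} '
        f'mask {r.dst.netmask}'
        for r in rules
    ]
    lines += ['policy action "allow"', 'policy action "deny" disposition deny']
    lines += [
        f'policy rule "{r.name}" precedence {r.precedence} '
        f'condition "{r.name}" action "{"allow" if r.allow else "deny"}"'
        for r in rules
    ]
    lines.append("qos apply")
    return "\n".join(lines)


def evaluate(rules, src, dst):
    """True if the IPv4 flow src->dst is forwarded under the rule set.
    Higher precedence first, first match wins (assumed AOS behaviour)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if s in r.src and d in r.dst:
            return r.allow
    return True  # assumed default disposition when nothing matches: accept


def reachability(rules, flows):
    """Map each (src, dst) pair to its verdict; a pre-deployment sanity check."""
    return {f: evaluate(rules, *f) for f in flows}


if __name__ == "__main__":
    rules = build_isolation_rules("192.168.1.0/24", "192.168.1.254",
                                  extra_hosts=("192.168.1.53",))
    print(render_aos(rules))
    flows = [("192.168.1.10", "192.168.1.254"),  # client -> gateway: allowed
             ("192.168.1.10", "192.168.1.53"),   # client -> DNS: allowed
             ("192.168.1.10", "192.168.1.20"),   # client -> client: denied
             ("192.168.1.10", "8.8.8.8")]        # leaves the subnet: unmatched
    for flow, ok in reachability(rules, flows).items():
        print(f"{flow[0]} -> {flow[1]}: {'allow' if ok else 'deny'}")
    # Precedence mistake: put the subnet-wide deny above the exceptions and
    # the gateway itself becomes unreachable from the guest subnet.
    broken = build_isolation_rules("192.168.1.0/24", "192.168.1.254")
    broken[-1].precedence = 110
    print("gateway reachable with inverted precedence:",
          evaluate(broken, "192.168.1.10", "192.168.1.254"))
```

The inverted-precedence case at the end is the mistake worth checking for: if the "lan to lan" deny is given a higher precedence than the gateway exceptions, every guest loses its default route even though the allow rules are present.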