I have four Archer C7s configured as APs. They are all similarly configured and wired to my x86 router (through a managed switch). It works great ... no issues whatsoever. The APs also double as edge switches for stuff that is connected by cable. Guest WiFi is handled by the router itself for simplicity. The guest WLAN works from a security perspective, but coverage is bad as my router's radio is nowhere near as good as the four Archer C7s...
So I would like to configure guest WiFi SSIDs on the APs instead. Currently, all my LAN/WLAN traffic between AP<->switch<->router is untagged, and trusted devices (whether they originate from WLAN or cabled LAN) go into the router through br-lan.
My first question would be: can I do this while still keeping my LAN traffic untagged, or do I have to start by reconfiguring my router and tagging all LAN traffic to begin with?
Second question: is it technically possible to achieve client isolation the same way as I have now (using only one WLAN interface in the router) using four different APs?
"client isolation" is a wireless term... yes, within the AP this operates in the exact same manner...
"guest vlan5 host isolation", assuming you're distributing and aggregating VLAN5 across all APs, would come down to the L3 handling (router)... in other words, once they hit the VLAN they are "isolated" from the other VLANs (assuming a firewall is in place), not from each other... @jeff posted something about blackholing the native VLAN that you might find relevant to your setup...
Depending on the switch, it either has a "blackhole" VLAN already (Cisco, for example, uses 4095), or you can create one yourself by not assigning it to untagged or tagged for any port. If you set the PVID to that blackhole VLAN, any untagged traffic that arrives will have nowhere to go.
While enterprise-grade switches and perhaps the switch chips in these all-in-one routers can be configured to reject incoming VLANs that aren't configured and/or untagged traffic, I've never looked into the driver used by OpenWrt to confirm how the switch chip is configured relative to those features.
Thanks for the reply. So basically, I can prevent devices from talking to each other by "client isolation", but only as long as they are connected to the same AP? If I have two devices on two different APs being transported to the router as VLAN5, they will be able to chat to each other already in my 24-p switch, correct?
Is there a way to prevent this? Perhaps I could create a specific VLAN for each AP and then aggregate them in the router? That way, they will not be able to chat to each other in the switch?
It seems that this might be doable by tagging each guest AP with its own VLAN, then bridging them in the router through the package "kmod-br-netfilter", which adds netfilter support for bridges. And then setting
echo 1 > /sys/class/net/br-guestlan/bridge/nf_call_iptables
Good news is that you can actually mix tagged and untagged traffic. I have successfully created a guest WLAN on two of my APs, tagged them both as VLAN5, and got it to go through my switch to the router, to be taken care of by the "Guest" zone/interface. So "guest WLAN via AP" works!
Unfortunately, my clients can ping each other if they happen to be on different APs.
I need some guidance on how to keep clients from reaching each other while on Guest WiFi.
Should I create one VLAN for each AP and then try to do some magic in the router (like using "kmod-br-netfilter"), or is there an easier way? I would prefer a solution where a device can "roam" between APs with the same IP number.
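A concrete way to wire up the per-AP-VLAN idea from the last two posts, as an added example that is not from this thread or from the OpenWrt project: each AP puts its guest SSID (with isolate on) into a VLAN of its own on the trunk, and the router bridges those VLANs into one guest subnet (so a roaming client keeps its IP) while bridge netfilter lets the firewall reject anything crossing between them. Assumed and not from the thread: VLAN IDs 11-14, the swconfig port layout and eth0.x names, the 192.168.5.0/24 subnet and the zone/rule names; the guest DHCP server on the router (already there per the thread) is left out.

```uci
# --- AP1: /etc/config/network (assumed swconfig layout; check `swconfig dev switch0 show`)
config switch_vlan
        option device 'switch0'
        option vlan '11'               # AP1's own guest VLAN; AP2 uses 12, AP3 13, AP4 14
        option ports '0t 1t'           # CPU port + uplink only, both tagged; untagged LAN on VLAN 1 is untouched

config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.11'        # CPU-side name depends on the unit's switch wiring
        option proto 'none'            # AP is pure L2 here: the router owns the IP and DHCP

# --- AP1: /etc/config/wireless (repeat for the 5 GHz radio if wanted)
config wifi-iface 'guest_ap'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        option key 'CHANGE-ME'
        option isolate '1'             # blocks client-to-client traffic inside this AP only

# --- Router: /etc/config/network (one bridge = one subnet, so roaming keeps the IP)
config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.11 eth0.12 eth0.13 eth0.14'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

# --- Router: /etc/config/firewall
config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'        # intra-zone policy: with bridge netfilter on, this is what
                                       # rejects AP1<->AP2 guest frames crossing br-guest
config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'guest-dhcp-dns'
        option src 'guest'
        option proto 'tcpudp'
        option dest_port '53 67'
        option target 'ACCEPT'

# --- Router: /etc/sysctl.conf (needs kmod-br-netfilter; same knob as the nf_call_iptables echo above)
net.bridge.bridge-nf-call-iptables=1
```

Client isolation on the AP still matters: it covers two guests on the same radio, which never reach the router's bridge at all. Expect ARP between guests on different APs to keep working, since only IP traffic passes the FORWARD chain; pings and TCP connections are what get rejected.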