Hi,
Not sure if this is more of a wireless or a routing question, thought I'd start here. I have virtual APs for the guest network, and devices I don't fully trust - IoT gadgets etc. Each AP has its own interface, IP range and DHCP server, but devices on different APs can still access each other. What's the best way to completely isolate the virtual APs?
- Routing rules
- VLANs
- Firewall rules
- something else?
In WebFig, under IP >> Routes, each Virtual AP interface appears to have some sort of default route associated with it, the status is 'dynamic, active, connected.' Can I disable those, and would it have the desired effect?
Re: best way to isolate virtual APs
Best way: VLANs combined with firewall rules.
The DE FACTO guide around here:
viewtopic.php?t=143620
The DE FACTO guide around here:
viewtopic.php?t=143620
Re: best way to isolate virtual APs
You can add "setting same bridge port horizon" to that list, if interfaces are connected to a bridgesomething else?
With HW offloading on the bridge, switch port isolation is the way to do it.
Last edited by bpwl on Tue Sep 03, 2024 5:54 pm, edited 2 times in total.
-
-
victorbayas
newbie
- Posts: 26
- Joined:
- Location: Ecuador
- Contact:
Re: best way to isolate virtual APs
Attach each VAP to a VLAN and use Firewall rules to isolate the networks, also enable client isolation in the WiFi interfaces
Re: best way to isolate virtual APs
Also add CAPsMAN central delivery (creates a CAPWAP tunnel to each wireless interface) to your list with options.something else?
Or other tunnel and VXLAN, can replace VLAN as separator. Something like this ... https://www.youtube.com/watch?v=9JYv2nsaL4w&t=9s ... MikroTik PPPoE and Hotspot over VXLAN
Re: best way to isolate virtual APs
Hey, thanks for all the replies!
@holvoetn, that guide certainly is impressive! I'm digging in now
@bpwl, I appreciate your suggestions, if I'm being honest they all went over my head
I would like to learn about bridge port horizons, switch port isolation, HW offloading, CAPWAP tunnels, and especially VXLANs in the future!
@victorbayas, another vote for VLANs + Firewall, thanks! I am curious about 'client isolation in the WiFi interfaces,' any resources to share? I did some googling and so far only found viewtopic.php?t=173693
One more question, if anyone's up for it. VLANs are a layer 2 thing - what about layer 3? Each vAP has its own subnet, why couldn't I simply prevent the router from routing between them?
@holvoetn, that guide certainly is impressive! I'm digging in now
@bpwl, I appreciate your suggestions, if I'm being honest they all went over my head
I would like to learn about bridge port horizons, switch port isolation, HW offloading, CAPWAP tunnels, and especially VXLANs in the future! @victorbayas, another vote for VLANs + Firewall, thanks! I am curious about 'client isolation in the WiFi interfaces,' any resources to share? I did some googling and so far only found viewtopic.php?t=173693
One more question, if anyone's up for it. VLANs are a layer 2 thing - what about layer 3? Each vAP has its own subnet, why couldn't I simply prevent the router from routing between them?
Re: best way to isolate virtual APs
if you will be using capsman, virtual APs will isolated themselves by nature of capsman... this is how this whole thing works 
Re: best way to isolate virtual APs
I thought CAPsMAN was a tool for managing multiple physical APs in a centralized fashion.. are there any advantages to using it to manage multiple virtual APs on a single router?if you will be using capsman, virtual APs will isolated themselves by nature of capsman... this is how this whole thing works