How to isolate wireless from LAN?

Deadjasper

I'm using a TP-Link AP and can't find anything about doing this so maybe it's unpossible.

If I put the AP in the DMZ in the router will that isolate the wireless clients or is there a better way?

TIA :)
 
If you haven't updated it to the newest bios, that might add the option. Otherwise, what's the AP model number and I'll take a quick look.
 
If you haven't updated it to the newest bios, that might add the option. Otherwise, what's the AP model number and I'll take a quick look.

Thank you sir. It's a TP-Link EAP 225. I was unable to find a link to the BIOS. :(
 
So there's a feature called SSID Isolation that should do the trick. Try it.
 
I did and no joy. Apparently it only isolates SSID's from each other but not from the LAN. :(
Yeah, I was afraid it was going to be like that--kinda stupid too since if you don't want them talking to each other you sure don't want them talking to your lan.

The only other way I would know to do it would be using vlans or static routes.
 
Wireless IS part of your LAN. What kind of separation are you seeking here? Are you wanting all WiFi clients to not be able to access wired services/resources? You haven't mentioned your router, so it's difficult to help at all here.
 
Don't have a L3 switch. :(

But you do have a business class AP, so time to review your network needs and wants.

Just a basic question here. A VLAN on different subnet get to the Internet how?

This is beyond the original question which wasn't really clear to begin with, but is basic networking you can learn.

For the OP: what is your goal, what equipment do you have, what is your budget for new gear if needed?

Wireless IS part of your LAN. What kind of separation are you seeking here? Are you wanting all WiFi clients to not be able to access wired services/resources? You haven't mentioned your router, so it's difficult to help at all here.

This
 
Just to be perfectly clear, I want to block ALL wireless clients from accessing the LAN. They can have Internet only. Seems like this would be easy to do and easy to understand. If it's possible at all no doubt big brother doesn't want people doing blocking of any kind. :(
 
Just to be perfectly clear, I want to block ALL wireless clients from accessing the LAN. They can have Internet only. Seems like this would be easy to do and easy to understand. If it's possible at all no doubt big brother doesn't want people doing blocking of any kind. :(
Again, WiFi is by very definition, LAN. Do you mean you don't want WiFi to talk to wired/ethernet?

I don't even know what the big brother rant is supposed to mean. You still haven't listed what gear you even have, so, no one's going to be able to help. If you want to block WiFi from accessing wired, that's pretty trivial to do (given the right gear and importantly, the right knowledge) and is done all day, every day.
 
Place the wireless AP and clients connected to it in a vlan and deny them access to your wired clients.... Easy Peasy
 
Just to be perfectly clear, I want to block ALL wireless clients from accessing the LAN. They can have Internet only. Seems like this would be easy to do and easy to understand. If it's possible at all no doubt big brother doesn't want people doing blocking of any kind. :(

First, as others have said, your LAN (local area network) includes your wifi. Now unfortunately MOST consumer class networking equipment stops right there and you get WAN and LAN with routing+NAT/PAT between. The wifi and the ethernet segments of the LAN are bridged together. Sadly this is the norm and many home networking features break when this is not the case. That said, using business or enterprise class gear with multiple LAN segments this bridging is easily overcome. You simply hang your wireless AP off one interface of your routing device (router/firewall/layer 3 switch) and wired off another and route between or out as needs desire. Using a layer 2 switch with trunking and vlan you can do the same thing with a router on a stick. That's the high level explanation. The specifics will vary from device to device so absent very exact details of your network hardware no one can give you an exact how to.
 
I just ordered an Aruba AP. The TP-Link AP web interface doesn't have much in the way of options. Hopefully the Aruba will be a bit better since it is a business class device. I'm not really concerned about anything breaking because all I want to do is block wireless clients from the LAN and all of its resources. I vaguely remember having a router years ago where this was a one click task and was labeled "Prevent wireless clients from accessing the LAN" or something like it.
 
He wants separate LANs for wifi and ethernet, and he wants both LANs to be able to access the internet.

I don't think you can do that with your current hardware. Need a separate switch or router to control routes and vlans.
 
I just ordered an Aruba AP. The TP-Link AP web interface doesn't have much in the way of options. Hopefully the Aruba will be a bit better since it is a business class device. I'm not really concerned about anything breaking because all I want to do is block wireless clients from the LAN and all of its resources. I vaguely remember having a router years ago where this was a one click task and was labeled "Prevent wireless clients from accessing the LAN" or something like it.
I would read the owners manual of the Aruba now before you get it to see if it fits your needs. This was a feature more prevalent before as I had this set on my Meraki networks back in their early days (I have no idea what they're like now after Cisco got a hold of them). But I haven't seen this feature too often since then. A lot of small business 'hotspot' routers have this feature, but they also have captive portals and whatnot for hotspot usage.
 
So how do public locations like coffee shops and Internet cafes deal with this? Do they use a separate wan ip for the public to use?
 
So how do public locations like coffee shops and Internet cafes deal with this? Do they use a separate wan ip for the public to use?
I used Meraki OD2 for our hotel's wifi back in the day--fully meshed with wired backbone and could handle multi-wan so automatic failover and load balancing, and all cloud managed. The new owners of the hotel were going to rip it all out and throw it away so I just took it with me. The main limitation was only 5Mbps via a/b/g, but was reliable from my end so no issues. You can also get dedicated 'hotspot' access points/routers that have a full 'captive portal', etc.

The cheapest way would be to just use a series of cascading routers--You use a single router to two other routers--one for each network. Neither of the other routers will be able to see each other and the traffic is even physically separated. You can do the same thing with vlans in a single switch/access point, but consumer routers are dirt cheap compared to more sophisticated ones that have these features.

I'm also pretty certain you could do it with a static route, but I'm not very good with these so couldn't tell you the exact config.
 
If you are going to buy one business ap to replace another business ap, instead of using the controller software to make changes for the one you have to set it up (assuming you have an existing router that can even support either ap, you haven't answered that), might as well just buy a consumer wifi router and put all your wireless devices on the guest wifi and call it a day.
 
Currently I'm using PFSense for my router. I have thought about replacing it with a consumer router. If the Aruba disappoints this is what I'll do. Problem with the TP-Link is an almost total lack of control. The mfg thinks it has the right to dictate how you use their product and I have a problem with this. The other side of the coin is PFSense, it's actually too much control. I won't live long enough to master it to any degree. I love pfBlockerNG, would really hate to give it up.
 
Problem with the TP-Link is an almost total lack of control. The mfg thinks it has the right to dictate how you use their product and I have a problem with this.

Wut? Are you using the controller software?

Vlan tag the ssid, use pfsense to separate the traffic, or maybe just turn the guest network on. All of your answers are a Google away at this point.
 
Currently I'm using PFSense for my router.

Full stop! Again the AP is absolutely not where you control what you want to do. An AP is just a layer 2 bridge that bridges wifi to ethernet. To do what you want you need to be at the router. Add another interface to your PFSense router using a different subnet than your wired network. Plug your AP into that interface. On your PFSense box only allow that new subnet created for the AP access to the internet. Done!
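
The rule set described in the post above, modelled as an added example (not part of the thread and not pfSense's own code): pfSense evaluates the rules on an interface top-down with first match winning and an implicit default deny, so the block for private networks has to sit above the general pass rule. The subnets, addresses and rule layout below are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the thread)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # existing wired LAN
WIFI_NET = ipaddress.ip_network("192.168.50.0/24")  # new interface the AP plugs into
WIFI_GW = ipaddress.ip_network("192.168.50.1/32")   # router's own address on that interface
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules for traffic arriving on the WiFi interface: (action, protocols, dst nets, dst port).
# None means "any". Evaluated top-down; the first matching rule decides.
WIFI_RULES = [
    ("pass",  {"tcp", "udp"}, [WIFI_GW], 53),  # DNS served by the router
    ("block", None, [WIFI_GW], None),          # router web GUI / SSH
    ("block", None, RFC1918, None),            # wired LAN and any other private net
    ("pass",  None, None, None),               # whatever is left is the Internet
]

# Common mistake: the broad pass rule first, so the block below it never matches.
MISORDERED_RULES = [WIFI_RULES[3], WIFI_RULES[2]]

def evaluate(rules, src, proto, dst, port):
    """Return 'pass' or 'block' for one new connection entering the WiFi interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in WIFI_NET:
        return "block"                         # source does not belong on this interface
    for action, protos, nets, r_port in rules:
        if protos is not None and proto not in protos:
            continue
        if nets is not None and not any(dst in n for n in nets):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "block"                             # implicit default deny

def audit(rules):
    """Check the flows that matter for 'Internet only' wireless clients."""
    client = "192.168.50.20"                   # constructed wireless client
    return {
        "lan_file_share": evaluate(rules, client, "tcp", "192.168.1.10", 445),
        "router_gui":     evaluate(rules, client, "tcp", "192.168.50.1", 443),
        "router_dns":     evaluate(rules, client, "udp", "192.168.50.1", 53),
        "internet_https": evaluate(rules, client, "tcp", "8.8.8.8", 443),
    }

if __name__ == "__main__":
    print("intended  :", audit(WIFI_RULES))
    print("misordered:", audit(MISORDERED_RULES))
```

Traffic between two wireless clients on the same subnet never reaches the router, so it is outside what these rules can control.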
 
If you are going to buy one business ap to replace another business ap, instead of using the controller software to make changes for the one you have to set it up (assuming you have an existing router that can even support either ap, you haven't answered that), might as well just buy a consumer wifi router and put all your wireless devices on the guest wifi and call it a day.
Oh yeah, easiest way for sure--consumer router with guest access point. In fact, you could just get one of these and use only the guest wifi and it's basically an AP doing what the OP wants.

But since the OP has pfsense, it's just a configuration away there--no need for anything else.
 
Oh yeah, easiest way for sure--consumer router with guest access point. In fact, you could just get one of these and use only the guest wifi and it's basically an AP doing what the OP wants.

But since the OP has pfsense, it's just a configuration away there--no need for anything else.


The op's existing AP has guest mode. The real problem is their unwillingness to help us help them by providing details. We've had to extract details along the way and guess and peck.

If they don't want to learn networking via the info on the internet to run a business/enterprise equipment at home, including pfsense, it is the best option for their purported but still unclear not completely described need at this point imo.
 
Full stop! Again the AP is absolutely not where you control what you want to do. An AP is just a layer 2 bridge that bridges wifi to ethernet. To do what you want you need to be at the router. Add another interface to your PFSense router using a different subnet than your wired network. Plug your AP into that interface. On your PFSense box only allow that new subnet created for the AP access to the internet. Done!

Ah, OK. I have a 4 port Intel Server NIC I can throw in the PFSense box. :)
 
Ah, OK. I have a 4 port Intel Server NIC I can throw in the PFSense box. :)
I'll add that if you have more than one AP you can plug a switch into the new PFSense interface and then plug APs into the switch. Also you said earlier in the thread you needed but didn't have an L3 switch for VLANs. Please note VLAN are layer 2 that require layer 3 routing. You can build a trunk, one or more layer interface with multiple VLAN, to a router and route between the vlan without a layer 3 switch. This is often called a "router on a stick." All of that said, I think you're on the easiest path with the new interface in your router.
 
Just got shipping notice on the Aruba. Think I'll wait and drop the Intel Server NIC in the box when it arrives. The router is at the other end of the house so it won't hurt having 2 AP's at opposite ends.
 
The op's existing AP has guest mode. The real problem is their unwillingness to help us help them by providing details. We've had to extract details along the way and guess and peck.

If they don't want to learn networking via the info on the internet to run a business/enterprise equipment at home, including pfsense, it is the best option for their purported but still unclear not completely described need at this point imo.
I've checked the owners manual--it has no such mode. It's really a pretty basic straight AP.
 
Just got shipping notice on the Aruba. Think I'll wait and drop the Intel Server NIC in the box when it arrives. The router is at the other end of the house so it won't hurt having 2 AP's at opposite ends.
I wouldn't wait for the Aruba as getting the tplink working will be the same as the Aruba even though it probably has the isolation capability built-in.
 
I've checked the owners manual--it has no such mode. It's really a pretty basic straight AP.

Owners manual of what? Controller software enables guest mode, not the AP itself.

https://www.tp-link.com/us/support/faq/1060/

I wouldn't wait for the Aruba as getting the tplink working will be the same as the Aruba even though it probably has the isolation capability built-in.

Aruba integrates controller into the first IAP booted in the network, so slight advantage. Omada controller software is free though so meh. It's one way to accomplish the goal. The other is outlined above by Niklebon and doable too. Pros and cons to both methods. Neither is better without info to the need or reason from the OP.
 
I went ahead and installed the 4 port NIC in the pfSense box and ran into an ass load of strangeness. ping time was over 2000ms and even tho it was pulling an ip address from my modem I had no internet. After struggling with it for awhile I decided to nuke it and do a reinstall. That seemed to fix it.

I'll be using both AP's so the Aruba isn't a waste.
 
didn't read thread...
change ip range in wifi and blacklist the range on the lan?
 
Owners manual of what? Controller software enables guest mode, not the AP itself.

https://www.tp-link.com/us/support/faq/1060/



Aruba integrates controller into the first IAP booted in the network, so slight advantage. Omada controller software is free though so meh. It's one way to accomplish the goal. The other is outlined above by Niklebon and doable too. Pros and cons to both methods. Neither is better without info to the need or reason from the OP.
TP-Link hardware and setup manual. I either must have glazed over the controller part or it wasn't in there. Do you have to leave the controller running or can you just config it and then shut the controller off? Any way to do it by another means like ssh/telnet?
 
TP-Link hardware and setup manual. I either must have glazed over the controller part or it wasn't in there. Do you have to leave the controller running or can you just config it and then shut the controller off? Any way to do it by another means like ssh/telnet?


You can config and shut off afaik, I don't because I run it in a docker on my server. You can run it on any computer on the LAN even a Windows box last I looked. Heck you can use the controller on APs not even in your LAN when setup correctly. Yes you can also do command line if you want.
 
I updated the firmware in the TP-Link AP and suddenly have the guest option and it explicitly states that it prevents wireless clients from accessing the LAN. And indeed it does. But it still allows wireless clients to see the LAN. I also installed the OMADA controller software but I'm not sure what its purpose is.
 
What do you mean by 'see the lan'? If they can see devices but can't access them, then those LAN devices are cached locations from when the device did have access to the lan.
 