VidBo
Follower
Jun 15, 2023

WAX220 Guest Network/isolation not working properly

Hello Community,

 

I just got a WAX220, updated to FW 1.0.3.0 right after basic setup.
But further down the specific setup, I got into issues.
The wifi devices connected to a guest network can't access the LAN ethernet.

Client isolation works. When disabled, clients can reach each other. When enabled, they don't.

The client isolation exceptions work, too. LAN ethernet connection never works, despite any isolation setting.

I can't even ping the AP's own guest network IP (Isolation settings, DHCP/manual IP, etc. doesn't matter), nor the main.

But if I do a traceroute to any IP outside its own subnet, I get the AP with its given name and IP as the first hop. Nothing answers from behind though. Not even its own main IP.

 

Any idea? This isn't intended, is it?

 

How is it supposed to work anyway? Is it meant as a gateway? Does the LAN Ethernet need a different subnet or the same, given by the guest network's DHCP?

1 Reply

    schumaku
    Guru - Experienced User

    Hello VidBo 

     

    Well, it does what is expected (one exception already discussed ref. L2 Isolation which appears to be disabled by default and does not offer a user control to enable it for now). Probably it does not do what you might want...

     


    VidBo wrote:

    The wifi devices connected to a guest network, can't access the LAN ethernet.

    Correct - and this is part of the design.

     

    The wireless clients associated to a guest network get addresses from a private, reserved, pure local guest network.

     

    Guests can reach the Internet only, and in absence of the said L2 Isolation also the intermediate subnet providing the Internet access.

     


    VidBo wrote:

    Client isolation works. When disabled, clients can reach each other. When enabled, they don't.

    The client isolation exceptions work, too.

    Correct. This is the Client Isolation feature.

     


    VidBo wrote:

    LAN ethernet connection never works, despite any isolation setting.

    This is correct and intended. The guest network is never allowed to access the (main) LAN.

     


    VidBo wrote:

    I can't even ping the AP's own guest network IP (Isolation settings, DHCP/manual IP, etc. doesn't matter), ...

    The idea of the essential guest network is to provide simple Internet access for your guests, using mobile devices, phones, tablets, ... so this is what it does. 

     


    VidBo wrote:

    But if I do a traceroute to any IP outside its own subnet, I get the AP with its given name and IP as the first hop. Nothing answers from behind though. Not even its own main IP.

    1 <1 ms <1 ms <1 ms WAX220-1.lan [192.168.200.1]
    2 1 ms 2 ms 3 ms [[my.usual.LAN.gw ]] ...nothing else from the WAX220...
    3 3 ms 2 ms 2 ms [[my.internet.WAN.gw]] ...nothing else from the WAX220... 
    ...

    7 11 ms 3 ms 4 ms 72.14.223.0
    8 8 ms 4 ms 4 ms 172.253.50.233
    9 4 ms 4 ms 4 ms 172.253.50.5
    10 3 ms 3 ms 3 ms dns.google [8.8.8.8] ...goes through...

     


    VidBo wrote:

    How is it supposed to work anyway? Is it meant as a gateway? Does the LAN Ethernet need a different subnet or the same, given by the guest network's DHCP?

    The guest network does make up an isolated, dedicated private IP subnet.

     

    Start from this p.40

     

    Set up or change a guest WiFi network
    The AP supports a total of four user WiFi networks. Each user WiFi network can function
    either as regular user WiFi network or a guest user WiFi network. The essential difference
    between a regular WiFi network and a guest network is the pool of IP addresses that
    the network assigns to its WiFi clients.
    By default, and irrespective of which user WiFi network functions as a guest network,
    guest WiFi devices are assigned an IP address in the range from 192.168.200.100 to
    192.168.200.200. You can change these automatically assigned IP addresses by changing
    the DHCP server settings for the guest networks. For more information, see Change the
    DHCP server settings for guest WiFi networks on page 62.

     

    ...resp. p.62

     

    Change the DHCP server settings for guest WiFi networks
    A WiFi client that connects to a guest network (see Set up or change a guest WiFi network
    on page 40) is assigned an IP address in a different address range than a regular WiFi
    client. By default, the address range for guest WiFi clients is derived from the address
    range of the DHCP server (or router) in your network. For example, if the DHCP address
    range in your network is 192.168.100.2 to 192.168.100.254, the default address range
    for a guest WiFi network is 192.168.200.100 to 192.168.200.199. You can change this
    address range, which then applies to all WiFi guest networks on the AP.
    You can change the DHCP server settings for a guest network only if you enable at least
    one guest network on a user WiFi network (see Set up or change a guest WiFi network
    on page 40).

    More confusion now?
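
An added example, not part of either post: a small audit helper that parses Windows `tracert` output captured on a guest client and labels each answering hop as the guest gateway, an upstream private hop (the intermediate subnet the reply says guests can still see while L2 Isolation is off), or the Internet. The sample trace is constructed; its `192.168.100.1` hop and the `/24` guest prefix are assumptions based on the address ranges quoted from the manual.

```python
import ipaddress
import re

# One hop of Windows tracert output: hop number, three RTT columns
# ("<1 ms", "3 ms" or "*"), then either "name [ip]" or a bare IP.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(?:<?\d+\s*ms|\*)\s+){3}"
    r"(?:(\S+)\s+\[([0-9.]+)\]|([0-9.]+))\s*$"
)

# Constructed sample, shaped like the trace quoted in the thread.
SAMPLE = """\
  1    <1 ms    <1 ms    <1 ms  WAX220-1.lan [192.168.200.1]
  2     1 ms     2 ms     3 ms  192.168.100.1
  3     *        *        *     Request timed out.
  4     3 ms     3 ms     3 ms  dns.google [8.8.8.8]
"""

def parse_tracert(text):
    """Return (hop, name, ip) for every hop that answered; timeouts are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m.group(3) or m.group(4))
            hops.append((int(m.group(1)), m.group(2), ip))
    return hops

def classify(hops, guest_net):
    """Label each hop relative to the guest subnet (assumed prefix, e.g. /24)."""
    guest = ipaddress.ip_network(guest_net)
    report = []
    for hop, _name, ip in hops:
        if ip in guest:
            kind = "guest-gateway"       # the AP's guest-side address
        elif ip.is_private:
            kind = "upstream-private"    # intermediate LAN visible in the path
        else:
            kind = "internet"
        report.append((hop, str(ip), kind))
    return report

def upstream_exposure(report):
    """Private hops beyond the guest subnet that answered the guest client."""
    return [ip for _hop, ip, kind in report if kind == "upstream-private"]

if __name__ == "__main__":
    for row in classify(parse_tracert(SAMPLE), "192.168.200.0/24"):
        print(row)
```

A hop listed by `upstream_exposure` only shows that the upstream router answered the trace; whether other hosts on that subnet are reachable from the guest network has to be tested separately.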
