Client isolation with XV2-21X & cnMaestro 4.1.0-r18

Hi all,

The client isolation feature does not seem to work. I have a customer with four XV2-21X access points running version 6.5.3-r8, managed by cnMaestro (free cloud) version 4.1.0-r18. I did not configure any VLANs other than the default VLAN 1, and configured two WLANs, one for the corporate network and another for guests. There is only a single DHCP pool for all wired and wireless devices (corporate and guests).

The customer does not want anyone connected in the Guest WLAN to access anything in the corporate WLAN. Guest WLAN should only be able to access the internet, a wireless printer and a wired printer. I enabled Client Isolation “Network Wide” without success. Guest WLAN clients can still access everything in Guest WLAN, corporate WLAN and wired devices. I also tried Client Isolation “Local” but still no success. I did not try Client Isolation “Static” as I figured this eventually might become a headache for an administrator.

I have a similar setup at another customer that worked just fine with previous cnMaestro versions. I honestly do not know if that one still works after cnMaestro latest upgrades. The only difference between the two setups is the switch in use. At the setup that works I have a Unifi switch. The setup that does not work uses a Cambium switch.

Any help is appreciated.

Please set specific rules on the firewall. Client isolation is not a firewall.
Setting up a separate VLAN for guests is the first step!

2 Likes

Thank you Pshemo. I know I can do this using a firewall, and I already have one in place. Per the customer's request, however, I am trying to avoid trunks and sub-interfaces on the firewall, as the customer considers this a complex setup. I know the client isolation feature worked in the past, and it is a simple workaround for company IT admins that have limited networking skills. Client isolation can be enabled/disabled with a plain click.

No, that’s not how Client Isolation works. @PFR is right, you HAVE to do this with firewall/routing rules.

Client Isolation blocks access between wireless devices connected to the same Access Point

1 Like

Firewall: 7 rules. VLAN: 2 minutes of work. DHCP on hotspots: 1 minute of work.
A total of 10 minutes of work and you have a secured network.
It doesn’t complicate anything, it doesn’t clog the network, and it doesn’t even allow broadcasting over the network, which results in one not being able to see the other.

Client isolation is not working on the local LAN, only on the hotspot!

1 Like

WLAN Groups Overrides:

wireless wlan 2
filter-list 1
exit
filter filter-list 1
filter precedence 1
layer2-filter permit mac (put the MAC of the Gateway here) any out //any-gw-allow
exit
filter precedence 2
layer2-filter deny mac any any out //any-net-deny
exit

Did you get a chance to try the override I posted?

Hi and sorry for taking forever to reply! I have no reason to doubt what you guys are saying. However, while navigating the cnMaestro WLAN configuration, client isolation gives me three options (not counting “Disable”):

  1. “Local” with the description “When selected, it prevents wireless clients connected to the same AP from communicating with each other in the same VLAN”
  2. “Network Wide” with the description “When selected, it prevents wireless clients connected to the same AP or different APs from communicating with each other which are in the same VLAN, Clients are allowed to communicate to gateway mac address automatically and also mac addresses listed in below MAC address table”
  3. “Network Wide Static” described as “When selected, clients are allowed to communicate only to list of mac addresses listed in below client isolation mac table”

According to the above options and descriptions given by cnMaestro, option 1 is the case you are referring to. I refer to option 2, which is supposed to do what I need.

Sorry, no, I did not try it yet as I was tied up with another project. Where do I insert this override? Do I do it per access point, or do I put it in cnMaestro somewhere?

cnmaestro
AP Groups
(Your Group)
Configuration
User-Defined Overrides

wlan 2 was my guess, since you said the SECOND SSID was the “guest Network”.
Then (your gateway’s mac) is where you have to enter the MAC address of the devices THAT SHOULD BE REACHED.

Thank you! It is better to do it when I am at the customer. I will be visiting the customer’s premises next week and I will give it a shot. I will let you know of the outcome.

@GaryHansen Sent that to me a while ago and I have been rolling it out where I can.

We still have a lot of bids that specifically had Unleashed on them… so been putting in a ton of those since the “Rush Promo”.

Hi @Wireland_ltd
Can you try the below?

  1. Enable Network Wide (cnMaestro - WLANs - WLAN - Client Isolation - choose “Network Wide” option from the drop-down menu - Save.)

  2. Select the AP in cnMaestro - Configuration - AP Group - Edit - User Defined Overrides - copy and paste the below -

    !
    wireless wlan 1
    client-isolation dynamic 
    client-isolation dynamic drop-arp
    !
    

    Save - Apply Configuration.

Note: wireless wlan 1 (if you have only one SSID configured, then it is wlan 1 by default; if you have multiple SSIDs, check Device Configuration or run the “show wireless wlans” command in the Remote CLI to find the respective WLAN number).

Now, can you run a scan on a client that is connected to wlan 1 and check whether it is able to discover the other clients connected to the same wlan 1?

1 Like
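An added example (not from the thread or from Cambium) of the check suggested above, written as a script to run from a laptop on the guest WLAN after the override is applied: it probes each host the guest should and should not be able to reach and reports any leak. The addresses, ports and device names are constructed placeholders. A practical detail worth noting: a TCP connection that is refused (RST) still proves the host answers at layer 2/3, so only a timeout or "no route" counts as isolated; with the layer-2 filter in place the guest cannot even resolve the victim's MAC, so probes to blocked hosts time out rather than being refused.

```python
"""Guest-WLAN isolation check (added example, not part of the original thread).

Run from a client on the guest SSID after enabling client isolation or the
layer-2 filter override. All hosts/ports below are assumed placeholders.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    host: str
    port: int
    should_reach: bool  # policy: True = guest may reach it, False = must be blocked


# Constructed policy matching the thread's requirement: guests may reach the
# gateway (internet) and the two printers, nothing else on the LAN.
GUEST_POLICY = [
    Target("gateway", "192.168.1.1", 53, True),
    Target("wired printer", "192.168.1.20", 9100, True),
    Target("wireless printer", "192.168.1.21", 631, True),
    Target("corporate file server", "192.168.1.50", 445, False),
    Target("corporate workstation", "192.168.1.100", 3389, False),
]


def tcp_probe(host, port, timeout=2.0):
    """Return True if the host answers at all.

    A refused connection means a RST came back, so the host is reachable even
    though the port is closed. Only a timeout or an OS error such as
    'No route to host' (ARP never resolved) counts as isolated.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except ConnectionRefusedError:
        return True
    except OSError:  # includes socket.timeout / TimeoutError
        return False
    finally:
        s.close()


def verify_isolation(policy, probe=tcp_probe):
    """Probe every target; return (target, reachable, ok) where ok means the
    observed reachability matches the policy."""
    results = []
    for t in policy:
        reachable = probe(t.host, t.port)
        results.append((t, reachable, reachable == t.should_reach))
    return results


def leaks(results):
    """Names of hosts the guest can reach but must not (the failure reported in
    the thread)."""
    return [t.name for t, reachable, _ in results if reachable and not t.should_reach]


if __name__ == "__main__":
    res = verify_isolation(GUEST_POLICY)
    for t, reachable, ok in res:
        print(f"{'OK  ' if ok else 'FAIL'} {t.name:24s} {t.host}:{t.port} "
              f"reachable={reachable} expected={t.should_reach}")
    if leaks(res):
        print("Isolation leak to:", ", ".join(leaks(res)))
```

Run it once before and once after applying the override; the "before" run should show the corporate hosts as FAIL (reachable), and the "after" run should show them isolated while the gateway and printers stay reachable. If a printer shows as unreachable after the change, its MAC still has to be added to the permit list, as the earlier reply notes.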

Does it work for the e600 too?

@Irakli Yes, it works in e600 AP.
The Client Isolation feature is available on all Cambium APs, regardless of hardware specifications.
It’s a standard policy across the entire Cambium AP product line.