I'm working to setup a dual SSID configuration for the R200. The first SSID is for private access. The second SSID is intended for restricted guest access, that can only send and receive traffic out the gateway (not on the local network).
How are others achieving this?
Choosing "Isolated" on the Guest SSID [as shown below] only isolates clients on the same SSID from each other. Clients on the Guest SSID can still see LAN connected devices and Private WiFi connected devices.
I need some additional help here. So far, I have not found a reliable method to setup a guest SSID without separately binding that SSID to a different external VLAN, which is not a reasonable option.
Using pings to determine connectivity, I ran several tests of the AP Isolation feature.
First, this is how I would like a guest WLAN connection to behave:
With AP Isolation disabled, all communications between clients are successful:
At this time, AP Isolation only limits communication within a specific WLAN. I have not found any method for limiting a guest account to only have access to WAN communications. To more clearly understand the AP Isolation function (since various manufacturers have various methods of implementation and function), I tested each combination of isolation settings. When using AP Isolation with two WLANs, here are the three combinations I tested:
On other systems, it is common to have multiple DHCP servers and firewall rules to control communications between the various networks. Some APs have the ability to block traffic to specific IP addresses (including local ranges). Is there any current function that limits traffic for a "guest" network?
Right Now WiFi Guest Access feature is not available in R200 device. This feature is on our roadmap of R–Series Platforms.
Thank you for the update. This is an important feature that is fairly standard on consumer level routers. When providing a managed solution for a customer, they usually expect at least the level of performance they would get from a consumer grade unit.
Also, I couldn't find any clarification as to why there are two separate isolation options. What is the difference between Client Isolation and AP isolation? They mean the exact same thing for every other network vendor out there, why must Cambium complicate things?
I am always in favor of replying to a related thread / issue. I think it is silly to insist on starting a new thread when an old one regarding the same issue was never resolved.
I did not ever hear back about this, but I also never put any further effort into it - so I am not sure if it was ever actually resolved and just not noted here.
