I made a “guest” network VLAN and have a WiFi connected to it. I have the WiFi set up to be “internet only” when I connect to the guest network, I can still access devices on my local network. How do you restrict traffic between VLAN’s?
Good morning! Would you mind sharing screenshots of your guest network and internet only WiFi settings?
Let me clarify, when you say you connect to the guest network and you can still see devices on your local network, are you connected with a WiFi device, or a wired device? Currently, the WiFi “internet only” setting only applies to devices that are connected via WiFi. Let me know and we can go from there!
I am connected on a WiFi device and can see a wired device. For Example, I connect to the guest VLAN via WiFi (192.168.63.xxx) and can ping a device wired to the default VLAN (192.168.1.xxx). If the VLANS are truly isolated, I shouldn’t be able to ping across VLAN’s, correct?
I am going to defer to the Alta team on this one. @Alta-Jeff can you help answer this one for us?
Ok. Thanks for the help!
@joelusi In this case, your client on guest WiFi will try to reach other subnets than its own via its default gateway, using the router’s MAC address. The guest filter on the APs is a layer-2 filter. You would need to disallow traffic explicitly on the router so that traffic between your guest VLAN and other VLANs is blocked. We’ll add an isolated VLAN feature in the near future to make this isolation easier.
Where do you restrict inter VLAN traffic in the router?
At this time it would be standard firewall rules of allowing your guest subnet access to the router, blocking your guest subnet from your other subnets(or RFC1918 subnets if you want to fully isolate it… this would be 3 rules currently), then a last rule allowing your guest subnet lan to wan access.
Make sure for Zone in and out, on the blocking rules, you choose Zone in “LAN”, Zone out “Any”.
There may be a more efficient way of doing it, but here is an example from my ruleset for my guest network:
It might be best then to have one of the Alta support team have a look at your site with you.
Please triple check they are set to Zone In: LAN, Zone out: *. If they are not set that way, the rules don’t apply and don’t work. That tripped me up for a while.
ok sounds good. Thank you for the help on Saturday! Ill give them a call on Monday