Client isolation - is this possible?

I have a CRS125-24G-1S-2HnD-IN wireless router and I’m looking to do some VLAN separation, but if I can do client isolation I can narrow it down from four VLANs to three. (One is my main where my PCs/tablets/phones reside, another is for guests, then IoT, and lastly a separate VLAN for a couple of wireless security cameras that need no internet access.)

What I’d like to do is have guests and IoT devices on one VLAN where they can’t talk to each other but can talk to the internet. Ideally I’d be able to figure out exactly where the IoT needs to talk and limit them to just that, but the main idea is to keep them from scouring my network.

I’m also going to be putting up a couple of 2.4 GHz/5 GHz wireless APs in my house for better coverage, and they support VLANs as well, so I’m not sure it’s possible to do through them; at least not without making multiple VLANs and SSIDs.

Any help/thoughts are appreciated!

You need to set rules in the firewall filter forward chain. First, use only two rules:

rule 1: allow related, established
rule 2: drop all

Now, between these two, add a separate rule for each VLAN you want, for example for vlan10:

allow internet only:
/ip firewall filter add chain=forward in-interface=vlan10 out-interface=wan action=accept

allow to communicate with all others:
/ip firewall filter add chain=forward in-interface=vlan10 action=accept
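The scheme in this answer written out as a complete forward chain, as an added example rather than configuration posted in the thread. It assumes ether1 is the WAN port and that vlan10 (main), vlan20 (guest), vlan30 (IoT) and vlan40 (cameras) are the router's VLAN interfaces, matching the four networks the question describes; the address-list entries are constructed placeholders. It goes a step beyond the answer by restricting the IoT VLAN to a list of cloud addresses and by giving the camera VLAN no accept rule at all, which is what "no internet access" comes down to in this model.

```routeros
# Added example, not from the thread. Assumed interface names: ether1 is the
# WAN port; vlan10 = main, vlan20 = guest, vlan30 = IoT, vlan40 = cameras are
# /interface vlan interfaces on the router. Rename to match your setup.

# Destinations the IoT devices may reach. Constructed example entries; fill
# these from the vendor's documented cloud endpoints or from a packet capture.
/ip firewall address-list
add list=iot-cloud address=203.0.113.0/24 comment="vendor cloud (example)"
add list=iot-cloud address=198.51.100.53 comment="vendor NTP/DNS (example)"

/ip firewall filter
# Rule 1 from the answer: return traffic for connections already accepted.
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Per-VLAN policy goes between the two rules the answer describes.
# Main VLAN may reach the internet and every other VLAN (so you can still
# administer the cameras and IoT gear from your own PC).
add chain=forward in-interface=vlan10 action=accept comment="main: anywhere"

# Guest VLAN: internet only. Nothing toward the other VLANs is accepted.
add chain=forward in-interface=vlan20 out-interface=ether1 action=accept \
    comment="guest: internet only"

# IoT VLAN: only the listed cloud endpoints, and only out the WAN.
add chain=forward in-interface=vlan30 out-interface=ether1 \
    dst-address-list=iot-cloud action=accept comment="iot: cloud only"

# Camera VLAN: deliberately no accept rule. The cameras cannot start a
# connection anywhere; the main VLAN reaches them through the vlan10 rule and
# the replies come back through established/related.

# Rule 2 from the answer: everything not accepted above is dropped. Logging
# the drops makes it easy to see what an IoT device tried to reach.
add chain=forward action=drop log=yes log-prefix="fwd-drop " comment="drop all"
```

Two things to keep in mind when using this: order matters, so the per-VLAN accepts must sit above the final drop, and traffic to the router itself (DHCP, DNS, the web UI) goes through the input chain, not forward, so these rules neither permit nor block it; lock the input chain down separately. Watching the `fwd-drop` log entries for a day is the practical way to build the iot-cloud list.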

Thanks Sash, I found that my two WAPs (EnGenius) both have “station separation” or “client isolation” at the wireless level, which is what I was looking for in the first place - however once they hit the wired network all bets are off. What I’ll probably end up doing is making separate VLANs for each one so there can’t be any cross-talk; they’ll all be pointed out to the internet but not have any access to each other. Also allows me to put in firewall rules that only allow devices to communicate with their cloud providers. (This is to isolate IoT devices on my network.)

The client isolation at the WiFi level is governed by the “default forward” checkmark in the (virtual) AP. When you leave that off, there is no forwarding between clients but they can still connect to outside. Indeed, once they are in the router they can route anywhere, so you need to have firewall rules to prevent that as well.
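How the “default forward” setting fits together with one SSID per VLAN on the CRS125's own 2.4 GHz radio, as an added example and not configuration from the thread. Assumed names: wlan1 for the built-in radio, bridge1 for the bridge, VLAN 10/20/30 for main/guest/IoT (the same numbering the forward-chain rules would use), and placeholder pre-shared keys that must be changed.

```routeros
# Added example, not from the thread. Assumes the built-in radio is wlan1,
# the bridge is bridge1, and VLAN 10 = main, 20 = guest, 30 = IoT.
# The pre-shared keys are placeholders.

/interface wireless security-profiles
add name=main-sec mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="change-me-main"
add name=guest-sec mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="change-me-guest"
add name=iot-sec mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="change-me-iot"

/interface wireless
# Master radio carries the main SSID; clients here may talk to each other,
# so default-forwarding stays on.
set wlan1 ssid="Home" mode=ap-bridge security-profile=main-sec \
    vlan-mode=use-tag vlan-id=10 default-forwarding=yes disabled=no
# Virtual APs for guest and IoT. default-forwarding=no is the "default
# forward" checkmark left off: the AP will not relay frames between its own
# clients. vlan-mode=use-tag puts each SSID's frames into its own VLAN.
add name=wlan-guest master-interface=wlan1 ssid="Home-Guest" \
    security-profile=guest-sec vlan-mode=use-tag vlan-id=20 \
    default-forwarding=no disabled=no
add name=wlan-iot master-interface=wlan1 ssid="Home-IoT" \
    security-profile=iot-sec vlan-mode=use-tag vlan-id=30 \
    default-forwarding=no disabled=no

/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan-guest
add bridge=bridge1 interface=wlan-iot

# Each VLAN is tagged on the radio that emits it and on the bridge itself, so
# the router's vlan10/vlan20/vlan30 interfaces (created on bridge1) see it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,wlan1
add bridge=bridge1 vlan-ids=20 tagged=bridge1,wlan-guest
add bridge=bridge1 vlan-ids=30 tagged=bridge1,wlan-iot

# Turn filtering on last, once the VLAN table is complete, to avoid locking
# yourself out of the management VLAN.
/interface bridge set bridge1 vlan-filtering=yes
```

The wired EnGenius APs join the same design by adding their trunk ports to the tagged list of each VLAN they carry. The limit of default-forwarding is exactly the “once they hit the wired network” point above: it only stops clients of the same AP, so two clients in one VLAN on different APs are bridged to each other and the L3 firewall never sees that traffic. That is why one VLAN per class of device, plus the forward-chain rules, is the dependable way to keep them apart.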