Is client isolation worth it? How much does it increase security?

I’m wondering how much client isolation increases security. What attacks does it prevent? Assume that guests’ client devices are secured, because, well, they connect to many untrusted networks anyway. And under which circumstances is it worth the hassle to set client isolation up for multiple access points?

Setting up client isolation for a single access point, i.e. a guest SSID on a single access point, is easy in RouterOS and WifiWave2. The only question is whether forbidding client-to-client communication is of added net value. Does security increase more than the possible inconvenience for guest users?

Setting up client isolation for multiple access points is not so easy, especially if one wants to support 802.11r/k/v roaming, which requires clients to stay in the same subnet; otherwise the connection gets broken at L3 because of the changed IP, and this makes roaming / fast BSS transition useless.

I’ve found two options for achieving client isolation for multiple APs connected via switches to the router, where all access points are on the same subnet:

  • Private VLAN - force clients to communicate only with the uplink in the switches,
  • bridging without forwarding between different VLANs, one for each AP, on the router - separate VLANs in the switches.

The Private VLAN approach requires switches that can do it. I currently have a cheap Zyxel switch in the path between the router and the AP, which can’t do ACLs to force VLAN forwarding only to/from the uplink, and therefore it is impossible to use private VLANs. I could replace it with an RB260GSP and use an ACL with Redirect To Ports to achieve this. However, SwOS doesn’t support configuration export, which is quite discouraging for me - I love to back up human-readable configs to git.

The approach with a dedicated VLAN per access point doesn’t require ACLs or other advanced setup in the switches. It is just more hassle to set up on the router, and one should be cautious not to break L2 (Layer2 misconfiguration example). However, without forwarding between the bridged VLANs, it should be fine. There’s also an existing solution in the MikroTik forum topic multiple VLANs in the same subnet.

For home and SOHO networks, it’s probably not worth it. Though I’m also educating myself with these experiments and setups, and wondering whether it is heavily recommended somewhere, or even a mandatory requirement for compliance with something?

The third one is “split horizon” for the ports connecting the APs. Traffic cannot pass between ports with the same horizon value … and thus APs (and their clients) cannot talk to each other. And that’s true for bridged ports which are otherwise part of the same L2 network.
I’m not sure, but I guess not all switches support such functionality. So whatever you want to do about user separation, you’ll have to use LAN infrastructure gear that supports the functionality required for that. Which rules out dumb switches and some managed switches as well.
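As an added example (not from either poster, and not MikroTik documentation), here is how the two pieces discussed above fit together on a RouterOS router: the original post's "one VLAN per AP, bridged on the router without forwarding between VLANs" layout, and this reply's split-horizon rule that makes the bridge refuse AP-to-AP forwarding. The interface names, VLAN IDs 11/12/13, the 10.99.0.0/24 guest subnet, and the assumption that each AP's guest SSID arrives on trunk port ether2 tagged with its own VLAN ID (set on the AP or by the switch access-port PVID) are all assumptions for illustration. The wifi datapath lines cover the single-AP case from the question (RouterOS 7 wifi / WifiWave2), which horizon alone does not handle.

```routeros
# Added example: L2 guest isolation across several APs sharing one subnet.
# Assumed: trunk to the switches is ether2; AP1/AP2/AP3 guest SSIDs arrive
# tagged 11/12/13 (set either on the AP or by the switch access-port PVID).

# One VLAN interface per AP on the trunk.
/interface vlan
add name=vlan-guest-ap1 vlan-id=11 interface=ether2
add name=vlan-guest-ap2 vlan-id=12 interface=ether2
add name=vlan-guest-ap3 vlan-id=13 interface=ether2

# A single bridge holds all AP VLANs, so the guests share one L3 subnet
# (which is what 802.11r/k/v roaming needs) ...
/interface bridge
add name=br-guest

# ... but every AP port gets the same horizon value. The bridge never
# forwards a frame between two ports with equal horizon, so AP<->AP
# traffic is dropped while AP<->router (the bridge's own CPU port,
# which has no horizon) still works.
/interface bridge port
add bridge=br-guest interface=vlan-guest-ap1 horizon=1
add bridge=br-guest interface=vlan-guest-ap2 horizon=1
add bridge=br-guest interface=vlan-guest-ap3 horizon=1

# One subnet and one DHCP server for all guests, regardless of AP.
/ip address
add address=10.99.0.1/24 interface=br-guest
/ip pool
add name=pool-guest ranges=10.99.0.10-10.99.0.250
/ip dhcp-server
add name=dhcp-guest interface=br-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=10.99.0.0/24 gateway=10.99.0.1 dns-server=10.99.0.1

# Caveat 1: horizon only isolates APs from each other. Two guests on the
# SAME AP are forwarded by the AP itself, so isolation must also be set
# on the AP. RouterOS 7 wifi (WifiWave2) shown; legacy /interface wireless
# uses default-forwarding=no on the SSID instead. Apply the configuration
# to the radio with: /interface wifi set <iface> configuration=cfg-guest
/interface wifi datapath
add name=dp-guest client-isolation=yes
/interface wifi configuration
add name=cfg-guest ssid=Guest datapath=dp-guest

# Caveat 2: a guest can still send a frame to the router's MAC with another
# guest's IP as the destination; the router would route it straight back
# into br-guest. Drop hairpin forwarding inside the guest subnet.
/ip firewall filter
add chain=forward in-interface=br-guest out-interface=br-guest action=drop \
    comment="no guest-to-guest via the router"
```

To check it, `/interface bridge port print` should show `horizon=1` on every AP-facing port and nothing on the bridge itself, and `/interface bridge host print where bridge=br-guest` shows which AP VLAN each guest MAC was learned on. From two guests on different APs, ARP and ping to each other should fail while both still reach the gateway and the internet; if the ping succeeds only after the horizon is set but before the firewall rule, that is the hairpin path from Caveat 2.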

For SOHO/home? I think having VLAN segregation is sufficient, because each VLAN will have a unique IPv4 and IPv6 subnet, which helps with firewall ACLs, custom policy routing, NAT logging, etc.

I don’t do anything special personally for SOHO/home: plain VLANs and segregated IPv4/IPv6 subnets, and I’m good to go.

But for the telecom and ISP use case? Client isolation, either on PON or wireless, is generally mandated by law in most countries, and even if not, you still want to have client isolation on layer 2 to prevent CPEs/routers from talking to each other directly.

I have never seen “Private VLAN” in any organisation.
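For the SOHO approach this last reply describes (plain VLANs, one IPv4 and one IPv6 subnet each, firewall rules keyed on those subnets), here is an added RouterOS example; it is not the poster's own configuration. The port roles, VLAN IDs 10 and 20, the 192.168.x.0/24 subnets and the fd00::/8 ULA prefixes are assumptions for illustration. It uses bridge VLAN filtering and switches filtering on only after the VLAN table is complete, which is the ordering that avoids the "break L2 and lock yourself out" problem the original post warns about.

```routeros
# Added example: per-VLAN subnets with firewall segregation (SOHO style).
# Assumed ports: ether2 = trusted LAN access port (VLAN 10),
#                ether3 = guest AP access port (VLAN 20),
#                ether4 = 802.1Q trunk to a managed switch (VLAN 10 + 20).

# Bridge is created with VLAN filtering OFF; it is switched on last so the
# router stays reachable while the VLAN table is still being filled.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4

# VLAN table: the bridge itself is a tagged member so the router gets an
# L3 interface in each VLAN; only ether4 carries both VLANs tagged.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether4 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether4 untagged=ether3

/interface vlan
add name=vlan10-lan interface=bridge1 vlan-id=10
add name=vlan20-guest interface=bridge1 vlan-id=20

# Each VLAN gets its own IPv4 and IPv6 subnet, so every rule below can be
# written against an interface or a prefix instead of individual hosts.
/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.20.1/24 interface=vlan20-guest
/ipv6 address
add address=fd00:10::1/64 interface=vlan10-lan advertise=yes
add address=fd00:20::1/64 interface=vlan20-guest advertise=yes

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Guest -> LAN is blocked; LAN -> guest and guest -> WAN remain allowed.
add chain=forward in-interface=vlan20-guest out-interface=vlan10-lan action=drop
# Guests may only talk to the router itself for DHCP and DNS.
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=vlan20-guest protocol=tcp dst-port=53 action=accept
add chain=input in-interface=vlan20-guest action=drop

/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan20-guest out-interface=vlan10-lan action=drop
# ICMPv6 must stay open on input or router advertisements / ND break.
add chain=input in-interface=vlan20-guest protocol=icmpv6 action=accept
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53 action=accept
add chain=input in-interface=vlan20-guest protocol=tcp dst-port=53 action=accept
add chain=input in-interface=vlan20-guest action=drop

# Last step: turn VLAN filtering on, from a session on ether2 (VLAN 10),
# not from an address that will move into another VLAN.
/interface bridge
set bridge1 vlan-filtering=yes
```

Verify with `/interface bridge vlan print` (each VLAN should list `bridge1` among its tagged members, otherwise the matching `/interface vlan` interface carries no traffic) and then confirm from a guest client that 192.168.20.1 answers DNS, 192.168.10.0/24 is unreachable, and the internet still works. Note what this does and does not give you compared with the L2 isolation in the earlier replies: guests are separated from the trusted LAN, but two guests in VLAN 20 can still talk to each other unless the AP's own client isolation is also enabled.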