Energy consumption is essentially the same, as it’s using the same radios.
For what it’s worth, I have several SSIDs, each on a separate VLAN:
my main one
Guest. Has internet access but is otherwise isolated - Guest devices can’t communicate with other guest devices or with any other VLANs.
IoT Internet: IoT and home automation devices that need internet access. Things like Ecobee thermostat, Google speakers, etc
IoT No Internet: Home automation stuff that does not need internet access. Security cameras, Zigbee PoE dongle (SLZB-06), garage door opener, ESPHome devices, etc
(to remotely access home automation stuff, I use Home Assistant via a Tailscale VPN)
Most of these have both 2.4Ghz and 5Ghz enabled, with band steering enabled to (hopefully) convince devices to use 5Ghz when possible.
This is on a TP-Link Omada setup with 2 x EAP670 ceiling-mounted access points. You can create up to 16 SSIDs I think.
A lot of access points, even consumer-grade ones, have this option. It’s usually accomplished via predefined firewall rules on the access points themselves.
Consumer-grade access points usually let you have just one isolated guest network, whereas fancier ones (Omada, Unifi, Ruckus, Aruba, etc) usually let you enable isolation for any SSID (ie the “guest network” is no different from any other SSID)
I’m not seeing anything there that says guests can’t see other guests - quite the opposite.
guests connected to your Hotspot Portal will be isolated from all other networks except the one they are assigned to.
Guests on this network are able to access the internet, and communicate with the UniFi gateway to obtain a DHCP lease and resolve names using DNS
I suppose a switch could be configured to prevent traffic going to other ports, which is how I would assume this would have to be done. This functionality would have to exist in the access point, I guess?
Does UniFi have a feature to isolate devices from each other on the same subnet? Seems like it would require some kind of Layer 2 routing?
What do you say is the use case for separating guest Wi-Fi with the more “private” stuff on your network?
As far as I understand… Basically all communications, even inside a network, are encrypted… So I guess you do that to avoid someone trying to exploit some vulnerability?
Energy consumption is essentially the same, as it’s using the same radios.
For what it’s worth, I have several SSIDs, each on a separate VLAN:
(to remotely access home automation stuff, I use Home Assistant via a Tailscale VPN)
Most of these have both 2.4Ghz and 5Ghz enabled, with band steering enabled to (hopefully) convince devices to use 5Ghz when possible.
This is on a TP-Link Omada setup with 2 x EAP670 ceiling-mounted access points. You can create up to 16 SSIDs I think.
How do you accomplish this isolation since they’re on the same subnet/broadcast domain? Is it a feature of the hardware you’re using?
A lot of access points, even consumer-grade ones, have this option. It’s usually accomplished via predefined firewall rules on the access points themselves.
Consumer-grade access points usually let you have just one isolated guest network, whereas fancier ones (Omada, Unifi, Ruckus, Aruba, etc) usually let you enable isolation for any SSID (ie the “guest network” is no different from any other SSID)
Isolated guest networks I get, but isolating guests from other guests on the same subnet/isolated net is what I haven’t seen.
For Unifi devices you setup a Virtual Network then assign the guests to that. https://help.ui.com/hc/en-us/articles/115000166827-UniFi-Hotspot-Portal-and-Guest-WiFi
I’m not seeing anything there that says guests can’t see other guests - quite the opposite.
I suppose a switch could be configured to prevent traffic going to other ports, which is how I would assume this would have to be done. This functionality would have to exist in the access point, I guess?
Does UniFi have a feature to isolate devices from each other on the same subnet? Seems like it would require some kind of Layer 2 routing?
It does. I have it enabled and tested. “Client Device Isolation.” It’s enabled per SSID.
Oh, neat. I’ll have to look into it.
Thanks!
That was an amazing read. Thank you.
What do you say is the use case for separating guest Wi-Fi with the more “private” stuff on your network?
As far as I understand… Basically all communications, even inside a network, are encrypted… So I guess you do that to avoid someone trying to exploit some vulnerability?
LOL, oh no.
Even internet traffic isn’t encrypted by default.
Sadly TCP/IP isn’t encrypted.