
Guest Wi-Fi: Client Isolation vs IoT, Chromecast, Google Home, and Printers

it_admin_452
New Contributor
I manage the Wi-Fi for a nursing home. We have a guest Wi-Fi which uses client isolation (with the gateway in the whitelist). The problem is we have more and more devices that don't work well (or at all) with client isolation: devices like printers, Chromecast, Google Home, and now some of the smart home devices. I'd like to have a guest Wi-Fi that anyone can use, that still supports client isolation when possible, but lets these new devices work without IT involvement for every single new device.

I'd like to know how others are managing this problem. How would you deal with this issue? One idea I have is if I can forward all my guest traffic to the gateway (which is my firewall), I can let it manage network traffic. I can then open certain ports used by these devices. I know I can forward traffic to my ZD, but this won't help me. I use a single ZD to manage APs in three different cities, so the latency would become an issue. I use a ZD3025 on 9.13.13.0 build 164 with R500 and R510 APs.

3 REPLIES

diego_garcia_de
Contributor III
Hi! I have a similar issue. The main problem is that client isolation will block the multicast-based discovery. Your gateway would have to implement some sort of mDNS gateway or some way to reflect the mDNS messages back. But then you have the issue of which Chromecast your guest can see (I'm sure you don't want ALL of them to appear). You could use the DPSK feature with "group DPSK" and assign a VLAN per DPSK, so that you have a single SSID but your Wi-Fi key becomes your VLAN identifier, and thus a single tenant can have all of their devices in a single VLAN.

(Not sure if it's supported on ZD or only on vSZ.)
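The reflection decision described in the reply above, as an added example that is not part of the original thread or of any Ruckus product: a gateway-side check that relays an mDNS query only when it is well-formed, asks for an allowed service type, and stays inside one tenant. The tenant identifiers, the allowlist contents and all function names are assumptions made for illustration.

```python
import struct
# Assumption: service types this site chooses to relay (not from the thread).
ALLOWED_SERVICES = {"_googlecast._tcp.local", "_ipp._tcp.local"}

def read_name(pkt, off, depth=0):
    """Decode the DNS name at off; return (lowercased name, next offset)."""
    labels = []
    while True:
        n = pkt[off]                      # IndexError if the packet is truncated
        if n == 0:
            return ".".join(labels).lower(), off + 1
        if n & 0xC0 == 0xC0:              # compression pointer
            if depth >= 5:                # stops pointer loops
                raise ValueError("pointer chain too deep")
            ptr = ((n & 0x3F) << 8) | pkt[off + 1]
            rest, _ = read_name(pkt, ptr, depth + 1)
            return ".".join(labels + [rest]).lower(), off + 2
        if n & 0xC0 or off + 1 + n > len(pkt):
            raise ValueError("bad or truncated label")
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def questions(pkt):
    """Return the names asked for in an mDNS query; [] for responses."""
    _id, flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    if flags & 0x8000:                    # QR bit set: a response, not a query
        return []
    off, names = 12, []
    for _ in range(qdcount):
        name, off = read_name(pkt, off)
        if off + 4 > len(pkt):            # QTYPE and QCLASS must follow
            raise ValueError("truncated question")
        names.append(name)
        off += 4
    return names

def should_reflect(pkt, src_tenant, dst_tenant):
    """Relay only well-formed queries for allowed services inside one tenant."""
    if src_tenant != dst_tenant:
        return False
    try:
        names = questions(pkt)
    except (ValueError, IndexError, struct.error):
        return False
    return bool(names) and all(n in ALLOWED_SERVICES for n in names)

def build_query(name):  # constructed sample: a one-question mDNS PTR query
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 12, 1)
```

Malformed or looping packets are dropped rather than relayed, so the reflector does not forward input it could not fully parse.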

alex_shalima
Contributor
Hi IT Admin,

A possible solution here is Dynamic VLANs.

That means VLANs get assigned for each individual unit. This means no more wireless client isolation; all clients that belong together end up on the same L2 (same VLAN). The technology implies some sort of authentication server; in many cases RADIUS does great.

There are several solutions out there you can implement, including FreeRADIUS. If you are looking for a turnkey commercial solution, look into Fusion Gateway.


Cheers,
Alex

diego_garcia_de
Contributor III
On vSZ, group DPSK provides the dynamic VLAN with the PSK being the "authentication" mechanism. No need for RADIUS and easy support for headless devices.