How to isolate Wi-Fi clients from LAN resources

The "Isolate from LAN" feature prevents Wi-Fi clients from reaching hosts connected to the same network that connects the access point to the Internet, allowing only the network gateway and, of course, any Internet destination.

To enable this feature, open the configuration of the desired SSID, select "Internet Connection", create or modify any NAT group, and ensure that the "Isolate from LAN" option is enabled.


To better understand the feature, consider this example:
If the network is using an IP addressing configuration like this,
192.168.1.X/24 

also displayed like this
192.168.1.0
255.255.255.0

the Gateway is configured with this IP address,
192.168.1.1

the Classic Hotspot access point has this configuration,
192.168.1.100

and there are these devices connected to the same network by Ethernet cables:
  • HOST-A (e.g. a server), with IP address
192.168.1.101
 
  • HOST-B (e.g. a printer), with IP address
192.168.1.102
 
  • HOST-C (e.g. a POS), with IP address
192.168.1.103



The configuration of the Classic Hotspot access point for the desired SSID will be similar to this:


[Image: Step-by-step guide to isolate Wi-Fi clients from LAN resources. This option prevents Wi-Fi clients from accessing hosts other than the gateway, providing layer-3 (IP) isolation.]



If the "Isolate from LAN" option is activated, the clients connected to the SSID will obtain an IP address within the 10.0.0.x range (from 10.0.0.2 to 10.0.0.254), and they will not be able to reach any of the HOSTs described above.

They will only be able to reach the Internet through the LAN gateway (in this case the device with IP address 192.168.1.1).

 

NOTE
The "Isolate from LAN" option basically creates an internal firewall rule that denies any connection to IPs other than the gateway, providing Layer-3 isolation among hosts. 

 

CAUTION
This also means that traffic to other subnets (e.g. to/from an IP in the 192.168.123.X/24 range) will not be blocked, as they are not strictly part of the same LAN to which the AP is connected.
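
The effect of the rule on the example network above, including the gap described in the caution, modelled as an added Python example (not the access point's own firewall code). The function names and the decision logic are assumptions drawn from this article's description, and the 203.0.113.10 destination and the subnet inventory are constructed samples.

```python
import ipaddress

# Values from the article's example network.
AP_LAN = "192.168.1.0/24"
GATEWAY = "192.168.1.1"


def isolation_verdict(dst, ap_lan=AP_LAN, gateway=GATEWAY):
    """Hypothetical model of "Isolate from LAN" as the article describes it:
    deny the AP's own LAN except the gateway, allow everything else."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == ipaddress.ip_address(gateway):
        return "allow"  # the gateway stays reachable
    if dst_ip in ipaddress.ip_network(ap_lan):
        return "deny"   # any other host on the AP's uplink LAN
    return "allow"      # other subnets and the Internet, via the gateway


def uncovered_subnets(internal_subnets, ap_lan=AP_LAN):
    """Return internal IPv4 subnets that lie (at least partly) outside the
    AP's LAN, so the option alone does not block them; these need a deny
    rule on the gateway or an upstream firewall."""
    lan = ipaddress.ip_network(ap_lan)
    return [
        str(net)
        for net in map(ipaddress.ip_network, internal_subnets)
        if not net.subnet_of(lan)
    ]


if __name__ == "__main__":
    # Gateway, HOST-A and HOST-B are from the article; 192.168.123.10 sits in
    # the caution's example range; 203.0.113.10 is a constructed sample.
    for dst in ("192.168.1.1", "192.168.1.101", "192.168.1.102",
                "192.168.123.10", "203.0.113.10"):
        print(f"{dst:<16} {isolation_verdict(dst)}")
    # Constructed inventory of internal ranges to audit.
    print(uncovered_subnets(["192.168.1.0/24", "192.168.123.0/24"]))
```

Any subnet that `uncovered_subnets` returns stays reachable from the isolated SSID unless the gateway or another firewall blocks it.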

 
