Hotel and wifi isolation question
- 
 @scottalanmiller I'm not sure I understand your last post. Are you saying that on a Unifi setup with L2 isolation activated that clients can or can't talk to other clients on different APs even on the same SSID? Edit: So just playing with a spare Unifi AP, enabling "guest network" for a SSID fully isolates clients not only connected to the AP, but also all clients in the subnet even if those clients are plugged into a physical port on the switch. So the AP must drop all unicast destined frames which is nice. So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally. Next time I check into a hotel I'm going to fire up nmap and see how locked down they are. 
- 
 @biggen said in Hotel and wifi isolation question: I'm not sure I understand your last post. Are you saying that on a Unifi setup with L2 isolation activated that clients can or can't talk to other clients on different APs even on the same SSID? I'm saying that the default private isolation lets them talk to the gateway and nothing on the LAN whatsoever. 
- 
 @biggen said in Hotel and wifi isolation question: So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally. The point of the system is to remove the need for VLANs. 
- 
 @scottalanmiller said in Hotel and wifi isolation question: @biggen said in Hotel and wifi isolation question: So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally. The point of the system is to remove the need for VLANs. I'd still like a separate network for guest wifi and separate network for corporate trusted wifi. So, no, a vlan isn't needed I suppose. The two networks just need different subnets. 
- 
 @biggen said in Hotel and wifi isolation question: @scottalanmiller said in Hotel and wifi isolation question: @biggen said in Hotel and wifi isolation question: So my brainstorming becomes a rather trivial setup of placing all the APs onto one VLAN and make sure all APs are broadcasting the same SSID with guest network checked in the controller (for Unifi). Then downstream at the router, prevent the wifi guest VLAN from accessing any other VLAN internally. The point of the system is to remove the need for VLANs. I'd still like a separate network for guest wifi and separate network for corporate trusted wifi. So, no, a vlan isn't needed I suppose. The two networks just need different subnets. The guest traffic, in this case, is never on the network at all. It is end to end isolated to the firewall. Or you can think of it as automatic VLANs. But you don't need to deal with VLANs whatsoever if you don't want to. 
- 
 @scottalanmiller Yup I understand. But my brain would have a hard time dumping wifi guests and corporate services all in the same subnet even if it knew the guests were already isolated. Personally, I'd rather do two VLANs in this case. Would be easy to remember that wifi guests are on 10.100.100.0/24 and corporate is on 10.200.200.0/24.
- 
 @biggen said in Hotel and wifi isolation question: @scottalanmiller Yup I understand. But my brain would have a hard time dumping wifi guests and corporate services all in the same subnet even if it knew the guests were already isolated. Personally, I'd rather do two VLANs in this case. Would be easy to remember that wifi guests are on 10.100.100.0/24 and corporate is on 10.200.200.0/24. Personally, I'd do a /23 or /22, it's just not worth the headache of growth in the future... 
- 
 @dashrender said in Hotel and wifi isolation question: @biggen said in Hotel and wifi isolation question: @scottalanmiller Yup I understand. But my brain would have a hard time dumping wifi guests and corporate services all in the same subnet even if it knew the guests were already isolated. Personally, I'd rather do two VLANs in this case. Would be easy to remember that wifi guests are on 10.100.100.0/24 and corporate is on 10.200.200.0/24. Personally, I'd do a /23 or /22, it's just not worth the headache of growth in the future... Especially on the guest network. That can get a lot of devices really quickly. Any given guest room could easily hook up eight devices! 
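
Added example (not part of any poster's message): a small Python model of the two-layer design discussed above, showing which layer stops which guest flow, plus the subnet sizing point at eight devices per room. The two subnets come from the thread; the gateway address, the sample hosts, and the function names `decide` and `rooms_supported` are assumptions made for illustration.

```python
import ipaddress

# Subnets are the ones named in the thread; the gateway address is assumed.
GUEST = ipaddress.ip_network("10.100.100.0/24")
CORP = ipaddress.ip_network("10.200.200.0/24")
GUEST_GW = ipaddress.ip_address("10.100.100.1")

def decide(src, dst, ap_isolation=True, router_acl=True):
    """Return (verdict, layer) for a unicast flow from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST:
        return ("allow", "not-guest")  # this model only polices guest sources
    if dst == GUEST_GW:
        return ("allow", "gateway")    # guests must always reach their gateway
    if dst in GUEST:
        # Same-subnet traffic is switched at layer 2 and never reaches the
        # router, so only the AP's client isolation can stop it.
        return ("drop", "ap") if ap_isolation else ("allow", "l2-switched")
    # Everything else is routed: the router ACL blocks internal (private) ranges.
    if dst.is_private and router_acl:
        return ("drop", "router")
    return ("allow", "routed")

def rooms_supported(network, devices_per_room=8):
    """Guest rooms a subnet can serve at a given device count per room."""
    # Subtract the network, broadcast and gateway addresses.
    usable = ipaddress.ip_network(network).num_addresses - 3
    return usable // devices_per_room

if __name__ == "__main__":
    # Constructed sample flows: guest-to-guest, guest-to-corporate, guest-to-internet.
    for dst in ("10.100.100.30", "10.200.200.10", "1.1.1.1"):
        print(dst, decide("10.100.100.20", dst))
    for net in ("10.100.100.0/24", "10.100.100.0/23", "10.100.100.0/22"):
        print(net, rooms_supported(net), "rooms at 8 devices each")
```

With AP isolation turned off in the model, the guest-to-guest flow is allowed even though the router rule is still in place, which is why the router ACL alone does not isolate guests from each other.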
- 
 @scottalanmiller Or more if @scottalanmiller's family visits. 
- 
 @dafyre said in Hotel and wifi isolation question: @scottalanmiller Or more if @scottalanmiller's family visits. Fo sho! My kids each hook up a laptop, phone, Nintendo Switch, Amazon Tablet, iPad, and possibly more like instantly. 
- 
 @scottalanmiller said in Hotel and wifi isolation question: @dafyre said in Hotel and wifi isolation question: @scottalanmiller Or more if @scottalanmiller's family visits. Fo sho! My kids each hook up a laptop, phone, Nintendo Switch, Amazon Tablet, iPad, and possibly more like instantly. Well I mean the iPads are going bye-bye with this recent announcement from Apple, no? 
- 
 @dustinb3403 said in Hotel and wifi isolation question: @scottalanmiller said in Hotel and wifi isolation question: @dafyre said in Hotel and wifi isolation question: @scottalanmiller Or more if @scottalanmiller's family visits. Fo sho! My kids each hook up a laptop, phone, Nintendo Switch, Amazon Tablet, iPad, and possibly more like instantly. Well I mean the iPads are going bye-bye with this recent announcement from Apple, no? Yup. Xiaomi has a new tablet being announced THIS WEEK. I'm pretty excited. I hope that it is available quickly as I was about to buy an iPad for myself and this looks like a way better option. However, rumor is that no "mini" size is coming in the announcement this week  



