Some WiFi routers incorporate functions to isolate wireless and wired clients, this is ideal to provide security to the network and also to the WiFi and wired clients themselves, as it will prevent some of the main attacks on data networks, such as popular ARP Spoofing. In some routers we only have the AP Isolation option, which only affects the WiFi network so that wireless clients do not communicate with each other. However, other routers also allow you to isolate the wired network into a new subnet. Do you want to know everything about AP Isolation and Net Isolation ? Today we are going to explain both concepts in detail.
AP Isolation: isolation in WiFi network
AP Isolation is a feature of routers that allows you to isolate wireless clients from each other. If a WiFi client tries to connect to the Internet, with a wired computer or with a local NAS server that is connected via cable, it will be able to communicate without any problem, everything will work. If this same WiFi client tries to communicate with another wireless device within the same WiFi network, the communication will be denied, the communication is not allowed because AP Isolation what it does is isolate the wireless clients from each other , in order not to can communicate with each other.
Although this function is usually available and configured by default in the guest WiFi network of the routers, there are some manufacturers that in their firmware also allow this very interesting functionality to isolate the wireless clients from each other. For example, if we have an ASUS router, we should go to the ” Advanced / Wireless / Professional Configuration ” section, and we can enable the AP Isolation for the main WiFi network, either in 2.4GHz or 5GHz, since ASUS will allow us to configure it individually per frequency band.
In the case of other highly advanced and recommended routers, such as the AVM FRITZ! Box, we also have this configuration option available for the main network. In this case, if we activate AP isolation, it will affect both frequency bands (which would be normal, we are interested in making this option available in both bands). The configuration in this router is very simple, we activate the advanced configuration of the router in the upper right part, and we go to the “Wi-Fi / Security” section and we can see the option of “The active wireless devices displayed here will be able to communicate with each other “, if we disable this option then we will be enabling AP Isolation.
The most normal thing is that the router does not have the AP Isolation by default in the main network, so that the wireless clients can communicate with each other.
This same configuration option is also available in professional access points and WiFi controllers, usually this is called “Guest WiFi” when configuring an SSID.
By default, when we enable a guest WiFi network on our router, we will always have AP Isolation enabled, in fact, we may not even have the option to allow their communication between them, but this will depend on the firmware of the router in question.
Net Isolation: isolation in wired and WiFi network
The Net Isolation is a characteristic of the routers that allows to isolate the wireless and wired clients so that they cannot communicate with each other. If a WiFi client tries to communicate with a NAS server located in the main LAN, it will not be able to communicate because it will be isolated, the same happens if we have a wired client configured in a wired guest network, it will not be able to communicate with the main network.
Depending on the firmware of the router, we have mainly two policies:
- Communication using ebtables / iptables is denied between connected computers.
- A new subnet is created isolated from the main subnet, this method is the most elegant, to have all the clients “guests” in a new subnet.
For example, in the case of ASUS routers, the first option is used, ebtables / iptables are used to limit the communication of the different computers of the guest WiFi network with the main network. In the event that we are interested in having them access the LAN, we can always configure ” Intranet Access ” in the ” General / Guest Network ” section.
In the case of the AVM FRITZ! Box routers, the configuration of the WiFi and wired guest network is much more elegant and gives us more possibilities. For example, we can configure a private guest WiFi network, or create a public (open) WiFi network with authentication in a captive portal.
In this guest WiFi network, we can also enable or not the AP Isolation. We must bear in mind that AVM FRITZ! create a new subnet separate from the main one to accommodate all guests, and we could allow communication between them without problems. By default we have the best security, that is, we have AP Isolation enabled. If we want to disable it, we must click on the option “WiFi devices can communicate with each other.”
This AVM FRITZ! It also allows us to configure the LAN4 port for the guest network, it will have access to the Internet but not to the main local network. This is ideal for connecting one or more computers (using a switch) to the guest network and being completely separated from the main network. In the section “Local network / Network / Network configuration” you can see this very interesting configuration.
In the same section as the previous one, but at the bottom, we can click on «IPv4 addresses». Here we can change the subnet range of the main local network, and also of the secondary one that we have discussed previously. As you can see, the current network configuration is as follows:
- Primary local network: 192.168.188.0/24
- Guest network: 192.168.189.0/24
And between them the routing is not activated, therefore, from the guest WiFi network we will not be able to communicate with the main network, we will have fully isolated wireless and wired clients.
As you have seen, depending on the router used and its firmware, we will have more or less configuration options regarding AP Isolation and Net Isolation. Here is a short summary of both terms:
- AP Isolation activated + Net Isolation activated: there is isolation between the WiFi clients (they cannot communicate) and access to the main network is not allowed.
- AP Isolation enabled + Net Isolation disabled: there is isolation between WiFi clients (they cannot communicate) and access to the main network is allowed.
- AP Isolation disabled + Net Isolation enabled: WiFi clients can communicate with each other, but access to the main network is not allowed.
- AP Isolation disabled + Net Isolation disabled: WiFi clients can communicate with each other and access to the main network is allowed.
Depending on what interests us, in some routers we can make all these configurations. We hope that this guide has helped you and you have clarified the concepts of AP Isolation and Net Isolation as well.