I've been looking for an AP that will allow me to separate wired from wireless in no uncertain terms. What I mean is no wireless client can access a wired client, period. Every time I've asked about this I've gotten a ton of stupid bullshit that really has nothing to do with what I'm looking for, and that is unconditional separation of wireless from wired. Most of the stuff on the market pushes the controller idea but, in reality, they all have local admin ability. For instance I'm using a Zyxel NWA210AX and they push the whole cloud controller idea with everything they sell but, it's not needed. Now, if you're messing with more than a handful of APs it does make it easier but, for most home uses you really only need 2-3 depending on the size / construction.
What are your goals? Speed? Capacity? Buy now and run it until it dies?
Right now I'm playing around with an M.2 card as an AP to get 802.11be for under $40 but, it's still a WIP from the driver side. The card I went with wasn't an "AP" model and they just released some firmware to enable the option this week, and it's been stumbling to remain stable even with updated firmware. I expect things to firm up a bit as time passes though and hopefully unlock ~5 Gbps speeds from it.
For a more reliable setup you could DIY AX/E options if you find the right cards. Personally I aim for Qualcomm based cards since they tend to be more stable and less flaky than RTL / MTK, and Intel doesn't do AP mode very well w/o some hacking to make it work.
Thanks. Tell me, how is it that a wireless client with an IP address of 192.168.40.xxx can access a wired client with an IP address of 192.168.10.xxx? This is my present dilemma.
It sounds like I'm in the "You're doing it wrong" camp, but I'm going to say it anyway. This is not a function of the AP. The AP does not function at layer 3 (which is where you need to control IP connections); it's a layer 2 device. That means it manages at the MAC address layer, like a switch.
You need to configure that access control into the firewall, not the AP. You can't do complete isolation of *all* wireless clients from *all* wired devices, because your Internet router / firewall is a wired device. If you were able to block all wired access, you'd end up not having Internet access (because the packets sent from wireless devices to the Internet have a "next hop" of the MAC address of the firewall or router, and the MAC is obtained using ARP - which is broadcast to everything on the same layer 2 network).
To achieve what I think you want, you have the wireless devices on a separate VLAN from wired. Let's say wired is VLAN 10, with IP subnet 192.168.10.0/24, you might make wireless VLAN 20, with IP subnet 192.168.20.0/24.
You have two interfaces on your firewall (either different physical interfaces, or VLAN interfaces) and you create firewall policies that block access between the two VLANs.
And pretty much all APs can handle that: you put your management for the AP on your management VLAN, and your SSID is matched up with a specific client VLAN (VLAN 20 above).
Either you have the subnet mask set larger than the typical /24 for the 192.168 network or your router is forwarding packets between subnets. As others have mentioned, VLANs are a cleaner way to separate networks, though that won't solve router forwarding.
Can you show your current network configuration / layout? You can draw a simple diagram with Draw.IO (you can take your fancy link investigation and correction, and shove it, thanks XenForo!) if you don't have a preferred tool. We'd need to see the following (you can exclude any cases that are "obvious" or that don't exist):
Chain INPUT (policy DROP 31850 packets, 6882623 bytes)
pkts bytes target prot opt in out source destination
36060007 33097593805 PERMIT-IN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 70 packets, 3712 bytes)
pkts bytes target prot opt in out source destination
3521360 3490087170 PERMIT-FWD 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 97 packets, 5044 bytes)
pkts bytes target prot opt in out source destination
14286524 37808038655 PERMIT-OUT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain PERMIT-FWD (1 references)
pkts bytes target prot opt in out source destination
3502128 3479806907 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
19162 10276551 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain PERMIT-IN (1 references)
pkts bytes target prot opt in out source destination
2551724 11364319419 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
3430107 282397811 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
30046326 21443993952 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain PERMIT-OUT (1 references)
pkts bytes target prot opt in out source destination
2551724 11364319419 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
2120769 24175335860 ACCEPT 0 -- * br0 0.0.0.0/0 0.0.0.0/0
9183529 2226842662 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
430405 41535670 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
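As an added example (not code from the thread), a small Python audit script that parses the `iptables -L -v -n` dump above, follows the FORWARD jump into PERMIT-FWD, flags the catch-all ACCEPT of `ctstate NEW` that is what lets the 192.168.40.x wireless client reach 192.168.10.x, and emits the DROP rules to insert in front of it. The wireless VLAN interface name `br0.40` is an assumption; the embedded dump is the FORWARD path copied from the post above.

```python
# FORWARD path from the `iptables -L -v -n` dump posted above, embedded so this runs offline.
DUMP = """\
Chain FORWARD (policy DROP 70 packets, 3712 bytes)
pkts bytes target prot opt in out source destination
3521360 3490087170 PERMIT-FWD 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain PERMIT-FWD (1 references)
pkts bytes target prot opt in out source destination
3502128 3479806907 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
19162 10276551 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
"""
ANY = "0.0.0.0/0"

def parse_dump(text):
    """Turn `iptables -L -v -n` output into {chain: [rule dicts]}."""
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "pkts" or current is None and f[0] != "Chain":
            continue                      # blank, column header, or junk before first chain
        if f[0] == "Chain":
            current = f[1]
            chains[current] = []
        else:                             # pkts bytes target prot opt in out src dst [matches]
            chains[current].append({"target": f[2], "in": f[5], "out": f[6],
                                    "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def open_forward_rules(chains, chain="FORWARD", seen=None):
    """ACCEPT rules reachable from FORWARD that admit NEW flows from any interface/subnet
    to any other: exactly the condition that lets VLAN 40 route into VLAN 10."""
    seen = set() if seen is None else seen
    if chain in seen: return []           # guard against chain loops
    seen.add(chain)
    hits = []
    for r in chains.get(chain, []):
        catch_all = r["in"] == r["out"] == "*" and r["src"] == r["dst"] == ANY
        if r["target"] == "ACCEPT":
            admits_new = "NEW" in r["extra"] or "state" not in r["extra"]
            if catch_all and admits_new:
                hits.append(dict(r, chain=chain))
        elif r["target"] in chains:       # follow jumps into user-defined chains
            hits += open_forward_rules(chains, r["target"], seen)
    return hits

def isolation_rules(wifi_if, wired_subnet):
    """DROP rules to insert ahead of the catch-all ACCEPTs (interface name is assumed)."""
    return [f"iptables -I FORWARD 1 -i {wifi_if} -d {wired_subnet} -j DROP",
            f"iptables -I FORWARD 1 -o {wifi_if} -s {wired_subnet} -j DROP"]
```

Run `open_forward_rules(parse_dump(DUMP))` to see the offending PERMIT-FWD rule; the two DROPs from `isolation_rules("br0.40", "192.168.10.0/24")` sit before it, so the wireless VLAN keeps its default route to the WAN while losing any path to the wired subnet.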
Cable labeling - I've yet to find a way to label network cables. All the solutions I've tried aren't permanent or are too clumsy to consider (like those tie wraps with the little pads you write on, which are way too small to be useful). Without labeled cables VLANs are impracticable.
I use coloring schemes.