Guest isolation: how is it achieved?


  • Hello,

    I am considering AmpliFi as a wireless platform to achieve good coverage and seamless roaming, but also perfect isolation of guest WiFi. The network owner would like the UI/UX of AmpliFi as he's not really tech-savvy. Other AmpliFi capabilities aren't enough, so I'd use bridge mode with a more advanced device as a router, with Teleport for remote management 😉

    How exactly does guest isolation work under the hood, especially when the main AmpliFi device is in bridge mode?

    So far I have collected the following information – is it true?

    • (support chat) even in bridge mode, guests are in a separate subnet and the main AmpliFi device has DHCP and PAT for them,
    • (quote from chat on other forum) mesh points, wired or wireless, do not rely on an additional VLAN to connect guest WiFi to the main device, but use a GRE tunnel instead.

    Questions:

    • are all guests isolated from each other regardless of the AP and 2.4/5 band used?
    • is the AmpliFi device dropping connections to the LAN subnet before applying PAT?
    • (if yes to above) does it block access to other private subnets as well?
    • is the PAT IP (the one visible to the router) different than the main AmpliFi's LAN IP?
    • (if no to above) what outbound ports/services must be allowed on the router to let the AmpliFi main device use all features, while still filtering guest access from the PAT IP?