Is it possible to allow clients of the same VLAN to see each other even if they connect to different SSIDs with the same name?

1

My home wireless access point is a Buffalo AirStation Pro (WAPS-APG600H), which is a "Concurrent Dual Band Wireless Access Point". It has two bands, labelled 11g and 11a, with an ability to set up different SSIDs on each (up to four on each band).

Logically I want two VLANs (a "normal" one and a "dmz" one), and I want to keep both 11g and 11a bands up, so that devices that can benefit from 11a could do so.
So I created two SSIDs under each band, with identical names:


The idea was that the person sees two networks on their device, gserg-w and gserg-w-dmz, and then the device transparently selects the fastest network it's compatible with.

That works as intended, but clients connected to gserg-w on 11g cannot see clients connected to the same gserg-w, but on 11a.

I understand it's because of the "Wireless Client Isolation" setting which is currently set to "SSID Isolation," and even though both VLANs are named gserg-w and have the same VLAN ID, they are still considered different networks, so isolation applies.

I want logical isolation between VLANs with different numbers (1, 2), but I don't want any isolation between VLANs with the same number that come from different bands (11g, 11a).
That is, I want all clients of gserg-w to see each other, regardless of whether they connect to a or g, but neither of them should be able to see any clients of gserg-w-dmz, again, regardless of a or g.

Is it a common scenario/possible to set up by playing with VLAN IDs, modes (Untagged/Multiple) or something else?
Or is my only option to disable client isolation on the access point level, connect it to a router (the access point has two Ethernet ports, so the router will be able to tell them apart) and set up firewall rules in the router?

GSerg

Posted 2016-03-25T18:10:19.950

Reputation: 599

Answers

1

To answer the question in your title:

If two* APs are publishing two different SSIDs but still bridging client traffic onto the same VLAN in the standard, straightforward manner, then clients of those SSIDs will be able to see each other.

[*two: A single box that can publish multiple SSIDs, or the same SSID but on different channels/bands, is technically acting as multiple APs per the language of the IEEE 802.11 standard, even if it's all in one box.]

If that's not working with your particular brand/model of equipment, then that's a matter of figuring out what kind of proprietary filtering or other traffic-manipulation your vendor is doing to your traffic. Your question becomes: What exactly is my Buffalo AirStation Pro doing to my traffic when I have "Wireless Client Isolation: SSID Isolation" enabled, but with both SSIDs bridged to the same VLAN? But that's a different question than what you put in your title.

Spiff

Posted 2016-03-25T18:10:19.950

Reputation: 84 656

Ok, so the standard behaviour is what I expect (and do not get). How would I approach learning exactly what my Buffalo AirStation Pro is doing to my traffic, given that it's too late to monitor that as soon as the traffic leaves the Ethernet ports? Also, if I disable Wireless Client separation and move that function to the router, will the different clients still be able to see each other because the AP will let them before the router can interfere? – GSerg – 2016-03-25T20:26:33.437
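One way to approach the black-box question raised in the comment above, as an added example that is not part of the original thread: put test clients on each band/SSID combination, record which pairs can reach each other, and see which candidate forwarding policies still fit. The policy names are hypothetical labels rather than Buffalo settings, and the single observation is constructed from the symptom the question reports.

```python
from itertools import combinations_with_replacement

# Constructed model of the question's four BSSes: (band, SSID) -> VLAN ID.
BSS_VLAN = {
    ("11g", "gserg-w"): 1, ("11a", "gserg-w"): 1,
    ("11g", "gserg-w-dmz"): 2, ("11a", "gserg-w-dmz"): 2,
}

# Candidate layer-2 forwarding policies. The names are hypothetical labels,
# not Buffalo settings. Each says whether a client on BSS x reaches one on y.
POLICIES = {
    "bridge_by_vlan": lambda x, y: BSS_VLAN[x] == BSS_VLAN[y],  # what the asker wants
    "flat_bridge": lambda x, y: True,            # no isolation at all
    "isolate_per_bss": lambda x, y: x == y,      # only same band + same SSID
    "isolate_all_clients": lambda x, y: False,   # no client-to-client traffic
}

def consistent_policies(observed):
    """Names of the policies that agree with every observed (x, y) -> reachable."""
    return sorted(name for name, rule in POLICIES.items()
                  if all(rule(x, y) == ok for (x, y), ok in observed.items()))

def next_probe(observed):
    """An untested BSS pair on which the remaining candidates disagree, else None."""
    tested = {tuple(sorted(pair)) for pair in observed}
    live = consistent_policies(observed)
    for pair in combinations_with_replacement(sorted(BSS_VLAN), 2):
        if pair not in tested and len({POLICIES[n](*pair) for n in live}) > 1:
            return pair
    return None

# Constructed observation: the symptom reported in the question.
OBSERVED = {(("11g", "gserg-w"), ("11a", "gserg-w")): False}

if __name__ == "__main__":
    print("still possible:", consistent_policies(OBSERVED))
    print("test next:", next_probe(OBSERVED))
```

Each new ping result between two test clients goes into `OBSERVED`; when `next_probe` returns `None`, no further pair can distinguish the remaining candidates.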