Legacy Open Mesh: Why are Client Isolation and Roaming VLANs Not Compatible With Each Other?
Question
Why are Client Isolation and Roaming VLANs not compatible with each other?
Environment
- Datto Networking
Answer
When Roaming VLAN and Client Isolation are enabled, and the network has repeaters, a banner will display advising that Roaming VLANs and Client Isolation are not compatible.
This is due to how traffic is handled when it is isolated, routed over Roaming VLANs and then sent over the wireless mesh. This will eventually result in client traffic becoming blocked in one direction. Most frequently this results in a client device failing to receive an IP address when connecting to a repeater.
Since this behavior is not related to an actual bug, but is instead inherent to each feature's design, the only workaround at this time is to ensure both features are not enabled at the same time.
For most networks, turning off Roaming VLANs is recommended, as roaming is typically less of a concern than the security concerns that might arise from turning off Client Isolation. Roaming VLANs can be easily turned off under Configure -> Advanced -> Roaming VLANs.
Client Isolation is a per-SSID setting. If turning off Client Isolation, ensure it is turned off on all SSIDs.
We are investigating alternative roaming solutions that would be compatible with Client Isolation, but there is no current estimate as to when those solutions may become available.
Note: Networks running versions of the 6.2 firmware may not notice this issue. However, this is due to a bug with Client Isolation not functioning correctly. Client Isolation was fixed in 6.3.13+ firmware, which is how this compatibility issue was found.
Note 2: Disabling Roaming VLANs while running 6.1 or 6.2 firmware or earlier will disable the splash page due to a bug. This bug will not be fixed in 6.1 or 6.2 firmware. Please upgrade the network to 6.3+ firmware to avoid this bug.
Example of turning off Roaming VLANs under Configure -> Advanced.