Why are Client Isolation and Roaming VLANs not compatible with each other?
Question
Datto Networking: Why are Client Isolation and Roaming VLANs not compatible with each other?
Environment
- Datto Networking
Answer
When Roaming VLAN and Client Isolation are enabled, and the network has repeaters, a banner will display advising that Roaming VLANs and Client Isolation are not compatible.
This is due to how traffic is handled when it is isolated, routed over Roaming VLANs and then sent over the wireless mesh. This will eventually result in client traffic becoming blocked in one direction. Most frequently this results in a client device failing to receive an IP address when connecting to a repeater.
Since this behavior is not related to an actual bug, but is instead inherent to each feature's design, the only workaround at this time is to ensure both features are not enabled at the same time.
For most networks, turning off Roaming VLANs is recommended, because roaming is typically less of a concern than the security concerns that might arise from turning off Client Isolation. Roaming VLANs can be easily turned off under Configure -> Advanced -> Roaming VLANs.
Client Isolation is a per-SSID setting. If turning off Client Isolation, ensure it is turned off on all SSIDs.
We are investigating alternative roaming solutions that would be compatible with Client Isolation, but there is no current estimate as to when those solutions may become available.
Example of turning off Roaming VLANs under Configure -> Advanced.