I have a mesh network with system default guest network activated. The problem is guests can connect to the ethernet port of any wifi point and be assigned an IP address from my main LAN so bypassing the guest network. Since SRM does not support 802.1x ethernet authentication (only wireless through radius server) I wonder if
I can deploy the mesh network on a separate VLAN so that my MR2200AC WIFI points broadcast only the VLAN SSID and connecting to the ethernet port of my MR2200AC WIFI points I get an IP address from the VLAN. Is this possible?

My set up: 1 RT2600AC and 3 MR2200AC with SRM 1.3

Thank you in advance for any suggestion.

Welcome to the forum.

From what I read you have your mesh setup and working. The question is: if people have physical access to any of the routers (primary or mesh AP) and plug an Ethernet cable from their device to one of the LAN ports (or WAN in the case of a mesh AP), is there a way to stop them getting assigned access to the primary network?

I don't think there is a way to configure the mesh AP LAN ports to use specific VLANs, or disable the LAN port completely. But I wonder if there are a couple of ways to do something.

1. Configure the primary network to be useless: use the SRM firewall to block access to the Internet and other VLANs. This will force wired devices to have to use VLAN tags when connecting and most (devices and people) won't be capable of doing this.
2. Use wired back haul from the mesh APs to a primary router's LAN port that has been specifically assigned to a different VLAN. Any devices connecting to the mesh AP's other LAN ports will get placed on this VLAN.

Something like that might work, I haven't tried it. But you have a good point about the need to have more configurability for the physical ports and have this stretch to the mesh APs, which are today treated as expensive, dumb devices.

Thank you. Yours are very good suggestions. I also thought of buying a second RT2600AC and have this manage the guest network as its primary network. And move all the mesh wifi points to this network. This second router would have an IP assigned by the primary network of the first router to its WAN. This seems to me th cleanest way to do it (albeit more expensive). I can have essentially two mesh networks (if I want).

If that’s all you want to do, why not reconfigure all the MR2200ac as a guest network. You’d use one of the MR2200ac as the primary router of this network. There’s no need to buy new primary router.

fredbert said:

If that’s all you want to do, why not reconfigure all the MR2200ac as a guest network. You’d use one of the MR2200ac as the primary router of this network. There’s no need to buy new primary router.

Click to expand...

Interesting. Had not thought about it. Thank you. I will try