What is "Smart Isolation"?
Smart isolation is a proprietary feature available on APs that allows you to restrict access to local resources for ephemeral Wi-Fi clients, such as Wi-Fi clients connected to a hotspot, a guest network, etc...
There are different levels of restriction, as explained below:
- Disabled (default):
Smart isolation is disabled. Clients are not restricted from accessing local resources, such as print servers. This is the correct option to choose if you trust the clients that will be connecting to your network.
- Internet access only:
Clients are only allowed to pass traffic to the network upstream from the AP's gateway. (This is generally "the internet"). This is the correct option to choose for hotspot users or users connecting to a guest network.
- LAN access only:
Clients can only reach other devices on the local network, but not beyond it. Note: This is not a commonly used option and used mainly in educational settings where you only want clients to access local resources.
- Internet-only (strict):
This is the same as "Internet access only", but with the additional restriction that users can not access resources or devices on any private network (192.168.0.0, 172.16.0.0, 10.0.0.0, etc...). This is useful if your AP is double NAT'ed and the network upstream from your AP's gateway is another private network.
How can I enable Smart Isolation?
You can enable Smart Isolation from the ecCLOUD site-level or device-level configuration pages.
If you want to enable it on one of your local subnets, go to the Local Networks tab:
If you want to enable it on your captive portal/hotspot, go to the Hotspot tab: