AP Isolation ... not really?

  • August 29, 2025
  • 2 replies
  • 102 views

I have my primary home WiFi network set for ‘AP Isolation’ (the checkmark on the admin GUI) in my G36. Why then is my PC seeing UDP [broadcast] packets from other IP addresses connected to that network? By that I’m not asking why other hosts are sending this stuff; why is the router forwarding them? I thought the idea of isolation technology was the router would refuse to forward virtually everything between hosts on such an ‘isolated’ network. Perhaps the response could summarize what is expected to be blocked by the gateway. Thanks.

Best answer by SURFboard Moderator

You're absolutely right to expect that AP Isolation (also called Client Isolation) should prevent devices on the same WiFi network from communicating directly with each other.

When enabled, AP Isolation is supposed to:

  • Block direct unicast traffic between devices on the same SSID.
  • Prevent devices from discovering or accessing each other (e.g., file sharing, casting, etc.).

Even with AP Isolation, broadcast and multicast traffic is often not blocked. These packets are sent to all devices on the subnet, and some routers forward them regardless of isolation settings.

Even though your G36 modem-router combo has AP Isolation enabled, it likely does not treat multicast or broadcast traffic as peer-to-peer, so it still forwards those packets to all devices on the same subnet.

The G36 may intentionally allow multicast traffic even when AP Isolation is turned on. This is because smart features like:

  • Chromecast / Google Cast
  • AirPlay / Apple Bonjour
  • Smart TV discovery
  • Printer and file sharing

depend on multicast protocols like mDNS to find and connect to other devices. So, the router forwards these packets to support those features — even if it means devices can still “see” each other.

 

This topic has been closed for replies.

2 replies

  • Author
  • August 30, 2025

Unfortunate that I didn’t add this in the initial question, but one of the most frequent such packets is multicast DNS (UDP to reserved address 224.0.0.251). For me, these messages are almost the definition of what I’d want blocked by the router if I enable isolation. They come from nosy hosts on the LAN who want to know what else is connected, often with no functional justification for having that information. Without isolation working, each other host on the LAN has to be in some way ‘hardened’ to reject/refuse these messages. My PC rejects them with Windows Firewall, but I doubt my phone has any provisions for similar rejection. Unsurprisingly, my worse offender is a “smart” TV.
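The distinction the accepted answer draws (peer-to-peer unicast dropped, broadcast and multicast forwarded anyway) and the mDNS traffic to 224.0.0.251 that the reply above complains about, as an added example that is not part of this thread and not ARRIS code: a small offline checker that classifies a destination address the way a client-isolating AP is commonly expected to treat it, decodes the questions in an mDNS query so you can see which services a "nosy" host is probing for, and, if you want to confirm the forwarding behaviour on your own SSID, joins the mDNS group and prints who is asking for what. The subnet 192.168.0.0/24, the gateway 192.168.0.1, the service names and every packet byte below are constructed for the example, not values taken from the G36 or this page.

```python
# Added example (not from the thread or ARRIS): classify what client isolation
# is expected to drop vs. forward, and decode the mDNS queries (UDP to
# 224.0.0.251:5353) that get forwarded anyway. Subnet, gateway and all packet
# bytes are constructed assumptions, not values from the G36 page.
import ipaddress
import socket
import struct
import time

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
PTR = 12  # qtype used by DNS-SD service discovery ("who offers _googlecast._tcp?")


def isolation_verdict(dst_ip, subnet="192.168.0.0/24", gateway="192.168.0.1"):
    """Common expectation for a client-isolating AP: peer unicast is dropped,
    unicast to the gateway must pass, broadcast/multicast is often forwarded."""
    ip = ipaddress.ip_address(dst_ip)
    net = ipaddress.ip_network(subnet, strict=False)
    if ip.is_multicast:
        return "multicast: usually forwarded"
    if ip == net.broadcast_address or str(ip) == "255.255.255.255":
        return "broadcast: usually forwarded"
    if ip == ipaddress.ip_address(gateway):
        return "unicast to gateway: allowed"
    return "unicast to peer: blocked"


def _read_name(data, offset):
    """Decode a DNS name, following RFC 1035 compression pointers. Returns
    (dotted name, offset just past the name in the original byte stream)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # 2-byte pointer to an earlier name
            jumps += 1
            if jumps > 16:
                raise ValueError("pointer loop in DNS name")
            end = offset + 2 if end is None else end
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset if end is None else end


def mdns_questions(payload):
    """(name, qtype) for each question in a DNS/mDNS query; [] for responses."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount = struct.unpack_from("!3H", payload, 0)
    if flags & 0x8000:                     # QR bit set: a response, not a query
        return []
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = _read_name(payload, offset)
        qtype, _qclass = struct.unpack_from("!HH", payload, offset)
        offset += 4
        questions.append((name, qtype))
    return questions


def build_mdns_query(names, qtype=PTR):
    """Encode the service-discovery query a casting app or smart TV multicasts."""
    body = b""
    for name in names:
        for label in name.split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", qtype, 1)   # class IN, QM question
    return struct.pack("!6H", 0, 0, len(names), 0, 0, 0) + body


# Hand-built query whose second name reuses "_tcp.local" via a pointer to offset 21.
SAMPLE_COMPRESSED = (struct.pack("!6H", 0, 0, 2, 0, 0, 0)
                     + b"\x08_airplay\x04_tcp\x05local\x00" + struct.pack("!HH", PTR, 1)
                     + b"\x0b_googlecast\xc0\x15" + struct.pack("!HH", PTR, 1))

# Constructed capture (src, dst, UDP payload) as a sniffer on the SSID might record it.
SAMPLE_CAPTURE = [
    ("192.168.0.23", MDNS_GROUP, build_mdns_query(["_googlecast._tcp.local"])),
    ("192.168.0.40", MDNS_GROUP, build_mdns_query(["_airplay._tcp.local", "_printer._tcp.local"])),
    ("192.168.0.40", "192.168.0.23", b"hello"),
]


def discovery_report(capture, subnet="192.168.0.0/24", gateway="192.168.0.1"):
    """Per source host: verdict for every packet and, for forwarded mDNS
    queries, the services that host was looking for."""
    report = {}
    for src, dst, payload in capture:
        entry = report.setdefault(src, {"verdicts": [], "asked_for": []})
        entry["verdicts"].append(isolation_verdict(dst, subnet, gateway))
        if dst == MDNS_GROUP:
            entry["asked_for"] += [name for name, _ in mdns_questions(payload)]
    return report


def listen_live(seconds=10):
    """Join the mDNS group on the isolated SSID and print who queries for what."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", MDNS_PORT))
    mreq = struct.pack("4s4s", socket.inet_aton(MDNS_GROUP), socket.inet_aton("0.0.0.0"))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.settimeout(1.0)
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            data, (src, _port) = sock.recvfrom(9000)
        except socket.timeout:
            continue
        print(src, [name for name, _ in mdns_questions(data)])
```

`discovery_report(SAMPLE_CAPTURE)` shows the point of the thread in one place: the two multicast queries come back as "usually forwarded" together with the service names each host was probing for, while the direct packet from .40 to .23 is the only one isolation is expected to stop. Running `listen_live()` on a laptop joined to the isolated SSID gives the same view from real traffic; if other stations' queries appear, the AP is forwarding multicast regardless of the isolation checkbox, and blocking them has to happen on each receiving host, as the reply above does with Windows Firewall.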

