Found today two smartphones devices on a Sophos WiFi guest network (separate zone, guest isolation enabled) could see each other. Thought this was a little odd as expectation is that device to device communication would be prevented via guest isolation. Now I'm wondering under what conditions guest isolation is and is not working as expected, and if this behaviour is known and documented or erroneous. I have not found this documented as yet, at least nothing recent.
Setup is Sophos XG v18.x MR3 as FW, mixture of APX320/APX530 APs, two SSID one for business one for guests, the two devices that could communicate where smartphones on the guest network (one iphone, one android), both DHCP configured. On one device, while testing roaming behaviour, a WiFi scan was initiated, it listed the gateway IP, its own IP, and the IP of another guest device. I believe it was testing via ICMP. The other device was identified as an Android smartphone, and it was tested for and did respond to ICMP ping tests from a device on the guest network. Packet capture showed nothing on the XG for that same ICMP test (my guess is that the traffic is simply being passed between these two devices which at that time were on the same AP). Other devices were not contactable. I noticed this Android device that was, was using the 2.4GHz band, where all other devices were on the 5GHz band.
Again, I have not exhaustively tested further, to see what if any other protocols, ports, etc. can be communicated between the two devices, but if I had to guess, it would be that guest isolation is not working as expected in this scenario, that it relates to use of both 2.4GHz and 5GHz bands.
I can provide further details, firmware levels and configuration etc., however would first like to sanity check I am not missing anything obvious here and this is actually unexpected/undocumented behaviour.
Thank you for contacting the Sophos Community!
AP isolation works for users that connect to the same band. Are you testing users in the same band?
Is the SSID being broadcasted on only one band, or on both?
Are you only testing using ICMP?
When client isolation is enabled on a single AP that uses the same SSID as another AP, traffic can still pass between wireless clients that are connected to other APs. To effectively implement client isolation for an SSID that is used by more than one AP, you must also make sure that all traffic between your APs goes through the SFOS. For that, we recommend using Separate Zone SSID.