Found today that two smartphone devices on a Sophos WiFi guest network (separate zone, guest isolation enabled) could see each other. Thought this was a little odd, as the expectation is that device-to-device communication would be prevented via guest isolation. Now I'm wondering under what conditions guest isolation is and is not working as expected, and whether this behaviour is known and documented or erroneous. I have not found this documented as yet, at least nothing recent.
Setup is Sophos XG v18.x MR3 as FW, a mixture of APX320/APX530 APs, two SSIDs (one for business, one for guests). The two devices that could communicate were smartphones on the guest network (one iPhone, one Android), both DHCP configured. On one device, while testing roaming behaviour, a WiFi scan was initiated; it listed the gateway IP, its own IP, and the IP of another guest device. I believe it was testing via ICMP. The other device was identified as an Android smartphone, and it was tested for and did respond to ICMP ping tests from a device on the guest network. Packet capture showed nothing on the XG for that same ICMP test (my guess is that the traffic is simply being passed between these two devices, which at that time were on the same AP). Other devices were not contactable. I noticed this Android device that was contactable was using the 2.4GHz band, whereas all other devices were on the 5GHz band.
Again, I have not exhaustively tested further to see what, if any, other protocols, ports, etc. can be communicated between the two devices, but if I had to guess, it would be that guest isolation is not working as expected in this scenario, and that it relates to the use of both the 2.4GHz and 5GHz bands.
I can provide further details, firmware levels and configuration etc.; however, I would first like to sanity check that I am not missing anything obvious here and that this is actually unexpected/undocumented behaviour.
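The post's test was a ping between two guest clients, and the XG capture saw nothing because AP-local client-to-client traffic never reaches the firewall. A useful way to audit client isolation is therefore to take a capture somewhere that does see that traffic (on one of the guest clients itself, or a mirror of the AP uplink) and flag any unicast flow whose both ends are guest clients, regardless of protocol. The following is an added example, not code from the post or from Sophos: it parses `tcpdump -n` style text lines and reports guest-to-guest unicast flows. The guest subnet, gateway address and the capture lines are constructed placeholders, not values from the post.

```python
"""Flag guest-to-guest unicast traffic in a tcpdump-style text capture.

Added example for auditing Wi-Fi client isolation. Addresses and capture
lines are constructed placeholders, not taken from the original post.
"""
import ipaddress
import re

# Assumed guest-zone addressing (placeholders).
GUEST_SUBNET = ipaddress.ip_network("192.168.50.0/24")
GUEST_GATEWAY = ipaddress.ip_address("192.168.50.1")

# Constructed sample in `tcpdump -n` format. Only the third/fourth/last lines
# are peer-to-peer; the others are gateway, Internet and multicast traffic.
SAMPLE_LINES = [
    "12:00:01.000001 IP 192.168.50.23 > 192.168.50.1: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000500 IP 192.168.50.1 > 192.168.50.23: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:02.000001 IP 192.168.50.23 > 192.168.50.41: ICMP echo request, id 2, seq 1, length 64",
    "12:00:02.000700 IP 192.168.50.41 > 192.168.50.23: ICMP echo reply, id 2, seq 1, length 64",
    "12:00:03.000001 IP 192.168.50.23.51234 > 203.0.113.10.443: Flags [S], seq 0, win 65535, length 0",
    "12:00:04.000001 IP 192.168.50.41.5353 > 224.0.0.251.5353: UDP, length 80",
    "12:00:04.000900 IP 192.168.50.41.5353 > 192.168.50.23.5353: UDP, length 80",
]

# "<timestamp> IP <src>[.<port>] > <dst>[.<port>]: <rest>"
_LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+?): (.*)$")


def _split_host_port(token):
    """'192.168.50.23.51234' -> (address, 51234); '192.168.50.23' -> (address, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(token), None


def parse_line(line):
    """Parse one tcpdump IPv4 line into a dict, or return None for lines we don't understand."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    src, sport = _split_host_port(m.group(1))
    dst, dport = _split_host_port(m.group(2))
    rest = m.group(3)
    if rest.startswith("ICMP"):
        proto = "ICMP"
    elif rest.startswith("UDP"):
        proto = "UDP"
    elif rest.startswith("Flags"):   # tcpdump prints TCP flags first
        proto = "TCP"
    else:
        proto = "OTHER"
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def is_peer_traffic(pkt, subnet=GUEST_SUBNET, gateway=GUEST_GATEWAY):
    """True when both endpoints are guest clients: inside the subnet, neither is the
    gateway, and the destination is unicast (multicast/broadcast is reported separately
    in a real audit, so it is excluded here to keep the signal clean)."""
    src, dst = pkt["src"], pkt["dst"]
    if src not in subnet or dst not in subnet:
        return False
    if gateway in (src, dst):
        return False
    if dst.is_multicast or dst == subnet.broadcast_address:
        return False
    return True


def find_isolation_violations(lines, subnet=GUEST_SUBNET, gateway=GUEST_GATEWAY):
    """Return sorted, de-duplicated (src, dst, proto) triples for guest-to-guest unicast flows.
    With client isolation working, this list should be empty."""
    seen = set()
    for line in lines:
        pkt = parse_line(line)
        if pkt and is_peer_traffic(pkt, subnet, gateway):
            seen.add((str(pkt["src"]), str(pkt["dst"]), pkt["proto"]))
    return sorted(seen)


if __name__ == "__main__":
    for src, dst, proto in find_isolation_violations(SAMPLE_LINES):
        print(f"peer traffic: {src} -> {dst} ({proto})")
```

Run it against real output with `tcpdump -n -i <iface> net 192.168.50.0/24 > guest.txt` (substituting your own guest subnet) and feed the file's lines to `find_isolation_violations`; repeat with the test clients on the same AP, on different APs, and on the 2.4GHz versus 5GHz radios, since the post suggests the band split matters. Because the check is on source/destination pairs rather than on ICMP specifically, it also catches the other protocols the post has not yet tested.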