Firewall Rule to Restrict WebUI Access on TAP200 Not Working

Dear Teltonika Support Team,

I am using a RUTX50 Router and have three TAP200 Access Points in my network. My goal is to restrict WebUI access for the TAP200s (Ports 80 and 443) to specific IP addresses.

I have created the following Firewall Rules on the RUTX50 under Network → Firewall → Traffic Rules:

Rule: Allow access for Admin PCs

  • Protocol: TCP
  • Source Zone: “GuestZone”
  • Source Address: 10.10.10.100 (Admin PC)
  • Source Port: Any
  • Destination zone: input
  • Destination Address: 10.10.10.2, 10.10.10.3, 10.10.10.4 (TAP200s)
  • Destination Port: 22, 80, 443
  • Action: ACCEPT

Rule: Block access for all others

  • Protocol: TCP
  • Source Zone: “GuestZone”
  • Source Address: Any
  • Source Port: Any
  • Destination zone: input
  • Destination Address: 10.10.10.2, 10.10.10.3, 10.10.10.4 (TAP200s)
  • Destination Port: 22, 80, 443
  • Action: DROP

Additionally, I have also created a similar rule for the RUTX50 Router itself, and it is working as expected, restricting access properly.

Issue: Despite these rules, everyone in the network can still access the WebUI of the TAP200s.

Question: Is there a specific setting on the TAP200 or RUTX50 that I need to adjust to enforce the access restriction effectively?

Thank you for your assistance!

Hello,

As I understand, TAP devices are in the same network as the one you’re trying to restrict access from. This is unlikely to work, as traffic within the same firewall zone will simply bypass the firewall.
I would suggest configuring a separate VLAN either for WebUI/SSH access of TAP200s, or a separate VLAN for TAP users. This way you will have traffic separation and can control traffic leaving/exiting the TAP WiFi network.
If you’d like to place TAP users in a different network, you can follow this guide: https://wiki.teltonika-networks.com/view/How_to_set_up_a_guest_WiFi_network_on_RUTX, just instead of assigning the new RUTX50 guest LAN interface to WiFi AP, assign it to the port that TAPs are connected to. Make sure to use tagged VLANs.
Then on the TAP device, edit the created APs and specify the VLAN ID that will be used for user traffic.
Let me know if you need any further help!

Best regards,

Hi,

Thank you for your response and the suggestion to use VLANs for traffic separation. However, the switch used in this setup is unmanaged, meaning VLAN configuration is not possible.

Given this limitation, is there an alternative method to restrict WebUI access to the TAP200s without VLANs? Ideally, I would like to ensure that only specific IP addresses (e.g., Admin PCs) can access the TAP200 WebUI, while blocking all other devices in the same subnet.

I appreciate your guidance on this issue.

Best regards,

Hi,

Just to clarify - the VLANs should be configured on the router. If the switch is unmanaged, it will simply forward the traffic with VLAN ID; no additional configuration is needed. Then the TAP will only use the VLAN ID for all user traffic.

Best regards,
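
The behaviour described in the support replies, modelled as an added example (not part of the original thread and not Teltonika code): a connection only meets the router's traffic rules if it has to be routed, so same-subnet clients reach the TAP200 WebUI regardless of the DROP rule. The /24 mask, the user subnet 10.10.20.0/24, the host addresses other than those in the thread, and the default-ACCEPT fallback are assumptions made for illustration.

```python
import ipaddress

# Addresses taken from the thread.
TAPS = {"10.10.10.2", "10.10.10.3", "10.10.10.4"}
ADMIN = "10.10.10.100"
MGMT_PORTS = {22, 80, 443}
# Assumed: the LAN is a /24; after the VLAN split, WiFi users get this subnet.
LAN = "10.10.10.0/24"
USER_VLAN = "10.10.20.0/24"   # constructed value, not from the thread


def path(src, src_net, dst):
    """Return 'on-link' if src reaches dst by switching alone, else 'routed'."""
    net = ipaddress.ip_network(src_net)
    if ipaddress.ip_address(src) not in net:
        raise ValueError(f"{src} is not inside {src_net}")
    return "on-link" if ipaddress.ip_address(dst) in net else "routed"


def router_rules(src, dst, port):
    """The thread's two rules, first match wins (default ACCEPT is assumed)."""
    if dst in TAPS and port in MGMT_PORTS:
        return "ACCEPT" if src == ADMIN else "DROP"
    return "ACCEPT"


def verdict(src, src_net, dst, port):
    """Outcome of a TCP connection attempt from src to dst:port."""
    if path(src, src_net, dst) == "on-link":
        # Frame goes host -> switch -> TAP; the router never sees the packet.
        return "DELIVERED (router firewall not consulted)"
    return router_rules(src, dst, port)


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("WiFi user, flat LAN", "10.10.10.50", LAN, "10.10.10.2", 443),
        ("WiFi user, own VLAN", "10.10.20.50", USER_VLAN, "10.10.10.2", 443),
        ("wired host left in LAN", "10.10.10.77", LAN, "10.10.10.3", 80),
        ("admin PC in LAN", ADMIN, LAN, "10.10.10.4", 22),
    ]
    for label, src, net, dst, port in flows:
        print(f"{label:24} {src:>13} -> {dst}:{port:<4} {verdict(src, net, dst, port)}")
```

Any host that remains in the TAPs' own subnet still reaches the WebUI directly, which is why the reply proposes moving either the management access or the TAP users onto a separate VLAN.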