Guest networks can be a great way to allow guests to go online, without giving them access to other devices on your network. I’ve set one up on my TP-Link Deco mesh system, but I ran into trouble when I installed a Pi-hole network ad blocker. It took me a while to realize why, so I thought I’d post about it.
The issue: “Connected, no internet”
Guests would be able to connect, but their internet connection wouldn’t work. TP-Link (like many other brands) uses something called “client isolation” for guests. This means that users connected to the guest network are not able to access other devices on the network. This is a little different from some other brands, which create a whole second subnet.
How a Pi-hole works
In order to block ads on the entire network, a Pi-hole acts as a DNS proxy. This sounds complicated, but it’s actually not. DNS servers are the phonebooks of the internet. When you type in a URL or follow a link, your browser connects to a DNS server (usually the one at your ISP) to get the location of the server hosting that website.
When you set up a Pi-hole, you instruct your network to use it as the DNS server. DNS queries are then sent to the Pi-hole on your network, filtered, and passed on if the request is not on any blacklist.
The thing to note here is that the Pi-hole is a device on your local network. And because of that, guests won’t be able to reach it. And no DNS equals no internet.
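To confirm this diagnosis from a device on the guest network, the following added example (not part of the original post) sends the same DNS query to the resolver the network handed out and to a public one, then classifies the outcome. The addresses `192.168.68.10` and `9.9.9.9` are assumptions; substitute your Pi-hole's address and a public resolver you trust.

```python
import ipaddress
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode a minimal DNS A-record query (RFC 1035) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(resolver, name="example.com", timeout=2.0):
    """Return True if `resolver` answers a UDP DNS query within `timeout` seconds."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (resolver, 53))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout, unreachable network, ICMP port unreachable
            return False
    return len(reply) >= 12 and reply[:2] == query[:2]  # transaction ID must match

def diagnose(assigned, assigned_ok, public_ok):
    """Classify the result of probing the assigned resolver and a public one."""
    local = ipaddress.ip_address(assigned).is_private
    if assigned_ok:
        return "assigned resolver answers; DNS is not the problem"
    if public_ok and local:
        return "LAN resolver unreachable but internet DNS works; consistent with client isolation"
    if public_ok:
        return "assigned resolver is down or filtered; internet path is fine"
    return "no resolver reachable; the fault is upstream of DNS"

if __name__ == "__main__":
    ASSIGNED = "192.168.68.10"  # constructed example: Pi-hole address handed out by DHCP
    PUBLIC = "9.9.9.9"          # assumption: any public resolver you trust
    print(diagnose(ASSIGNED, probe(ASSIGNED), probe(PUBLIC)))
```

Run it once from the guest network and once from the main network; only the guest run should report the LAN resolver as unreachable.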
Depending on the make and model of your router, a number of solutions may be possible.
- Set a different DNS server for the guest network. Unfortunately, Deco does not offer this setting.
- Allow access to the Pi-hole by creating an exception. Again, this is not an option on the Deco.
- Set a public DNS server for the network, and edit the network details on your devices to use the Pi-hole.
Unfortunately, I’ve had to choose the third option. This means that new devices aren’t automatically protected, but it’s the only way to get the guest network working properly.