AP Isolation

Discussion in 'Tomato Firmware' started by bman87, Feb 4, 2009.

  1. bman87

    bman87 Addicted to LI Member

    I have enabled AP Isolation in Tomato 1.23

    I thought that having that turned on Wireless clients could not see each other. This works fine, but being wired into the router, I cannot see the wireless clients.

    Does this block from wired to wireless? Is there a way I can enable wired to talk to the wireless, while keeping AP Isolation on?
  2. peyton

    peyton LI Guru Member

    I don't know how it works, but if someone has an explanation.. :)
  3. baldrickturnip

    baldrickturnip LI Guru Member

    AP Isolation

    Has anyone got a full explanation of how this works and what it really does?

    I have 4 54GLs which are connected together via LAN - 1 of the 54GLs is connected to a modem via WAN and it also runs the DHCP server. I have turned on AP isolation as I want to only allow the WiFi clients who connect access to the internet and not access to the devices on the local LAN. This does not seem to be the case.

    Has anyone got any experience with this?
  4. peyton

    peyton LI Guru Member

    In my experience it just disallows wlan clients to see other wlan clients.

    With the LAN I can reach a WLAN client and a WLAN client can reach my LAN. Haven't tested with 2 WLAN clients.
  5. Victek

    Victek Network Guru Member

    Correct, peyton. AP isolation stops WLAN clients from seeing each other.
  6. baldrickturnip

    baldrickturnip LI Guru Member

    Is there a method which can be implemented to restrict WLAN clients to only transit the WAN port of the internet-facing 54GL?

    Can it be done by IP?
  7. RonWessels

    RonWessels Network Guru Member

    Actually the overall picture is a little more complicated than that.

    First, a bit of background. There are two wireless modes that can be used for communication: ad-hoc and infrastructure mode. In ad-hoc mode, each wireless client (e.g. laptop) talks directly with other wireless clients. In infrastructure mode, there is the concept of an "access point" (AP) that each wireless client associates with ("connects to"). And the access point will forward communication to other nodes in your LAN infrastructure as required to deliver the data.

    Let's concentrate on infrastructure mode. For one wireless client to talk to another wireless client on the same AP, the message is sent from the first client to the AP which then re-transmits it to the second client. Within the router, this is all handled magically by the wireless driver. Now, "ap isolation" is a flag to the wireless driver to not perform this forwarding. That means that two wireless clients associated with the same AP cannot communicate with each other.

    But wait a second, I hear you asking. Isn't that what was just explained? So why did you say that "it's a little more complicated than that"?

    Consider what happens when you have multiple access points connected either wired or wireless (WDS). If wireless client A is associated with access point #1 and wireless client B is associated with access point #2, they _can_ communicate with each other even if one or both APs have the "ap isolation" flag turned on! This is because that flag only controls the behavior of a single AP and does not control communication outside of the association zone of that AP. A wired or wireless interconnection of two APs takes the communication out of the realm of that single association zone.

    Hence, "ap isolation" does _not_ in general mean that two wireless clients cannot communicate with each other. That restriction only happens if you have only one AP in your lan infrastructure.
  8. RonWessels

    RonWessels Network Guru Member

    Yes, it can be done. But not through the GUI, and not unless you know what you are doing. You will have to break the bridge between the wireless and wired networks and set up explicit routing and firewalls between the three networks (wired LAN, wireless, and WAN). If you want to do that, I'd recommend OpenWRT or perhaps DD-WRT.

    And yes, when you configure the routing and firewalls, you can set up any rules you want, including IP based rules.

    Another possibility is to use two routers, where the first is connected to the Internet and provides wireless access. The second router has its WAN port connected to a LAN port of the first router and provides your wired network. This way, any wireless client is blocked from your wired network just like other internet traffic would be blocked on the WAN port.
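    The firewall part of the "break the bridge" approach above, as an added example that is not from the thread or from Tomato/OpenWRT: once the radio is no longer a member of the LAN bridge, these iptables rules let wireless clients reach only the Internet (plus DHCP/DNS on the router) while wired clients can still reach wireless ones. The interface names (eth1 radio, vlan0 wired, vlan1 WAN) and the wireless subnet are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: firewall for a router whose wireless interface has been taken
# out of the LAN bridge, so wireless, wired LAN and WAN are three interfaces.
# Interface names and the wireless subnet are assumptions, override via env.
WLAN_IF="${WLAN_IF:-eth1}"              # radio, no longer a member of br0
LAN_IF="${LAN_IF:-vlan0}"               # wired switch ports
WAN_IF="${WAN_IF:-vlan1}"               # Internet-facing port
WLAN_NET="${WLAN_NET:-192.168.2.0/24}"  # subnet handed to wireless clients

# Emit one iptables command: DRY_RUN=1 (default) prints it, DRY_RUN=0 applies it.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules that let wireless clients transit only the WAN port.
wlan_to_wan_only() {
    # Replies to connections that were allowed in the first place.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Wireless -> Internet is allowed and NATed like the wired LAN already is.
    ipt -A FORWARD -i "$WLAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$WLAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Wired -> wireless is still allowed (wired hosts can reach WLAN clients).
    ipt -A FORWARD -i "$LAN_IF" -o "$WLAN_IF" -j ACCEPT
    # Everything else leaving the radio (wired LAN, other segments) is dropped.
    ipt -A FORWARD -i "$WLAN_IF" -j DROP
    # The router itself answers only DHCP and DNS on the wireless side.
    ipt -A INPUT -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$WLAN_IF" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$WLAN_IF" -j DROP
}

wlan_to_wan_only
```

    The rules assume no earlier ACCEPT rule in FORWARD or INPUT already matches traffic from the radio, so apply them before the firmware's own rules or flush those chains first. They only cover a radio on this router; a second AP hanging off the wired LAN needs the same treatment, since its wireless clients enter the wired segment directly (see post #7).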
