
Guest AP Isolation

Discussion in 'Tomato Firmware' started by eahm, Feb 21, 2013.

  1. eahm

    eahm LI Guru Member

    Now, to keep talking about VLANs, how do I isolate every Guest WiFi client on br1 without touching the ones on br0?

    br0 (192.168.1.1/24) LANclient <---> LANclient <---> WLANclient <---> WLANclient <---> ...

    br1 (Guest SSID, 2.4GHz and 5GHz) (10.0.0.1/24) WLANclient -x- WLANclient -x- WLANclient -x- ...
     
  2. Jeffspears

    Jeffspears Serious Server Member

    Go to Advanced and then Wireless and you will see it disabled by default.

    Edit: cough unless you are talking about LAN users which I have no idea ;)
     
  3. eahm

    eahm LI Guru Member

    It's not that. You missed the part "without touching the ones on br0?". Also AP Isolation doesn't even work as it should, it doesn't isolate at all, I tested it last night (Toastman and Shibby). Anyway, that's not the case.

    Anyone else messing with VLANs and Guest Wireless?

    I am asking too much; I don't think it's possible anyway, it's a feature no one has asked for before and no one has integrated yet.
     
  4. lefty

    lefty Networkin' Nut Member

    In your definition, how is AP isolation not working? What can still see what?

    And for the record, VLANs and multiple wireless LANs are very different. I keep reading posts on the matter and a lot of people keep saying VLAN, which isn't what this is. VLANs are 802.11q tagging/trunking or physical port map switching based VLANs, nothing to do with wireless.
     
    koitsu likes this.
  5. eahm

    eahm LI Guru Member

    It doesn't isolate the clients, I can still see, access, transfer files between them.

    It wouldn't even work anyway because I need to isolate only the guest wireless clients. Do you know a way with Tomato?

    If I plug a cable or activate the wireless on a different virtual network what's the difference? Still a VLAN.
     
  6. koitsu

    koitsu Network Guru Member

    The "AP Isolation" capability in wireless drivers has been broken all over the board for at least 4 years. It varies per SOC/wifi chip and so on. Even some stock Linksys firmwares had it broken. You can find some mentions of it even in OpenWRT's bug tracker.

    Googling "AP Isolation" returns a bunch of vague descriptions of what it really is and how it works on an actual technical level (meaning the description I keep seeing Internet forum warriors pasting does not necessarily reflect the truth). I can't find a single definitive source of information about it. I can see it being what people describe (i.e. don't allow 802.11 frames between 802.11 clients to reach one another, i.e. no "802.11 broadcast" equivalent), but given closed-source drivers and its unreliability in the past, I'm not sure what I can believe.

    lefty's point about it being separate from VLANs is absolutely spot on, however. The term VLAN is used all over the place horribly wrong; some of us know what an actual VLAN is per 802.1Q spec -- note I said 802.1Q, not 802.11q (lefty made a typo, and it's 802.1 not 802.11) -- while others use the term to define "virtual LAN" in a vague/ambiguous manner that may not rely on 802.1Q at all but instead proprietary methods.
     
  7. eahm

    eahm LI Guru Member

    Let me try to ask in a better way. I know this is possible with Cisco routers and I understand Tomato is not that powerful etc. I need to be able to create the same situation of an Isolated VLAN.

    To be able to create virtual wireless networks you need to create a virtual LAN. I just want to know if I can isolate every single machine of the virtual LAN br1 (br2/3) without touching the LAN br0. I want to keep br0 as it is and as it should be, but make br1/2/3's machines isolated from each other.
    Is this possible with Tomato?

    Thanks for the AP Isolation post koitsu, I won't bother trying again.
     
  8. jakey

    jakey Networkin' Nut Member

    I have set up 2 virtual wireless guest nets, one on 2.4GHz and one on 5GHz.

    It's been a while since I did this and I have to admit I don't fully understand how it all works :)

    Nevertheless it seems to do the job and isolates the separate guest nets, and also stops the guest nets from accessing the router admin pages.

    My setup is as in the attached pics, with the firewall rules added to the firewall section of the admin script page.

    The method was posted by a member of this forum in another thread somewhere and I adjusted it to my own needs, so all credit to him, whoever it was.

    Please ignore if I'm way off the mark :-/

    EDIT: can't remember, but I may have had to adjust some MAC addresses to prevent clashes

    Code:
    iptables -I INPUT 1 -i br1 -p udp --dport 53 -d 192.168.1.1 -j ACCEPT
    iptables -I INPUT 2 -i br1 -p udp --dport 67 -d 192.168.1.1 -j ACCEPT
    iptables -I INPUT 3 -i br1  -d 192.168.1.1 -j DROP
    iptables -I INPUT 1 -i br2 -p udp --dport 53 -d 192.168.1.1 -j ACCEPT
    iptables -I INPUT 2 -i br2 -p udp --dport 67 -d 192.168.1.1 -j ACCEPT
    iptables -I INPUT 3 -i br2  -d 192.168.1.1 -j DROP
    iptables -I INPUT 1 -i br1 -p udp --dport 53 -d 192.168.2.1 -j ACCEPT
    iptables -I INPUT 2 -i br1 -p udp --dport 67 -d 192.168.2.1 -j ACCEPT
    iptables -I INPUT 3 -i br1  -d 192.168.2.1 -j DROP
    iptables -I INPUT 1 -i br2 -p udp --dport 53 -d 192.168.2.1 -j ACCEPT
    iptables -I INPUT 2 -i br2 -p udp --dport 67 -d 192.168.2.1 -j ACCEPT
    iptables -I INPUT 3 -i br2  -d 192.168.2.1 -j DROP
    iptables -I INPUT 1 -i br1 -p udp --dport 53 -d 192.168.3.1 -j ACCEPT
    iptables -I INPUT 2 -i br1 -p udp --dport 67 -d 192.168.3.1 -j ACCEPT
    iptables -I INPUT 3 -i br1  -d 192.168.3.1 -j DROP
    iptables -I INPUT 1 -i br2 -p udp --dport 53 -d 192.168.3.1 -j ACCEPT
    iptables -I INPUT 2 -i br2 -p udp --dport 67 -d 192.168.3.1 -j ACCEPT
    iptables -I INPUT 3 -i br2  -d 192.168.3.1 -j DROP
     
  9. eahm

    eahm LI Guru Member

    Why did you put the 5GHz on br2? I usually make just br1 for 2.4GHz and 5GHz, I don't care which band they use as long as it's another network.

    I also leave 1440 at home, sometimes guests are friends visiting, I don't want the lease to expire every 2 hours, 1 day is fine with me. For public places' customers usually 240.
     
  10. jakey

    jakey Networkin' Nut Member

    As I said I don't fully understand, I'm no guru, just a user who wants it to work :) but thanks for that info, I've now moved both to br1 and it's tidied things up nicely.

    As for the lease, nobody here using guest will ever be connected for more than 2 hours, so I can't see the point of having it any longer.

    Anyway it does the job of isolating which was your question and the point of my post!
     
  11. eahm

    eahm LI Guru Member

    It's ok and yes, br1 isolates from br0, but if you read again I'd like to isolate every device connected to br1 from every other device connected to br1 (and of course br0) without touching the rules of br0; everyone on br0 must remain like it is.

    br0 = private network

    br1/2/3 = public network/s, with isolation between the devices
     
  12. rafwes

    rafwes Serious Server Member

    Never tried it, but what if you told ebtables just to allow input to br1's MAC address with a drop-not rule? You could also try just to allow forwarding between br1 and WAN.
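Putting jakey's INPUT rules and rafwes's ebtables idea together, as an added example that is not code from this thread or from Tomato itself: one ebtables rule stops the kernel bridging frames between the member ports of the guest bridge, and a per-bridge iptables function lets guests reach the router only for DHCP and DNS, so nothing for br0 is touched. The bridge name br1, the router address 10.0.0.1, the function names and the presence of ebtables in the build are assumptions; DRY_RUN=1 prints the commands instead of running them so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not code from this thread). Guest-bridge isolation for a
# Tomato firewall script. Assumed: guest bridge br1 with the router at
# 10.0.0.1, and a build that ships ebtables. Set DRY_RUN=1 to print the
# commands instead of executing them (review on a workstation, no root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Layer 2: drop any frame the kernel would bridge from one member port of
# the bridge to another member port of the same bridge (e.g. wl0.1 to
# wl1.1). Frames addressed to the router itself are delivered locally, not
# forwarded, so DHCP, DNS and the br1 -> WAN path are unaffected.
# Caveat: two clients on the same wireless VAP are relayed inside the wifi
# driver and never cross the bridge, so ebtables cannot see that traffic;
# only the driver's own AP isolation can separate those.
isolate_bridge_l2() {
    run ebtables -A FORWARD --logical-in "$1" --logical-out "$1" -j DROP
}

# Layer 3: from bridge $1, only DHCP (udp/67) and DNS (udp+tcp/53) may
# reach the router address $2; anything else to the router (GUI, SSH, ...)
# is dropped. The DROP is inserted first at position 1, then each ACCEPT is
# inserted above it, so the final order is ACCEPT, ACCEPT, ACCEPT, DROP.
lock_router_from_bridge() {
    run iptables -I INPUT 1 -i "$1" -d "$2" -j DROP
    run iptables -I INPUT 1 -i "$1" -d "$2" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT 1 -i "$1" -d "$2" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT 1 -i "$1" -d "$2" -p tcp --dport 53 -j ACCEPT
}

apply_guest_isolation() {
    isolate_bridge_l2 br1
    lock_router_from_bridge br1 10.0.0.1
}

# Run as "sh guest-iso.sh apply" (review first with DRY_RUN=1); in the
# Tomato firewall script, paste the functions and call apply_guest_isolation.
if [ "${1:-}" = "apply" ]; then
    apply_guest_isolation
fi
```

Verify the layer-2 part afterwards with `ebtables -L FORWARD` and by pinging one guest client from another on the other band; same-VAP clients still need the driver's AP isolation as noted in the comments.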
     