
What is the best way to isolate one device from others without a subnet?

Discussion in 'Tomato Firmware' started by Trent Bates, Apr 22, 2013.

  1. Trent Bates

    Trent Bates Serious Server Member

    Hi all,

    New here.
    Asus RT-N66U with Tomato Firmware 1.28.0000 MIPSR2-108 K26 USB AIO-64K after lots of experimenting with ASUS's FW as well as Merlin's FW. I'm really enjoying Tomato and finally feeling like I have a solid product in the RT-N66U.

    This may have very well been covered in other threads, but I am not entirely sure what I'm looking for, so I'm not sure what to search the forum topics for. No disrespect meant towards the forum.

    Here's my problem:
    With ASUS's factory firmware in all versions that I had tried, there was an option to have a Guest SSID and isolate it from other devices on other SSIDs, etc. but still exist in the same network of

    I didn't care if the Guest SSID was on a subnet or not before as I wanted to isolate the questionable devices from the known devices and I didn't see a need for anything special. In fact, I preferred guests on a subnet, but now it's limiting what I want to do with Tomato.

    What I think I want is to have 1 class C network and no subnets. I want to have my known devices be able to see each other. I then want to be able to have a known guest device on a guest SSID that's connected to br0 as well but can't see the other devices.

    I think I want this simply because it seems there are more options available to br0 than there are to the others. It seems that logging, charts, etc. are simpler that way as well.

    I suspect that this might involve iptables. I have a very basic understanding of iptables. I'm generally a quick study and tend to master new ideas once I see something in action though.

    So, can a specific guest SSID that is associated with br0 be isolated from other SSID's and wired devices?
    Is it something I can accomplish with specific MAC or IP entries somewhere? I am assigning specific IPs to these 6-7 guest devices already and I have no problem adding an entry with each new device that might be added. I prefer to use MAC addresses if possible.

    Any tips, ideas or other suggestions would be appreciated! Thanks!
  2. philess

    philess Networkin' Nut Member

    To make it short: I think the easiest way to do this would be using different subnets :)
    If you want the "comfort" of having everyone on br0 so that all charts, QoS etc. work nicely,
    but you don't want to have any actual connection between the guests and your private network,
    I don't see the point of going through all the trouble with iptables etc.

    Simply create a second network, still on br0, connect that to your guest SSID.

    Example: Private network on br0: /
    Guest network on br0: /

    I *think* that should work just fine... But maybe some services of Tomato
    would have a problem listening on two IPs instead of one interface? I guess someone
    else here could comment on that further.
  3. Trent Bates

    Trent Bates Serious Server Member

    I hadn't thought of putting two class c's on one interface. I will try that tomorrow!
    I had played with splitting one class c into two subnets with a mask of but I didn't go very far with it before getting distracted. :)
  4. Trent Bates

    Trent Bates Serious Server Member

    Okay, I went to try what philess suggested and realized that I didn't know how it would be accomplished via the GUI. The GUI won't let me do that. Clip1.jpg

    Any other ideas?

    Even if iptables is not the way to go, is there an example of how it could be done? I feel kind of behind the times with my lack of iptables knowledge. I have read a lot of random iptables info but I haven't yet connected it all to what I do know.

    I really would like to hear any suggestions!
  5. darkknight93

    darkknight93 Networkin' Nut Member

    My setup for completely isolating a device connected to LAN4 is this:

    Create a 3rd VLAN for special routing of the guest devices - then select which device/port you want to bridge on this separate VLAN, in my case:
    Connect the device you want to isolate to LAN4 - this is routed differently to br1 (in my case

    [Firewall Script]
    #Network Access to br0 block
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT

    EDIT: These rules block -i (input from br1, guests) to -o (outgoing to br0, known hosts), and in my case I allowed connections from br0 to br1 for accessing guest services because this is my DMZ.

    This should do the trick. If you have any questions, just post a reply.

    EDIT: If you want to isolate a WLAN SSID you can bridge the WLAN interface "wl.0" or any other to br1 instead of bridging LAN4 to br1.

    EDIT2: I'm not sure whether it's possible to block access for some devices via Layer 2 on the same subnet. I bet it can be done with iptables but this will be a complex and bad-to-handle scenario.
    Creating a different bridge br1 is easier. My IP Traffic/BW charts are still working and show up the option for br1 - QoS I do not use because 100MBps downstream is way enough ;)
    Bandwidth limiter should work on br1 also. Which features do you plan to use? :) I might check them out.

    Greetings from Germany
  6. Trent Bates

    Trent Bates Serious Server Member

    Hi darkknight93, all,

    Sorry for the delay in responding, but I wanted to make sure I had a clear idea in my head before committing it to the internet. :)

    I believe that I have already tried what you've suggested with the exception of the iptable entries. (I'm still trying to fully understand those.)

    (This is where my inexperience will show, feel free to correct me!)
    As you can see from my screencap above, I have two bridges already (br0, br1).

    I have had a VLAN3 (br1) with nothing associated but a guest SSID but have also found that it works without the VLAN3 entry. I still have that guest SSID associated with br1. (Maybe I need to put the VLAN3 entry back? It seems superfluous.)

    All physical ports and other SSIDs are on VLAN2 (br0) and WAN is on VLAN1.

    In the simplest of terms, I have one specific guest device (laptop) that I don't trust on my network and can't entirely control, and 5 other guest devices that I want grouped together. Some of these devices travel and pick up who-knows-what and I don't care to deal with the fallout. (I wouldn't allow these devices to pump out spam or anything, I just don't want to worry about local infections.)

    I want to apply fine-tuned individual bandwidth limiting to these devices like br0 allows instead of the "everyone shares" method br1, br2 and br3 have.
    And there are also the graph and chart conveniences to consider, but those are less important.

    The main reason I'm asking about this at all is that the stock ASUS firmware seems to be able to accomplish this with a simple checkbox click. An individual guest SSID can be isolated from the other devices (and still have WAN access) but remain on the class c network. No apparent subnets are used.

    I can adjust my behavior and use subnets and so forth, but I'm still curious how it works in the stock ASUS firmware. What do they do to accomplish that?

    I could save settings and load some ASUS firmware and poke around, but I'm not certain that I know what I'd look for. I'm too new to iptables or whatever else might be used to get this kind of stuff to happen. I'm sadly very rusty at linux in general these days. I feel that I've forgotten more than I knew! :)

    How is isolation accomplished in Tomato?
    Under [Advanced:][Wireless] there's a dropdown box for AP Isolation {Disable* | Enable}.
    That's what I want for wl0.3! (and the other virtual wireless interfaces too)
    Enabling that for the entire 2.4GHz band is too much (can't print, etc.) but maybe I can save a copy of the environment and change that setting and compare the new environment to the old to see what is changed.

    How do I go about saving the running environment? Are there specific files to focus on? iptables, dnsmasq, hosts, etc.
    Is everything I'm looking for in /etc or should I be looking in /tmp, /var or /usr?

    I'm all ears here! Anyone with any ideas, please speak up!
  7. Trent Bates

    Trent Bates Serious Server Member

    It appears that any settings related to AP Isolation in [Advanced:][Wireless] are not saved in /etc at all. (Unless it's transferred there before a reboot?)
  8. Trent Bates

    Trent Bates Serious Server Member

    UPDATE 2:
    Here's where my inexperience shows some more. I found something through PuTTY that shows that the state of "isolation" is on for one interface (2.4GHz) but I don't know where that information is stored or how it would be modified for wl0.3.

    /tmp/etc# nvram find isolate
    What happens when an nvram set command is issued? Where is that data stored? (Probably depends on the command.) Where would this one be stored? Does it even matter where as long as it can be changed?

    Is it feasible to issue a command such as:
    nvram set wl0.3_ap_isolate=1 [Enter]
    nvram commit [Enter]
  9. Bird333

    Bird333 Network Guru Member

    It's stored in the NVRAM which is on the flash chip. Your command looks reasonable and is probably safe, but anytime you mess with NVRAM there is a risk. Try it without "nvram commit".
  10. philess

    philess Networkin' Nut Member

    I have played with the AP isolation a few weeks ago too, but came to the conclusion that
    it simply does not work in Tomato (at least with my E4200 it doesn't).

    I set the options through GUI, but also directly in nvram, for only 2.4GHz, for 5, for both.
    No luck at all. I could still ping from one WLAN client to another WLAN client.

    On that note: Trent, are you sure you realize what the AP isolation is supposed to do?
    It is not to isolate your guest network from your other networks (your guest network
    is only a virtual interface, therefore the wireless driver can't do anything about that),
    AP isolation is to isolate the clients within one network, for example for public hotspots.
    So that the clients cannot access each other, but they all can access the router (=web).

    Isolating your guest network has nothing to do with AP isolation. Isolating the network
    is about iptables rules and nothing else.
  11. Trent Bates

    Trent Bates Serious Server Member

    Thanks Bird333,

    I think I'm having a revelation about NVRAM and file structure on root. Am I correct in understanding that they are not the same thing entirely?
    I was assuming that NVRAM was represented by the file structure itself. (Perhaps parts of the structure contained NVRAM while other parts were configuration, binaries, etc.)

    I will reset everything back to normal and reboot, get my devices all connected and ready to test and try just that one command on and off without "commit" or "reboot".

    Thanks a bunch everyone. If this works, this is all I was after in the first place! :D

    I wish I was more fluent in the necessary terminology to explain myself! :)
    I "think" I am after AP Isolation in the method that was used by ASUS in the stock firmware.
    In their configuration, a guest device on a guest SSID in br0 was unable to see other devices on other SSIDs in br0. I believe that all devices on that guest SSID were also isolated from each other as we'd expect.
    If it was possible with the stock firmware, I'm hoping that it can be done on Tomato as well.

    I really don't mind a separate subnet, but now I want to see if it can be done on br0. On the flip side, I don't want to try and reinvent the wheel and push into territory that has been proven not to work.

    I'll report back with my findings in a bit. I've got to remember to set everything the way I want it and make another backup file and all of that!
  12. philess

    philess Networkin' Nut Member

    Note that only doing "nvram set wl0_ap_isolate=1" will not do anything, you need to
    restart the wireless driver for the new setting to take effect.
  13. rafwes

    rafwes Serious Server Member

    Asus accomplishes this with ebtables. Here are some sample rules:

    ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst --ip-proto tcp -j DROP
    ebtables -A FORWARD -i wl0.1 -o ! vlan2 -j DROP
    ebtables -A FORWARD -i ! vlan2 -o wl0.1 -j DROP 
  14. Trent Bates

    Trent Bates Serious Server Member

    Right! Thanks for reminding me!
  15. Trent Bates

    Trent Bates Serious Server Member

    Uh-oh, I was just starting to get my mind settled on iptables. What / where are ebtables?
  16. philess

    philess Networkin' Nut Member

    By "this" you mean isolating the clients from each other or isolating the guest network from the private network?
    I am very sure that any ip/ebtables rules can only affect routing through the router itself, or LAN clients,
    but WLAN clients talk directly to each other once they know about each other. This has been pointed out
    recently in another thread here. AP isolation without proper wireless-driver support is afaik impossible.

  17. jerrm

    jerrm Network Guru Member

    Think of NVRAM as one master config file. It is the only user configurable data that is persistent unless other storage methods are enabled. The startup processes read the nvram variables and create files with the proper settings before invoking any other programs. Some router-specific programs may read NVRAM directly. Any changes to the file system itself do not persist through a reboot.

    Using dnsmasq.conf as an example - there is no "dnsmasq.conf" that exists when the router first boots. Tomato's startup code reads the various nvram variables related to dhcp, dns, interfaces, etc. and constructs the file at boot time before invoking the dnsmasq executable. You can edit dnsmasq.conf any way you want, restart the service and see the changes put into effect, but all those changes will be lost at the next boot. For some files like dnsmasq.conf, the gui allows custom config options, which are saved to nvram and then appended to the tomato-generated file.

    JFFS, USB, and CIFS can also be used for persistent storage, but that is another topic.
  18. Trent Bates

    Trent Bates Serious Server Member

    Okay, I can see where you are with this.
    I did have my RT-N66U running ASUS firmware from versions ...4.112 up to ...4.354beta as well as a few Merlin variations. I felt that ASUS-based firmware was buggy and although it's only been a few weeks, I now feel like I was using another device instead of the same device with Tomato on it.

    I did have a guest SSID with isolation on and had those 6 guest devices on the same class c network as all of my other devices. I have roughly 25 devices total.
    It worked fine. The guest devices could neither see each other nor the private devices but could see the WAN. Private devices could not see guest devices either. All of this was on and I ran it this way for 6 months or so.

    I'm a bit fuzzy about wireless driver support with Asus vs. Tomato. Is it not the same closed-source binary driver from Asus? It may not be the exact driver version that's being released now, but might it be one of the binary drivers that was able to perform this function with the Asus firmware in the past? If so, I'm inclined to think that the function is there to be activated.

    As I've already alluded to, I really have no idea or expertise. I'm experimenting.
    Also, I'm really glad to see the discussion on this pick up a bit!
  19. Trent Bates

    Trent Bates Serious Server Member

    Thank you for explaining a bit!
  20. rafwes

    rafwes Serious Server Member

    iptables acts on routing, while ebtables acts on switching. Unfortunately ebtables can only control traffic that enters and leaves interfaces/bridges. Since 2 wifi clients on the guest network communicate with each other without ever leaving their virtual interface, ebtables cannot do anything about it. It will though isolate guest clients from all other clients.

    As you correctly said, full isolation has to be done at driver level. Unfortunately Broadcom drivers' support for client isolation is very substandard. If you really need this, a workaround could be to create a different SSID for each client and restrict access only to its own MAC address. Just a guess, never tried it...
  21. rafwes

    rafwes Serious Server Member

    Instead of using nvram, try talking directly to the driver and see if it works:

    wl ap_isolate 1
  22. philess

    philess Networkin' Nut Member

    I don't doubt that it can work, I am glad it did for you. But as I said, I had no luck with AP isolation at all.
    I will get a new RT-N16 tomorrow to install, going to see if it works there.
    It may have been a difference between the Asus drivers and Merlin's version, or maybe it was
    related to your specific router model. As I said, I tested on a Linksys E4200, not RT-N66U.
    But I am very glad to hear that it is actually possible to use!

    Setting up a SSID for each client simply HAS to work :) But there is a limit to how many SSIDs (virtual WLANs)
    you can create on most routers (e.g. 3 per radio = 6 total on a MIMO 2.4/5GHz model, I think?).
    But mostly, that's not really practical for most people, setting up multiple SSIDs.
    Unless in a very rare scenario where all clients are known and are not really "guests".
    Because the advantage of actual AP isolation would be to have only one network with login details
    to give out to clients. If you have to give a different SSID out to every client... I don't think that's really
    practical. But sure, possible :) Thanks for bringing this up!
  23. darkknight93

    darkknight93 Networkin' Nut Member

    On the Bandwidth Limiter page you can define for each IP/IP range a different bandwidth limit for up/download. So this is just to be mentioned. :)
  24. Trent Bates

    Trent Bates Serious Server Member

    While I can set an NVRAM entry as shown below:
    Tomato v1.28.0000 MIPSR2-108 K26 USB AIO-64K
    root@RT-N66U:/tmp/home/root# nvram find isolate
    I can't seem to interact with devices wl0.1, wl0.2, wl0.3 like I can with wl0.
    I was able to change the state of the isolation checkbox for 2.4GHz in the GUI from PuTTY earlier.

    The above wl0.2 entry doesn't seem to have an effect. I wonder if it's available at all or if I'm just addressing it incorrectly.
  25. philess

    philess Networkin' Nut Member

    wl0.2, wl0.3 and so on are virtual devices, the wireless driver has no clue about them, therefore
    the nvram variable does not exist and if you create it yourself, it has no effect.

    If you do 'nvram set wl0.2_ap_isolate=1' it appears to accept it, but it just creates the variable.
    There is no error message about it. You could do 'nvram set bla=bla' and that would appear
    to be valid. But the wireless driver only takes care of the actual hardware radio interfaces,
    which are usually wl0 and wl1 (and that's why those exist with _ap_isolate in nvram).

    You can try to enable ap_isolate for ALL hardware radios, maybe that will work with your

    nvram set wl0_ap_isolate=1
    nvram set wl1_ap_isolate=1
    nvram set wl_ap_isolate=1
  26. rafwes

    rafwes Serious Server Member

    wl for me did not output any variables for virtual LAN specific isolation, just for radio-wide isolation. It might just do the trick for you, because even if you isolate private clients, they should still be able to reach each other over the bridge (provided you do not prevent them from doing so with ebtables).
  27. Trent Bates

    Trent Bates Serious Server Member

    What I found was:
    You can define up/down for each IP or MAC on that page, but if the MAC is on VLAN1/br1 for example, only the upload limit has an effect. The download limit is affected by the group br1 setting on that same page.

    Those settings can be read in the /etc/qoslimit file where it seems that the upload settings are somehow merged. (Maybe erroneously) I don't have a current file to show this with, but it seemed that download limits were explicitly defined while upload limits were not as specific.
  28. Trent Bates

    Trent Bates Serious Server Member

    philess, rafwes,

    You both raise good points. Thanks!
    I am aware that I can set a random variable in nvram but hoped I was actually addressing a "device" properly. It doesn't look like I have.

    I have been operating under the impression (faulty observation) that isolating devices on a network would keep all the devices on wl0 from seeing each other. Given the description of what iptables and ebtables do, I now wonder if I'm fighting an issue that actually doesn't exist.
    I will enable isolation on both wl0 and wl1 and try that and then add wl if needed.
    I'll be back later with my findings!
  29. philess

    philess Networkin' Nut Member

    Don't forget to also block routing between the clients on the side of the router too then!

    As rafwes mentioned: If AP isolation on the wl driver actually works, the router still acts
    as a, well, router between those isolated clients. You need to block that routing on the router
    too then. And THEN it would be actual AP isolation like most enterprise level APs do for
    public hotspots etc.
  30. Trent Bates

    Trent Bates Serious Server Member

    FWIW - I copied this from:

    AP Isolation: A prime example would be like in a hotspot (e.g. coffeeshop like Starbucks, hotels) wherein a lot of computers connect randomly to the network. Since all computers are connected to 1 single network there is a possibility that they could access each other which may result in unwanted hacking. AP isolation will help prevent this by making each and every single computer a separate entity on their own. When enabled, the router prevents wireless devices from communicating with each other. If disabled, the unit will switch traffic from one wireless client to another.
  31. Trent Bates

    Trent Bates Serious Server Member

    Can you elaborate on that? My mind is getting fuzzy and I can't remember where/how I would do that.
  32. Trent Bates

    Trent Bates Serious Server Member

    Okay, here's what I've found:

    nvram set wl0_ap_isolate=1
    nvram set wl1_ap_isolate=1
    nvram set wl_ap_isolate=1
    These seem to do nothing by themselves. I committed to NVRAM and rebooted after.

    I'm able right now to connect from eth2 (5GHz) to wl0.2 and eth1 because they are all on the same bridge of br0.

    I must be missing something. Something simple and obvious! ;) Something like philess's instruction above.
  33. philess

    philess Networkin' Nut Member

    Well it's slowly getting later here and I am getting drunk-ish ;) But I'll try :)

    Problem is though, you would need your clients that you want to isolate with
    specific IPs (nobody wants to create 253 separate rules, one for each
    possible client). At least I don't know how that would be possible otherwise.

    What you need is to tell the router that from each client IP, only connections
    that are intended for either the router itself (example DNS lookups)
    or that are intended for another network (br0, or of course: WAN).
    Everything else would be intended for other clients, and that's what we don't
    want in this case. I think it would be doable to limit the DHCP range of your
    guest network to like 10 (or however many clients + a bit room you expect),
    and then create rules for exactly those IPs.

    But thinking of it, this could work:

    # Everything that comes FROM br1 and is intended to GO TO br1, we DROP
    iptables -I FORWARD -i br1 -o br1 -j DROP
    Hmm, could it really be so simple?? I'll test that right now.

    Edit: Nope, no luck. The rule gets accepted and so far in theory it should work.
    But with wl_ap_isolate=1 set for all physical interfaces, wl driver restarted,
    iptables rule active and firewall restarted: I can still ping between wireless clients
    which are both in br1, and I even switched them to new IPs after that to
    avoid the case that they already know each other's MAC address from ARP cache.

    But then again this might just be the wl driver acting up on my router here.
    It could work for you.

    ebtables -I FORWARD -i br1 -o br1 -j DROP
    didn't work either :( I give up with this router. Hope the Asus arrives soon
    so I can try again.

  34. Trent Bates

    Trent Bates Serious Server Member

    I really appreciate all of you working on this issue! I'm getting overwhelmed myself as it sounds like you all are.

    Let me see if I can more clearly define in my head what the issue is now that we've tried some stuff.

    Private network on - br0

    Guest SSID on also - br0

    ASUS firmware was able to isolate guest SSID from private network by means of a checkbox in each guest SSID section. The device isolation seemed to work as enterprise access points do. All guest networks were in the same class c range. No subnets.

    ASUS firmware accomplished this with ebtables

    Maybe someone can help me simplify this. Each radio and virtual SSID seems to have an ID of some sort. There's almost an individual MAC for each. (WAN shares with eth2 and eth1 shares with LAN I believe) The virtual LANs all have their own MACs and IDs such as wl0.1, wl1.1, etc.

    Are we all in agreement that there could / should be a basic rule for wl0.1 or wl0.2, etc. as it relates to the others. Basically, each virtual interface could have a "WAN traffic only" rule (or rules).

    If ebtables is what ASUS uses, maybe I need to delve into that. I'm envious of all of you that understand these ip/ebtable entries. I need to learn this stuff!
    I'm going to take a break for a few hours and later study the ebtables example above. Thanks again everyone! Keep the ideas coming!
  35. Bird333

    Bird333 Network Guru Member

    This rule doesn't work because clients on the same subnet don't go through iptables. The switch handles them directly. Even though this is what I have been told, I still don't know if packets on the same subnet at least go through the PREROUTING chain of iptables.
  36. philess

    philess Networkin' Nut Member

    Quick reply: Every SSID must have a MAC address, you can see and change them in the Virtual Wireless menu
    (depending on your exact Tomato mod). What you mean by ID is the VIF, you can see those in the VLAN
    menu. So for example your WAN port is VLAN2, all ethernet ports are in VLAN1. And then you have your
    guest network as VLAN3. They are all bridged to one of the br, uhmm, interfaces. Except VLAN2 is WAN.

    Yes, what we need would be a rule "everything from wl0.1 can only go to WAN, or to the router itself
    for DNS/DHCP". Very basically put. PLUS we need the wl driver to prohibit the WLAN clients from talking
    directly to each other.

    No reason to be jealous haha, if you spend enough time on something you can learn anything.
    I just read up on ebtables today myself. And yes, I think too that that will be the solution. But how...
  37. philess

    philess Networkin' Nut Member

    Absolutely true. I realized that a few minutes later :) That's why we would need ebtables to handle that.
  38. rafwes

    rafwes Serious Server Member

    Subnets define which IPs are locally reachable WITHOUT routing, so if you are trying to prevent IPs on the same subnet from reaching each other, iptables can't help you at all. It's not handling the packets, so it can't drop them.

    ebtables does at link level what iptables does at network level. IF there are packets moving from one interface to another (the analogue of subnets in the routing case), ebtables can handle them.

    What you can basically tell ebtables to do is (this is what the Asus fw does): hey look, all my guest clients are in wl0.1. Please drop packets if they try to send/receive anything to/from any interface other than vlan2 (the internet). Besides that, block any TCP connection from guest clients reaching the subnet, thus only allowing UDP (DNS/DHCP) while blocking for example HTTP, SSH, telnet...

    In order to fully isolate guest clients you would need driver support, since they are not leaving the interface wl0.1 when talking to each other. ebtables is as blind to intra-interface traffic as iptables is blind to intra-subnet traffic.
  39. rafwes

    rafwes Serious Server Member

    On bridges:

    When you isolate clients on driver level, you are preventing direct communication between them over wifi. Communications between the clients and the router itself are not blocked (otherwise you would have no internet access at all).

    By default there is a bridge (basically a virtual switch) interconnecting all private interfaces. For instance the bridge connects the router, wired devices and the (virtual) wifi networks together so they can really share a subnet.

    So you might not be able to reach another wifi client over the air directly, but you should still be able to send the packet to the bridge and the bridge will forward it back to the other wifi client, allowing indirect communications. So client isolation on a private bridged network should be ineffective as long as you allow ebtables to forward this traffic over the bridge.
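The three layers rafwes separates here (driver, bridge, router) as a small Python model, added for this thread and not taken from Tomato or Asus firmware: path() names where a frame between two hosts gets its forwarding decision, and allowed() says whether the driver's ap_isolate, the ebtables rules from post 13 or the iptables rule from post 5 can drop it there. Host names, the vlan3 DMZ port and the bridge-nf-call-iptables flag are constructed assumptions, and connection state (the --state NEW in post 5) is not modelled.

```python
"""Where a frame between two LAN hosts gets its forwarding decision on a
Tomato/Asus-style bridged LAN, and which mechanism from this thread can drop
it there: wireless driver (ap_isolate), bridge (ebtables) or router (iptables).
Constructed example, not firmware code; hosts and rules mirror the thread."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ANY = "*"  # rule wildcard: matches every bridge port / every bridge


@dataclass(frozen=True)
class Host:
    name: str
    iface: Optional[str]   # wl0 (main SSID), wl0.1 (guest VIF), vlan1 (LAN ports); None = router
    bridge: Optional[str]  # br0 or br1; the router has an address on every bridge


@dataclass
class Rules:
    # radios whose driver stops relaying client-to-client frames ("wl ap_isolate 1");
    # per the thread this is radio-wide, so "wl0" covers wl0 and every wl0.x VIF
    ap_isolate: Set[str] = field(default_factory=set)
    # ebtables FORWARD drops as (in_iface, out_iface)
    eb_forward_drop: List[Tuple[str, str]] = field(default_factory=list)
    # ebtables BROUTING: drop TCP from these interfaces to the router's LAN IP
    eb_broute_drop_tcp: Set[str] = field(default_factory=set)
    # iptables FORWARD drops as (in_bridge, out_bridge); conntrack state not modelled
    ip_forward_drop: List[Tuple[str, str]] = field(default_factory=list)
    # net.bridge.bridge-nf-call-iptables: when on, iptables also sees bridged frames
    bridge_nf_call_iptables: bool = False


def path(src: Host, dst: Host) -> str:
    """Where the forwarding decision for a frame from src to dst is taken."""
    if dst.iface is None:
        return "local"    # addressed to the router itself: DNS, DHCP, web UI
    if src.iface == dst.iface:
        return "air" if src.iface.startswith("wl") else "switch"
    if src.bridge == dst.bridge:
        return "bridge"   # same subnet, different bridge ports: L2 forwarding
    return "router"       # different bridges and subnets: IP routing


def _match(rules: List[Tuple[str, str]], a: str, b: str) -> bool:
    return any(ra in (ANY, a) and rb in (ANY, b) for ra, rb in rules)


def allowed(rules: Rules, src: Host, dst: Host, proto: str = "udp") -> bool:
    """True if a frame from src to dst gets through under this rule set."""
    p = path(src, dst)
    if p == "air":
        # two clients of one VIF: the driver relays the frame itself, it never
        # reaches the bridge or netfilter, so only ap_isolate can stop it
        return src.iface.split(".")[0] not in rules.ap_isolate
    if p == "switch":
        return True       # wired hosts on one switch VLAN: forwarded by the switch chip
    if p == "local":
        return not (proto == "tcp" and src.iface in rules.eb_broute_drop_tcp)
    if p == "bridge":
        if _match(rules.eb_forward_drop, src.iface, dst.iface):
            return False
        # iptables FORWARD is consulted for bridged frames only with br_netfilter on
        return not (rules.bridge_nf_call_iptables
                    and _match(rules.ip_forward_drop, src.bridge, dst.bridge))
    return not _match(rules.ip_forward_drop, src.bridge, dst.bridge)


# constructed hosts: one class C on br0, plus darkknight93's DMZ port on br1
ROUTER = Host("router", None, None)
LAPTOP = Host("private-laptop", "wl0", "br0")
PHONE = Host("private-phone", "wl0", "br0")
PRINTER = Host("printer", "vlan1", "br0")
GUEST_A = Host("guest-a", "wl0.1", "br0")
GUEST_B = Host("guest-b", "wl0.1", "br0")
DMZ_BOX = Host("dmz-box", "vlan3", "br1")


def darkknight93_rules() -> Rules:
    """iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP"""
    return Rules(ip_forward_drop=[("br1", "br0")])


def asus_ebtables_rules() -> Rules:
    """rafwes's sample: wl0.1 may only exchange frames with vlan2 (WAN). vlan2 is
    not a bridge member, so '-o ! vlan2' drops every bridge-forwarded frame from
    or to wl0.1; frames for the router itself (WAN-bound, DNS) are delivered
    locally, and the BROUTING rule then cuts TCP from guests to the router."""
    return Rules(eb_forward_drop=[("wl0.1", ANY), (ANY, "wl0.1")],
                 eb_broute_drop_tcp={"wl0.1"})


def full_isolation_rules() -> Rules:
    """The ebtables set plus driver isolation on the 2.4 GHz radio (all of wl0)."""
    rules = asus_ebtables_rules()
    rules.ap_isolate = {"wl0"}
    return rules


if __name__ == "__main__":
    pairs = [(GUEST_A, GUEST_B), (GUEST_A, PRINTER), (GUEST_A, ROUTER),
             (LAPTOP, PRINTER), (LAPTOP, PHONE), (DMZ_BOX, PRINTER)]
    for label, rules in (("darkknight93 iptables", darkknight93_rules()),
                         ("asus ebtables", asus_ebtables_rules()),
                         ("ebtables + ap_isolate", full_isolation_rules())):
        print(label)
        for s, d in pairs:
            verdict = "pass" if allowed(rules, s, d) else "DROP"
            print(f"  {s.name:>14} -> {d.name:<14} ({path(s, d):6}) {verdict}")
```

The matrix shows the cost the thread runs into: radio-wide ap_isolate also cuts private-laptop from private-phone, while the ebtables set alone still leaves guest-a and guest-b talking over the air.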
  40. philess

    philess Networkin' Nut Member

    Very well explained, thank you rafwes!
  41. Bird333

    Bird333 Network Guru Member

    I thought ebtables could work using MAC addresses so you can block traffic from one interface (MAC address of computer for example) to another. Is this not correct?
  42. Elfew

    Elfew Addicted to LI Member

    Interesting reading. I know that this function is in stock Asus fw.

    Is there any way how to implement this to Tomato? Something like in Windows - you can set public or home network... with public settings you cannot see other devices in network...
  43. Trent Bates

    Trent Bates Serious Server Member

    I really appreciate all of the information presented so far!
    I think I need an "iptables and ebtables for Dummies" book. :) Not because I'm a dummy, but because I'm starting from scratch in a way. Back in the days when it was more useful, I used to write batch files and Novell login scripts that were very complicated (150-300 lines) and I really enjoyed it. My problem right now is I don't understand the structure of these commands.

    Quick side question: (Thus a different color)

    Something about me can't stand how LAN (br0) was on VLAN1 and WAN was on VLAN2. I assumed it was assigned that way because of the sequential MAC order of the interfaces. My WAN interface is one number higher than my br0 interface.
    Long story short, I switched them around so that they appeared like so:
    VLAN1 = WAN
    VLAN2 = LAN0
    VLAN3 = LAN1, etc.

    I see references to WAN being assigned to VLAN2 and now I wonder if my OCDish behavior might cause me problems later. Does anyone think it matters?

    Also, I went back and checked my MAC addresses because I stated earlier that they were shared among two devices. I "know" better in general, but believed that it made sense from a certain point of view.
    In fact, all four ethernet ports and the 2.4GHz interface have the same MAC. I believed that somehow the WAN port also shared with something else, but it doesn't because the first octet is different instead of the last octet. It was just a bit too much to comprehend that the WAN and another interface were sharing somehow. :confused:
  44. Trent Bates

    Trent Bates Serious Server Member

    That's a good point! I wish I had an extra Tomato router and some current skill to investigate it!
    I do have a cheap ($15) On Networks N150R (Netgear's cheap label) that also does network isolation. I could try to get into that but then I'd have to learn those procedures too... I don't know if I want to do that.

    I can no longer be sure that the stock Asus firmware isolated each device from another, but I thought it did. I say that because when isolation was active, I couldn't print to my IP printers and I couldn't see other devices on the network. Turning off isolation fixed that immediately as I remember.
  45. philess

    philess Networkin' Nut Member

    Technically it shouldn't matter that now WAN is VLAN1 instead of VLAN2,
    but if you are using any additional scripts on your Tomato, they might
    assume that VLAN2 is still WAN. *might*... if it's a good script it will use
    the correct VLAN1 now.

    Your MAC addresses may appear to be the same at a quick look.
    When you create new virtual interfaces such as your guest network,
    a new MAC address is generated at random based on one of your
    already existing MACs. But, you can easily change almost all of your
    MAC addresses to whatever you want in the Advanced/MAC Address menu.
    Be aware that often (cable) modems need a reboot if you change
    your WAN MAC. And yes, all your ethernet ports have one single MAC,
    because the ethernet switch is one single device.

    For example I like to use fake MAC addresses which "resolve" to
    companies like Sega, Atari, Commodore, Nintendo :)
    Just to have some fun with those people who start up a WLAN
    scanner and look at the router manufacturers.


  46. Trent Bates

    Trent Bates Serious Server Member

    :D regarding Sega, Atari, Commodore, Nintendo, etc.

    Note that in my RT-N66U, the 2.4GHz radio is also using the same MAC as the 4 ethernet ports. (For the sake of later discussion) I have not modified any of the MAC addresses. I've noticed this since I unpackaged the unit because I have a list of MACs and the devices associated for the entire household.

    Also, the virtual SSIDs seem to have predefined MACs as well instead of generated MACs. Maybe there is something important about that information?
    Since you are expecting a RT-N16 soon, I'm interested to hear what you find along those lines!

    So, the consensus seems to be that ebtables working on MACs might be the direction to head in. I'm going to go searching!
  47. philess

    philess Networkin' Nut Member

    Wow that is a bit odd that your LAN and WLAN have indeed the same MAC,
    but well, since they cannot directly talk to each other it's not a problem, just weird.
    If you would set two WLAN interfaces to the same MAC, that would cause problems definitely.

    Yes the RT-N16 has just arrived some hours ago, but sorry, I already flashed Tomato and
    changed the MACs to new fakes :( Didn't pay attention to what they were before.
    When I am done setting everything up, I might reset everything, look at the MACs, and then
    go back to new settings from backup. Don't hold me to it though.

    If you find an iptables/ebtables for dummies ebook, please share! :)
  48. Bird333

    Bird333 Network Guru Member

    When I typed my previous reply, I was thinking more along the lines of users whose MAC addresses you knew. You could (I think) create rules for each of those interfaces to keep them from seeing each other. However, for random guest users that isn't going to work. I guess if some smart guy could write a script to check for new MAC addresses and then create an ebtables rule to match it that could work. I don't know how hard that would be though.
  49. philess

    philess Networkin' Nut Member

    That is a great idea Bird333! And making such a script would be quite easy:

    arp -a | grep " on br1"

    and go on from that. Write all new MACs to a file, create the rules, if a MAC
    has not been in the ARP table for X amount of time, remove the rule and
    remove the entry from the list. Check the ARP table every Y minutes, compare to the
    file, if new MAC = add to file. etc.

    But the problem is still creating those damn ebtables rules :(
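    The polling script philess sketches above, written out as an added example that is not code from this thread or from the Tomato project. It parses `arp -a` output for one interface, keeps the MACs it has seen in a state file, and prints the ebtables commands to add rules for newcomers and remove rules for clients that have disappeared. The interface names (br1 for the guest bridge, vlan2 for the WAN port), the chain name GUEST_MAC and the state file path are assumptions that you would adjust to your own router. As philess points out further down the thread, a client that never talks to the gateway never appears in the ARP table, so this only confines ordinary clients; the per-interface rules that the thread arrives at later do not have that gap.

```shell
#!/bin/sh
# Added example (not from the thread): confine guest MACs learned from the
# ARP table. Assumed (hypothetical) names: guest bridge br1, WAN port vlan2,
# user chain GUEST_MAC, state file /tmp/guest_macs.txt.
GUEST_IF="${GUEST_IF:-br1}"
WAN_IF="${WAN_IF:-vlan2}"
CHAIN="${CHAIN:-GUEST_MAC}"

# Print the MACs that `arp -a` reports on one interface, lower-cased and sorted.
# BusyBox line shape: "? (192.168.2.20) at AA:BB:CC:DD:EE:01 [ether]  on br1"
# $1 = text of `arp -a`, $2 = interface name
macs_on_iface() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $NF == ifc { for (i = 1; i < NF; i++) if ($i == "at") print tolower($(i + 1)) }
    ' | sort -u
}

# MACs in list $1 (newline separated) that are not yet recorded in state file $2.
new_macs() {
    touch "$2"
    printf '%s\n' "$1" | grep -v '^$' | sort -u | comm -23 - "$2"
}

# MACs recorded in state file $2 that are missing from list $1 (client left).
stale_macs() {
    touch "$2"
    printf '%s\n' "$1" | grep -v '^$' | sort -u | comm -13 - "$2"
}

# Rule pair for one MAC: drop bridged frames from it unless they leave via the
# WAN port, and drop bridged frames to it unless they arrived from the WAN port.
# ebtables FORWARD only sees frames switched between bridge ports; frames
# addressed to the router itself (DHCP, DNS) go through INPUT and are untouched.
# $1 = ebtables action (-A to add, -D to delete), $2 = MAC
mac_rules() {
    printf 'ebtables %s %s -s %s ! -o %s -j DROP\n' "$1" "$CHAIN" "$2" "$WAN_IF"
    printf 'ebtables %s %s -d %s ! -i %s -j DROP\n' "$1" "$CHAIN" "$2" "$WAN_IF"
}

# One polling pass: $1 = `arp -a` output, $2 = state file. Prints the ebtables
# commands to apply (on the router: sync_guest_macs "$(arp -a)" /tmp/guest_macs.txt | sh)
# and rewrites the state file with the MACs currently present.
sync_guest_macs() {
    current=$(macs_on_iface "$1" "$GUEST_IF")
    for m in $(new_macs "$current" "$2"); do mac_rules -A "$m"; done
    for m in $(stale_macs "$current" "$2"); do mac_rules -D "$m"; done
    printf '%s\n' "$current" | grep -v '^$' > "$2" || :
}
```

    Run it from cron every few minutes on the router, after creating the chain once with `ebtables -N GUEST_MAC` and linking it with `ebtables -I FORWARD -j GUEST_MAC`. The state file is what lets a later pass delete the rules of a client that has gone, so it must survive between runs.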
  50. Trent Bates

    Trent Bates Serious Server Member

    Here are a couple of interesting posts I've found regarding ebtables. Most of this thread gets messy quickly so take it all with a grain of salt.


    http://www.linksysinfo.org/index.ph...s-from-wired-side-of-network.9485/#post-43311 I see that Bird333 posted right below this one.

    These posts show something similar to what rafwes posted here in #13. I do hope that rafwes knows that I've kept this in mind as this thread has meandered about, I'm just trying to understand how it works and how to apply it.
  51. Bird333

    Bird333 Network Guru Member

    This was discussed on smallnetworkbuilder forum. I don't know why ASUS did this but in my opinion that is in error. Each interface should have a unique MAC for maximum options in dealing with packets. As we see here that might be necessary. :) Also Trent, if I remember correctly there is also something known as 'arptables'. :D
  52. Bird333

    Bird333 Network Guru Member

    I think creating the rules is the least of the problem. As long as ebtables is loaded on the router, that shouldn't be a big deal. We still run into the issue of the order of the rules just like iptables. It shouldn't be as much of an issue because most people don't regularly create ebtables rules as they do iptables.
  53. Trent Bates

    Trent Bates Serious Server Member

    I've always assumed that the 2.4GHz unit was on the 5th port of the "4 port switch" and that's why it shared a MAC. (I don't remember the details, but switch chipsets come in certain configurations. A basic 5 interfaces = 4 ports and one internal, 2x5 interfaces = 8 ports and two internal, etc.)
    I can't remember anymore, but it seemed like there might not have been a method to isolate 2.4GHz from LAN or even 5GHz from LAN. The isolation setting might have only been on the 6 guest WLANs. (3 2.4GHz, 3 5GHz)
    Actually, the setting was called "Access Intranet" with options for "on" or "off". (attachment: guest2.png)

    If that's all that is possible/needed, how hard would it be to have a simple rule that would isolate wl0.1 (and a rule for wl0.2, wl0.3, wl1.1...) from eth1 or eth2 or whatever might collectively constitute other clients. Isolate virtual from physical.
    In other words, step 1 might be to simply isolate wl0.1 from wl. Then the same rule could be modified and applied to wl0.2, etc.
    Could it be as simple as only allowing wl0.1's MAC to interact only with WAN's MAC? Break all connections and then allow what is needed. Unspecified connections would be forbidden further down.
    Is that the right approach?
    01 Allow A to talk to B.
    02 Allow B to talk to A.
    03 Block everything else.

    The more I think about it, I do really believe that stock ASUS firmware as well as my cheap N150R router were able to isolate each client from each other. I depend on interconnectivity a lot and ran into situations where I needed to turn off the feature to print or access a share on various devices. We often simply stream media from one of the shares on a NAS or PC. I have allowed one guest SSID to do so while blocking another within the RT-N66U.

  54. philess

    philess Networkin' Nut Member

    I think you have been thinking about this too much now :) You should take a break,
    leave it alone for a day and then look at it again.

    You are mistaking wl0.1, wl0.2 etc. for clients. wl0.1 is a network device. Virtual, yes, but still a network.
    Isolating wl0.1 from wl0.2 is no problem at all, we can do that easily. Same as the actual wl0 or wl1.

    What we want, and this thread has been about, is to isolate not networks, but clients within one network.

    So all clients that are inside wl0.1 should only talk to WAN, or services on the router such as DNS,
    but are not allowed to talk to any other clients that are in wl0.1 too.

    Scenario: Hotspot for guests, they can all surf the web, but should not access each other.
    The hotspot wifi network is wl0.1, a virtual network that is based on the actual wl0 (uses the
    same radio device, but different SSID/WPAKEY, and usually different SUBNET). Now we want
    to isolate everyone from each other inside of that wl0.1.

    For that we seem to need two things:

    1. The wireless driver needs to use AP isolation to not allow the clients to talk directly to each other over WiFi.
    2. We need to block all routing on the router side from one client to another, only allow WAN/DNS/DHCP.
  55. Toastman

    Toastman Super Moderator Staff Member Member

    Tomato's AP Isolation appears to be somewhat temperamental. Although the "feature" has been part of the GUI for several years, many people found it doesn't actually work properly. Probably because it is dependent on the wireless driver, and there have been quite a few changes in recent years. There was a post here on the forum recently about it, I recall.

    Just as an aside, here where I live I often get called on to go look at nonfunctioning wifi installations in apartment blocks. There have been a great many different systems in use, and I never saw one yet that had guests isolated from each other.
  56. Bird333

    Bird333 Network Guru Member

    This is why we need a script that won't give an IP until their MAC has been added to an ebtables rules to block access to others.
  57. philess

    philess Networkin' Nut Member

    That wouldn't change much in regards to security though.
    If you "delay" the DHCP for that MAC, create the rule, then give the IP, nothing is stopping a user
    from simply not using DHCP, assigning an IP himself and using the network without that rule.

    If we create that rule automatically, it must be based on the ARP table. Because whether he uses
    DHCP or not, every client that talks to the router (wants internet etc) will show up there.
    Only a client that explicitly does not talk to the gateway won't show up there, but I think that will
    be very rarely the case in most scenarios. Anyway, this is only intended to stop normal users
    from accessing each other ("Firewall? What's that?") so that average people are protected from
    each other. If someone is clever enough to not use DHCP, not access the gateway at all and then
    try to attack another client, well then... :)

    But that is all under the assumption that we need a rule for every single MAC.
    If we find a way to block the intra-network traffic in general, the above won't matter at all.
    Even if a client manages to sneak in that way, he still won't be able to talk to the others.
  58. Monk E. Boy

    Monk E. Boy Network Guru Member

    By the way, I've noticed that on RT-N66Us the MAC addresses aren't set correctly after flashing to Tomato. You need to manually go into the MAC Address page (under Advanced) and click Default for all interfaces. The MAC addresses should then all have been changed to unique values. Hit apply and your router should come back with a new MAC address, which will likely disrupt wireless communication for a while.

    If you do start to look into iptables and etables, don't be discouraged if things don't entirely make sense. Tomato, like most unix operating systems, has been customized for its own priorities, so things won't always line up 1:1 with documentation you'll find out on the internet. 95% of what you're looking for will be out there and documented, same as any other Linux distribution, but the last 5% though will be Tomato specific.

    FWIW, normal Tomato distributions only implement iptables, not etables. ASUS has made some pretty extensive changes which is why they have etables (among other things). You can add etables to Tomato but it's kind of involved (you'll need a flash drive or hard drive plugged into the router, plus formatting/partitioning it properly for Linux, plus downloading/installing/configuring entware, then pulling etables from entware... involved...).
    philess likes this.
  59. Bird333

    Bird333 Network Guru Member

    You are quite right. The goal is not to give network access (well except to the router) until the rule is added. I hope there is a simpler way to do this but based on what Toastman has said it doesn't seem to be. It would be good to have a whitelist too in case you have machines that you don't mind accessing each other (i.e. all the kids' devices :)).
  60. jerrm

    jerrm Network Guru Member

    A little misleading depending on your definition of "normal Tomato distributions." Most of Shibby's and I'm pretty sure Toastman's K26 builds include ebtables. Not sure about the 4MB builds, but I'm at the point I don't use any 4MB hardware at all.
  61. philess

    philess Networkin' Nut Member

    Oh maybe he didn't exactly mean "don't include ebtables" but more "don't make use of the functionality".

    @Bird333 I personally wouldn't need a whitelist there at all. Imho, clients that should be allowed to access
    each other shouldn't be in that network at all, use a separate network for those clients.

    Guest network (Hotspot) = for everyone, no access to each other
    Private network = for the trusted clients, can access each other

    But that's just me. Sure if possible we can add a whitelist option to the script then.
  62. Trent Bates

    Trent Bates Serious Server Member

    Ha! :) I may very well be over-thinking this, but I'm not saying what it sounds like I'm saying. :) I don't mean to mistake virtual devices for clients. I was just using shorthand in a way.

    I'm thinking of everything such as clients, interfaces, networks and virtual networks as their basic identifying feature which I've equated to their MAC addresses. If iptables and/or ebtables can act on MACs, does that help? I might be behind most of you in my thought process though.
  63. philess

    philess Networkin' Nut Member

    Yes, if we can get ebtables to act upon MAC addresses (which is what it is supposed to do) that
    would help. I don't think that that is even the actual problem, we can sure figure that out.
    Maybe tomorrow I will spend (too much) time on it.

    The real issue is though, even if ebtables works and we block traffic between clients on the router,
    it is still WLAN. So the clients can talk directly to each other. ebtables alone is useless for WLAN.
    If this was about LAN, ebtables would be the sole solution. What we really need is the AP isolation
    to be working, and then additionally ebtables can block on the router side.
  64. jerrm

    jerrm Network Guru Member

    Has anyone actually tested this yet? I have my doubts that the linux stack would even see packets from one wireless client to another if they are on the same ssid.
  65. Monk E. Boy

    Monk E. Boy Network Guru Member

    Eh? Was it added fairly recently? Like in the last six months?

    Tomato v1.28.0500 MIPSR2Toastman-RT-N K26 USB Ext
    root@rooter:/tmp/home/root# etables
    -sh: etables: not found
  66. philess

    philess Networkin' Nut Member

    ebtables ;) But I am sure it was just a typo this time and it's actually not installed.
  67. Monk E. Boy

    Monk E. Boy Network Guru Member

    Sadly I'm afraid it's just me being ignorant. Sorry guys, I honestly didn't realize it was present.

    root@rooter:/tmp/home/root# ebtables
    ebtables v2.0.10-2 (July 2011)
    ebtables -[ADI] chain rule-specification [options]
    ebtables -P chain target
    ebtables -[LFZ] [chain]
    ebtables -[NX] [chain]
    ebtables -E old-chain-name new-chain-name


    I had googled etables but didn't spot the b until a couple minutes ago when I was about to close the ebtables documentation. I looked, looked again, and had an "ohhh crap" moment.
  68. Trent Bates

    Trent Bates Serious Server Member

    Hi all,

    So, I think I'm understanding what is being said about all the devices on a WLAN interface and the driver needing to be in isolation mode.

    I realize this might not help everyone, but bear with me for a bit.
    I said somewhere above a couple of days ago that my understanding was that the Broadcom drivers used in the ASUS devices were closed source. It's a binary file that is included in the firmware but not available for inspection, modification, dissection, etc. Because of this, doesn't Tomato have to include the same drivers? They aren't reverse engineered or a partial subset of the originals.

    I believe that the same drivers used by ASUS 6+ months ago when I got my RT-N66U allowed for wireless isolation. I used it right away and it worked well. I have recalled situations that indicated it was working.
    (To support my assertion from a different angle, the feature also works in a cheap On Networks N150R that I paid $15 for. As a matter of fact, I cannot even get to the router's web interface wirelessly once the feature is activated on that unit. Tried it yesterday and was briefly confused that I had to connect physically to continue managing it.)

    I got my RT-N66U with ASUS firmware v.112 and we are now up to v.270 and v.354 is in beta. I don't exactly know what version of Broadcom drivers exist in those firmware versions, but I didn't think Tomato was using much older versions. That's something to check out I guess.

    Assuming that Tomato is using Broadcom drivers that have been capable of isolation under ASUS firmware, does that mean that the feature exists somehow but isn't activated by Tomato? If so, how can it be activated?

    When I issued an NVRAM SET wl0_ap_isolate=1 command, I also immediately modified the state of the checkbox for 2.4GHz in the Tomato GUI. Is that all that I accomplished? Did the driver ignore that command? (I realize that we probably don't know.)

    Is there possibly a unique set of commands for this with the Broadcom drivers?

    On the other hand, jerrm stated a couple of posts above that this might not even be an issue anyway.
    I'm interested in testing this, but I need to understand what I need to do to be sure I'm only testing one thing at a time.
    I have a couple of wireless IP printers and my laptop on the actual 2.4GHz interface. Nothing virtual. I can activate AP_isolation in every way I know how and see if I can see the printers/scanners. One even has a web interface that I can check.

    In the past, enabling isolation on the RT-N66U or the $15 unit was enough to keep me from seeing, printing and scanning. The scanner also could not detect target devices to send to. It worked the way we'd expect it to.
    Those that say they haven't seen isolation work in lots of different equipment are surely correct, but I've seen it here with two newer pieces of equipment. It might not be as thorough as enterprise level equipment. ;) I have no idea at the moment.

    I'll test this in a bit, but I imagine that I'm missing something as stated earlier. What can I do to be sure I'm testing properly?
  69. Trent Bates

    Trent Bates Serious Server Member

    I did as I described above.

    I enabled isolation via nvram commands and checked the GUI. I "commit"ed and rebooted.
    NVRAM now reports:
    Wireless printers/scanner and wireless laptop on non-virtual 2.4GHz.

    I cannot see them, scan from them, print to them. Yay!
    (I can still see my Linksys NSLU2 that is on LAN port 4 of the RT-N66U.)

    BUT, I can still see devices on some of the virtual 2.4 GHz WLANs (wl0.2 from wl0).

    I'm going to hop on one of the virtual WLANs and see if I can see devices from within that SSID...
    Did that, and I can still see a couple of Chumbys on this SSID. I can see the wireless stats page from the Chumby update periodically and the values change.
    I now also see the printers/scanner on wl0 from wl0.2.
    There seems to be nothing blocking guest virtual WLANs from seeing private WLANs with AP_isolation on.

    I need to make a chart!

    It seems to me the problem can be summed up by saying that the 6 virtual WLANs need isolation controls. They are probably there, but I don't know how to modify them.

    I wonder if anyone can look at the source code for ASUS firmware (not the driver code) and see what that firmware does to enable AP_isolation on guest WLANs. It would be great if it was a unique set of nvram commands that could be set or something that could be added to Tomato soon!
    philess likes this.
  70. jerrm

    jerrm Network Guru Member

    Does the stock ASUS firmware support multiple SSIDs with isolation? If it does and it works it shouldn't be too hard to reverse engineer if it's a simple nvram setting.

    The seeing each other across vlans or virtual SSIDs would be expected if the router is configured for them to.
  71. Trent Bates

    Trent Bates Serious Server Member

  72. jerrm

    jerrm Network Guru Member

    Try this:
    1. Go back to ASUS firmware
    2. Set up the SSIDs the way you want without isolation and test.
    3. Save the output of nvram show and iptables -vnL.
    4. Enable isolation and test again.
    5. Save the output of nvram show and iptables -vnL.
    6. Run a diff against the saved output.
    Also, I would try the same against RMerlin's build and see if you get the same results.

    It may be simple nvram settings we can duplicate, if there is code making it happen, then you would need to dig into the ASUS source. Either way, if it really works, it can probably be brought into Tomato, it will just take someone who cares enough to make it happen. I have the feeling it's not really on Toastman/Shibby/Victek's list of priorities, but I doubt they would have any problem porting the ability if the legwork is already done.
    philess and Elfew like this.
  73. Elfew

    Elfew Addicted to LI Member

    Please let us know about the results
  74. Trent Bates

    Trent Bates Serious Server Member

    I will have to wait just a bit before going through those steps. I have almost everything I need to run that test except for the block of uninterrupted time it would require. My RT-N66U is in use and I'm not the only one depending on it. ;)

    I have asked for RMerlin's help on smallnetbuilder in hopes that he might be able to quickly tell us where to go since he focuses on ASUS firmware and the modification of it. He might be able to quickly look it up with the degree of understanding he probably has.

    Sort of related, I happened across a recent post by RMerlin about the drivers used by ASUS currently and that general version number matches what I get in the "[TomatoUSB] About" screen of Tomato.
    I would guess that the drivers being used by Tomato are the same used currently by ASUS. So, there's that!
  75. w11x22

    w11x22 Networkin' Nut Member

    Hi Trent
    I am not a Network Guru, just have some basic knowledge. I had posted the same thing in this forum and am yet to get an answer. I tried Merlin for a few weeks and it worked flawlessly for the GUEST but it looks impossible in Tomato... I love Tomato and am addicted to it so can't go back to Stock... Wish it (GUEST Setup) were as simple as in Merlin or Stock... Here is the link to my question...

  76. Trent Bates

    Trent Bates Serious Server Member

    RMerlin is not able to offer as much help as I was hoping for.

    One option that others have mentioned in other threads and that might be a good workaround is to run guest clients the main interface and use isolation there. Then run the private network on a virtual interface.

    Of course, there's still the method that already works of using a different subnet. (Is that really the correct way to say it?)

    I still plan to load ASUS firmware and save nvram and iptables with guest isolation on and off and see if there are any differences that can be found.

    I too feel that I can't fathom going back to ASUS firmware. I have had such better performance and stability with Tomato that I'm hooked. I just would like to customize it a bit more I guess.
  77. Elfew

    Elfew Addicted to LI Member

    Ok compare nvrams or just upload them there and maybe we can find a solution
  78. Trent Bates

    Trent Bates Serious Server Member


    GOT IT! A user by the name of "dodava" on Smallnetbuilder provided the command necessary to enable guest isolation!

    I've tested it for a few minutes and it seems to work! I can continuously ping another device on the same guest interface and toggle the isolation on and off!

    For RT-N66U:
    wl -i wl0.1 ap_isolate 0 (or 1) to toggle state of guest 2.4GHz 1
    wl -i wl0.2 ap_isolate 0 (or 1) to toggle state of guest 2.4GHz 2
    wl -i wl0.3 ap_isolate 0 (or 1) to toggle state of guest 2.4GHz 3
    wl -i wl1.1 ap_isolate 0 (or 1) to toggle state of guest 5 GHz 1
    wl -i wl1.2 ap_isolate 0 (or 1) to toggle state of guest 5 GHz 2
    wl -i wl1.3 ap_isolate 0 (or 1) to toggle state of guest 5 GHz 3

    wl -i wlx.x ap_isolate [Enter] will show the current state of the interface specified

    This command also works with the physical interfaces of eth1 and eth2.
    wl -i eth1 ap_isolate

    Here's dodava's post: (I don't know if an account is needed to see it.)

    As I understand it, ebtables is probably still needed to isolate interfaces from each other, but this is a great start! I wonder if I could have found this by comparing nvram?
  79. Trent Bates

    Trent Bates Serious Server Member

    Further information: This may seem obvious, but it might help someone out.

    Issuing the new commands on an interface that's not active returns an error. In the top example, I hadn't yet set the first 5GHz virtual SSID, then I did.

    wl -i wl1.1 ap_isolate
    wl: wl driver adapter not found
    wl -i wl1.1 ap_isolate
    Also, it appears that nvram doesn't "know" about these settings. I'm talking to the drivers directly. (As someone earlier in this thread mentioned) It would seem that these settings probably can't be saved in nvram as it exists.

    Eventually, someone might modify Tomato's UI to use these settings, but until then:
    How would these settings, and the necessary ebtables be entered in Tomato so that they would survive a reboot and automatically occur on startup?
  80. jerrm

    jerrm Network Guru Member

    Great news!

    The GUI firewall script would probably be the best location. It should be called anytime interfaces are modified.
  81. Bird333

    Bird333 Network Guru Member

  82. philess

    philess Networkin' Nut Member

    I don't think there is publicly available documentation on the driver from Broadcom.
    I looked at the DD-WRT wiki some time ago too, but found that a lot of commands
    didn't work on my E4200/Tomato. I would assume that their Wiki page is also based
    on an older WL version, probably not up to date.

    Yes, putting the correct wl commands and the ebtables in the firewall script section
    would be the best way to go. Integrating it into the WebUI itself, dunno. I kinda expect
    the driver/isolation to sometimes work and sometimes not, depending on router model
    and hardware revision. Sure it could be integrated in the UI but might not be easy to
    make it work reliably. Maybe better to add it yourself through the scripts section.

    Unfortunately I won't have time to really test this find by Trent the next few days,
    but I am eager to hear how it works for other users :) Thank you Trent!
  83. Trent Bates

    Trent Bates Serious Server Member

    I'm just really glad that we've gotten somewhere with this! :) I appreciate everyone in this thread that has fueled the discussion and helped figure out what is needed. I do hope that it's something fairly universal when all is said and done.

    I could really use some help with the ebtables concept. I am envisioning a color coded example that can eventually be posted for others. Something like:

    wl -i wl0.1 ap_isolate
    ebtables -A FORWARD -i wl0.1 -o ! vlan2 -j DROP

    black = command
    purple = interface
    red = option

    with explanations of what each part does.
    It would be nice to have a generic set of commands that the
    interfaces can be manually "plugged" into as the script is
    copied or entered.
    It would also be nice to have a complete set of rules that
    block all virtual interfaces from interacting. Then the person
    could possibly comment out (or remove/change) what they'd like.

    If this made it into the GUI, that would be great, but I understand
    that it might only work in some hardware and might not be a
    feasible option.
  84. kthaddock

    kthaddock Network Guru Member

    Use "ebtables -h" to see which commands can be used with ebtables
  85. Trent Bates

    Trent Bates Serious Server Member

    Hi all,
    I haven't really had time to work with any of this the last few days. I'm still planning to get a grip on ebtables.

    I'd really like to see a before/after ebtables listing from an RT-N66U with isolation turned off/on on a guest interface. I'd like to see the actual effect as opposed to generic examples.
    I might revert to ASUS firmware and check this out myself soon, but it won't be today, Saturday or Sunday. (Too many users and other stuff to tend to.)

    Perhaps someone here has an "ASUS firmware'd" device at their disposal?
  86. Bird333

    Bird333 Network Guru Member

    You mean you don't have at least two spare routers? What kind of router geek are you? :D
    philess likes this.
  87. Trent Bates

    Trent Bates Serious Server Member

    :D A poor one maybe? :D
    philess likes this.
  88. darkknight93

    darkknight93 Networkin' Nut Member

    Trent Bates and philess like this.
  89. Trent Bates

    Trent Bates Serious Server Member

    Hi all,

    Thanks to an individual named jobongo at smallnetbuilder.com, I have what he's found to be the ASUS ebtables entries that provide isolation between interfaces.

    I need to point out that it's nearly identical to what rafwes posted in #13 above. I've always believed that rafwes's post was correct, but I didn't have enough understanding yet to "get it". Rafwes has an additional line above that I'd like to get a handle on as well.

    In any case, this is the exact stuff I've put in my firewall script:
    There are a few changes that someone else might need to make if they are to use these entries. I have reorganized my "vlan" numbering because it bothered me the way it was. My WAN is now vlan1 instead of vlan2.
    I've added unnecessary entries for wl1.1 to wl1.3 even though I don't have those interfaces active right now. I view that as my desired "default" state so I put the entries in there. If I use a 5GHz guest interface, it will be isolated already.
    Also, as you can see, I have left wl0.2 in "non-isolated" mode.
    Lastly, I have decided to FLUSH the ebtables first with "ebtables -F" so that it didn't fill up with duplicate lines. My ebtables was empty but someone else might have entries in there already and might not want to use the FLUSH command. There's probably a more elegant way to handle this.
    wl -i wl0.1 ap_isolate 1
    wl -i wl0.2 ap_isolate 0
    wl -i wl0.3 ap_isolate 1
    wl -i wl1.1 ap_isolate 1
    wl -i wl1.2 ap_isolate 1
    wl -i wl1.3 ap_isolate 1
    ebtables -F
    ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
    ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP
    ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
    ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP
    ebtables -I FORWARD -i wl1.1 -o ! vlan1 -j DROP
    ebtables -I FORWARD ! -i vlan1 -o wl1.1 -j DROP
    ebtables -I FORWARD -i wl1.2 -o ! vlan1 -j DROP
    ebtables -I FORWARD ! -i vlan1 -o wl1.2 -j DROP
    ebtables -I FORWARD -i wl1.3 -o ! vlan1 -j DROP
    ebtables -I FORWARD ! -i vlan1 -o wl1.3 -j DROP
    So, that's what I have so far. I'd like some input from any of you about all of this! I do like how "self-contained" this has turned out to be. These entries in the firewall section are all that are needed! :)
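    The firewall-script entries above, and the `wl ... ap_isolate` commands from post #78, restated as a generator script. This is an added example, not code from this thread or from the Tomato project. It assumes the WAN port name is in WAN_IF (stock Tomato uses vlan2; the poster renumbered his to vlan1), that the guest interfaces to isolate are listed in ISOLATED and the one left open in OPEN, and that the rules live in a user chain named GUEST_ISO. Using a dedicated chain is the "more elegant way" the post asks about: re-running the script rebuilds only that chain and keeps exactly one jump to it from FORWARD, instead of an `ebtables -F` that would wipe rules anyone else had placed there. It also guards each `wl` call, since the thread notes that an inactive virtual interface makes `wl` fail with "wl driver adapter not found". The `! -o vlan2` form is the same negation as the post's `-o ! vlan1`, written in the position ebtables documents.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent generator for the guest
# isolation rules. Assumed names: WAN port vlan2, user chain GUEST_ISO.
WAN_IF="${WAN_IF:-vlan2}"
ISOLATED="${ISOLATED:-wl0.1 wl0.3 wl1.1 wl1.2 wl1.3}"
OPEN="${OPEN:-wl0.2}"
CHAIN="${CHAIN:-GUEST_ISO}"

# Two rules per guest interface. ebtables FORWARD only sees frames switched
# between bridge ports, so with the WAN port outside the bridge (Tomato's
# normal layout) these drop every bridged frame from or to the guest port,
# while frames addressed to the router itself (DHCP, DNS, traffic routed to
# the WAN) pass through INPUT and are unaffected.
# $1 = guest interface name
iface_rules() {
    printf 'ebtables -A %s -i %s ! -o %s -j DROP\n' "$CHAIN" "$1" "$WAN_IF"
    printf 'ebtables -A %s ! -i %s -o %s -j DROP\n' "$CHAIN" "$WAN_IF" "$1"
}

# Driver-side isolation: stops clients on the same SSID talking directly over
# the air, which no ebtables rule can do. The command is guarded because wl
# errors out on an interface that is not active.
# $1 = interface name, $2 = 1 to isolate, 0 to allow
ap_isolate_cmd() {
    printf 'wl -i %s ap_isolate %s 2>/dev/null || echo "skipping %s (not active)"\n' "$1" "$2" "$1"
}

# Full firewall-script text: create the chain (or flush it if it already
# exists), remove any old jump, insert a single new jump, then the rules.
build_firewall_script() {
    echo "ebtables -N $CHAIN 2>/dev/null || ebtables -F $CHAIN"
    echo "ebtables -D FORWARD -j $CHAIN 2>/dev/null"
    echo "ebtables -I FORWARD -j $CHAIN"
    for ifc in $ISOLATED; do
        ap_isolate_cmd "$ifc" 1
        iface_rules "$ifc"
    done
    for ifc in $OPEN; do
        ap_isolate_cmd "$ifc" 0
    done
}

# On the router:  build_firewall_script | sh
# or paste the printed lines into Administration > Scripts > Firewall.
```

    After applying it, `ebtables -L GUEST_ISO` should list the two DROP rules per isolated interface and `wl -i wl0.1 ap_isolate` should print 1; a ping between two guest clients on wl0.1 failing while both still resolve DNS and reach the internet is the end-to-end check.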
  90. Bird333

    Bird333 Network Guru Member

    I assume this is working how you want, correct? Everything looks fine. I would just say though that I don't think you need ebtables for those commands. You can do the same thing with iptables. Of course, as we have discovered, you need those 'wl' commands to keep wireless clients on the same interface from seeing each other, but the rest can be done with iptables. Also, I haven't tested this, but I think you only need the 'iptables/ebtables -I FORWARD -i ! vlan1 -o wl0.x -j DROP' rules if your interfaces are in the same subnet. If you have them on separate subnets then they wouldn't be necessary. But this begs the question: if you don't want any of your interfaces to see each other, then why not just put them on different subnets? Maybe I missed it/forgot it from your OP.
  91. jerrm

    jerrm Network Guru Member

    I don't think iptables can even see the individual interfaces (eth0, wl0.x, vlan1, etc.) contained in the bridge; it doesn't look like Tomato includes physdev. It pretty much has to be ebtables when controlling what passes over the bridge.

    Why not use subnets is a valid question though, but there are always edge cases where it would be helpful. In some ways this would be easier than setting up separate DHCP entries, bridges, etc. in the GUI, not saying I would make it normal practice though.
  92. Bird333

    Bird333 Network Guru Member

    You may be right, but I thought at one time I had some iptables rules that were applied to wl0.1.
  93. Trent Bates

    Trent Bates Serious Server Member

    Way up top, buried in the middle of a lot of stuff :D, I said that the reason I wanted this instead of setting up clients on a second bridge is:
    I want to apply individual bandwidth limits per MAC.
    I want to see these guest clients in the charts screen, etc.
    The factory ASUS firmware was capable of guest SSIDs on the same class C.
    Why not in Tomato?
  94. Malitiacurt

    Malitiacurt Networkin' Nut Member

    You can apply these bandwidth limits per MAC and see guest clients on the charts screen with different subnets.

    You have to use Shibby's mod though. The 'vanilla' B/W limiter included in Toastman's (not sure about Victek's) does not include the ability to limit bandwidth on multiple subnets, only br0. Can also see IP-traffic monitoring and web-usage on the different subnets.
  95. Trent Bates

    Trent Bates Serious Server Member

    I'm using what I believe is Shibby's latest release. This is what I have in the [About] tab. "Built on pon, 04 mar 2013 09:42:55 +0100 by Shibby, http://openlinksys.info"

    In this build, I can create individual bandwidth limits for a MAC address under the br0 section, but it doesn't have the desired effect on that MAC if it's on br1. (That makes sense since that is the way the screen reads.)

    Yes, I can see bandwidth and IP traffic on more than one bridge, but it adds unnecessary complexity now that I've gotten this working. :)
  96. Malitiacurt

    Malitiacurt Networkin' Nut Member

    The reasoning behind why you'd do this is wrong. Why would you bandwidth limit by MAC address on the guest network? It should be done by IP range and a default class rate.

    If it's a known guest, you give that MAC a static IP outside the DHCP range so he gets a bit 'higher' bandwidth priority. (Eg DHCP for guest is Give static IP's to known guests

    Then other unknown guests will be put in the default class rate.

    By your logic, when a guest connects, he is NOT bandwidth limited UNTIL you log into the router and add his mac into your bandwidth limiter table.

    And as of right now, I don't see what's stopping your guests from setting a static IP on their own computer to be in the range of your network br0, hence circumventing the guest isolation.
  97. Bird333

    Bird333 Network Guru Member

    Well iptables will take the rule below. I don't know if it works because I haven't tested it.
    iptables -I FORWARD -i wl0.1 -o wl0.2 -j DROP
  98. jerrm

    jerrm Network Guru Member

    It will also take "iptables -I FORWARD -i notaninterface -o bogusinterface -j DROP." That doesn't really mean anything. Try a simple log rule, I doubt anything happens.
  99. Trent Bates

    Trent Bates Serious Server Member

    Malitiacurt, You raise good points in a typical "guest" sense. My situation is somewhat specific.
    Let me see if I can make some sense of it without writing a novel. ;)

    Nobody on my router is an unknown guest. I'm using the word "guest" out of convenience to refer to a group of devices that do not stay here all the time. These devices are frequently on other networks, possibly unprotected and I don't own them. It's a BYOD scenario.

    Every device I'm referring to has an assigned IP but I filter by MACs.

    These 6 devices have access to only one virtual SSID. That SSID is what I have isolated from other SSIDs. They are in the same class C as everything else, but can't see anything but WAN.

    Some of these devices tend to use more data than I'd like. I could set up QoS, but I'm really trying to keep their data usage to a steady flow instead of periodic spikes.
    Two stationary examples are a Nintendo Wii and a Roku streaming Netflix. They can be given a relatively low speed limit (640-768Kbps down) and stream perfectly.
    This keeps them from sucking up all the bandwidth they can get for a few moments at a time.
    This is why I prefer individual MAC bandwidth limiting. If I group them all in br1 and limit that, these 6 devices fight among each other more than I'd like for that group's bandwidth.

    I hope this makes more sense now. I am open to other thoughts and ideas!
  100. Armand1234

    Armand1234 Addicted to LI Member
