Allow only access to local subnet for specific SSID

TP-Link APs allow to filter traffic so that you can create an SSID like "OnlyLocal". Then you can set up that only access to local subnet is allowed. Clients in "OnlyLocal" get the same IP/are on the same subnet like clients in "FullAccess".
Is that possible with OpenWRT? I guess so. Can you point my to the right documentation?

In general, not on any device (traffic addressed for the same subnet does not need to pass the routing/firewall engine of the Kernel and never reaches it).

But...if you place these devices on different VLANs and bridge them for example...there may be some bridge filtering you could implement. I'm not too familiar with that - I'm sure others will chime in.

Do you have some use case where you need only broadcast packets or something?

Otherwise, I don't see why you don't setup another interface/network/IP range/SSID/etc. and only permit Firewall default forwarding to FullAccess? :thinking:

Found out how this is possible.

You need to install

opkg update
opkg install kmod-br-netfilter iptables-mod-physdev

This module is responsible for availability of -m physdev in iptables

This module forwards Layer 2 packets to Layer 3 so iptables/netfilter can handle.

You have to enable this behavior:

#runtime
sysctl -w net.bridge.bridge-nf-call-iptables=1

#make changes permanent
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-iptables=1
EOF

Give the interface the SSID "OnlyLocal" runs on a name. This makes it much easier transferring the rule to another device.
a) Webinterface
image
or
b) /etc/config/wireless

config wifi-iface 'OnlyLocal'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OnlyLocal'
        option encryption 'sae-mixed'
        option max_inactivity '3600'
        option key 'uN5fSfBuHrtLCVK1ydx1'
        option ieee80211r '1'
        option mobility_domain '1111'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'
        option ifname 'onlylocal'

Important is the last line, not the first with config wifi-iface

Now set a custom rule

iptables -I FORWARD ! -d 192.168.1.1/24 -m physdev --physdev-in onlylocal -m comment --comment "Only Local" -j REJECT
iptables -I FORWARD -d 255.255.255.255  -m physdev --physdev-in oertlich -m comment --comment "Broadcast / DHCP" -j ACCEPT

Done. Now devices in SSID OnlyLocal can only access local network.

Note:
If you're using tagged VLANs according to IEEE 802.1Q and as soon as you set sysctl -w net.bridge.bridge-nf-call-iptables=1 you need two special rules, because OpenWRTs default FORWARD policy is to drop and none of the predefined policies will match. So your SSIDs configured to a VLAN won't work anymore.

When using a VLAN19 like described there Use SSID in specific VLAN - Wifi connection can not be established - #15 by VLANMaster you need these settings:

iptables -I FORWARD -m physdev --physdev-in eth0.19  -m comment --comment "VLAN19" -j ACCEPT
iptables -I FORWARD -m physdev --physdev-out eth0.19  -m comment --comment "VLAN19" -j ACCEPT

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.