AP isolation route to router

I'm running pfSense as router and OpenWrt configured as a dumb AP. I have all devices connecting to the AP in the same VLAN but different IP segments. The topology is like this:

  • All-in-one-VLAN: with PC assigned to and Phones assigned to, all via mac address allow in DHCP server inside pfsense

I want those devices in the PC IP segment to communicate with each other but not with devices in the Phones segment (I'm trying to emulate a VLAN here; there are several reasons behind it, mainly that I have a poor switch that can't tag VLANs based on MAC address).

I have 1 PC and 1 Laptop inside the PC IP segment and 1 iPhone inside the Phones IP segment. I want the PC and Laptop to be able to ping each other but not be able to ping the iPhone. When I turned AP isolation on, I could not ping from my PC to my Laptop.

I have read in the docs that by turning on AP isolation, the packets from my PC will be forwarded to br-interface for it to decide. How can I be sure that br-interface will forward that packet to pfSense and let it route to my Laptop, or will br-interface just drop the packet and not forward it? Is there any way that I can configure OpenWrt to behave the way I want?

Thanks for any of your help!

Not sure how to do that, maybe with firewall rules, but what you at least have to change is the IP ranges. and are both routable, i.e. they are non-private ranges.
Try 192.168.x.x or 10.x.x.x

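As an added illustration of the range point made in the reply above (this is not code from the thread; the segments, addresses and MACs below are constructed, since the original ranges are not shown), here is a small checker that validates a planned set of segments against the RFC 1918 blocks, rejects overlaps, and confirms that each MAC-bound static lease lands inside the segment it is meant for:

```python
import ipaddress

# RFC 1918 private blocks. ipaddress's is_private is wider (it also matches
# documentation and reserved ranges), so the check is spelled out explicitly.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample data; the thread does not show the real ranges or MACs.
SEGMENTS = {
    "pc": "192.168.10.0/24",
    "phones": "192.168.20.0/24",
}
LEASES = {  # MAC -> (intended segment, fixed address handed out by DHCP)
    "00:11:22:33:44:01": ("pc", "192.168.10.10"),
    "00:11:22:33:44:02": ("pc", "192.168.10.11"),
    "00:11:22:33:44:03": ("phones", "192.168.20.10"),
    "00:11:22:33:44:04": ("phones", "203.0.113.5"),  # publicly routable: wrong
}


def in_rfc1918(net):
    """True if an IPv4 network (or /32 host) lies entirely inside one RFC 1918 block."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(block) for block in RFC1918)


def check_segments(segments):
    """Problems with the segment plan: non-private ranges and overlapping ranges."""
    nets = {name: ipaddress.ip_network(value) for name, value in segments.items()}
    problems = []
    names = list(nets)
    for name in names:
        if not in_rfc1918(nets[name]):
            problems.append(f"{name}: {nets[name]} is not an RFC 1918 range")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    return problems


def check_leases(segments, leases):
    """MAC -> list of problems, only for leases that land outside their segment."""
    nets = {name: ipaddress.ip_network(value) for name, value in segments.items()}
    problems = {}
    for mac, (segment, address) in leases.items():
        addr = ipaddress.ip_address(address)
        found = []
        if not in_rfc1918(address):
            found.append(f"{addr} is not an RFC 1918 address")
        if segment not in nets:
            found.append(f"unknown segment {segment!r}")
        elif addr not in nets[segment]:
            found.append(f"{addr} is outside {segment} ({nets[segment]})")
        if found:
            problems[mac] = found
    return problems


if __name__ == "__main__":
    for line in check_segments(SEGMENTS):
        print("segment:", line)
    for mac, found in check_leases(SEGMENTS, LEASES).items():
        for line in found:
            print(f"lease {mac}: {line}")
```

Run against the constructed data it reports only the fourth lease, which is both outside RFC 1918 and outside its segment; a routable range assigned to LAN hosts is exactly what the reply warns about, and a lease that lands in the wrong segment defeats the MAC-based split the original poster is relying on.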

If you add the following config, forwarding between different subnets in the same firewall zone should be rejected.
file: /etc/config/firewall

config zone
	option forward 'REJECT'

I guess this is the closest it gets to what you want. I'm not sure if the "Isolate Client" option does the same. If this config doesn't work, my guess would be to make firewall rules. But it isn't a very nice solution.
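To see what the suggested setting actually ends up as on a device, here is an added example (not code from the thread or from OpenWrt) that parses a UCI-style /etc/config/firewall and lists the zones whose forward policy is ACCEPT; the sample config embedded in it is constructed. One caveat worth keeping in mind: a zone's forward policy (default REJECT when the option is absent) applies to traffic OpenWrt routes between the networks of that zone; it does not act on frames the bridge switches between two clients of the same interface.

```python
import re

# Constructed sample of an OpenWrt /etc/config/firewall (not taken from the thread).
SAMPLE_FIREWALL = """
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
"""

# "config <type> ['<name>']" and "option|list <key> ['<value>']" lines.
_SECTION = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_OPTION = re.compile(r"^\s*(option|list)\s+(\S+)\s+'?([^']*)'?\s*$")


def parse_uci(text):
    """Return UCI sections as dicts: type, optional section name, options, lists."""
    sections = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "options": {}, "lists": {}}
            sections.append(current)
            continue
        m = _OPTION.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current["options"][key] = value
            else:
                current["lists"].setdefault(key, []).append(value)
    return sections


def zones_forwarding_within(text):
    """Names of zones whose intra-zone forward policy is ACCEPT.

    A zone with no explicit forward option uses OpenWrt's default, REJECT.
    The zone is identified by its 'name' option, falling back to the section name.
    """
    return [
        section["options"].get("name", section["name"])
        for section in parse_uci(text)
        if section["type"] == "zone"
        and section["options"].get("forward", "REJECT").upper() == "ACCEPT"
    ]


if __name__ == "__main__":
    for zone in zones_forwarding_within(SAMPLE_FIREWALL):
        print(f"zone {zone!r} forwards between its own networks")
```

On a real device the same function can be pointed at the contents of /etc/config/firewall; the sample above lists only `lan`, which is the zone the reply's snippet would switch to REJECT.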