Bridge port isolation for wireless interfaces via netifd

Hello people,

I'm using a snapshot version (r15172-af07c6de9c) because my device (ASUS RT-AC65P) is not supported by a release.

I'm trying to do a rather common thing, a guest wifi network with client isolation. Because my device has 2 radios, I created 2 networks with the same SSID and bridged them to have the same IP range.

/etc/config/network:
config interface 'guest'
    option type 'bridge'
    option proto 'static'

/etc/config/wireless:
config wifi-iface 'wifinet3'
    option device 'radio0'
    option mode 'ap'
    option isolate '1'
    option network 'guest'

config wifi-iface 'wifinet4'
    option device 'radio1'
    option mode 'ap'
    option isolate '1'
    option network 'guest'

That isolates clients within the same band, but clients from one band may talk to clients of the second band. According to various topics here, further isolation may be done via ebtables. Unfortunately that is tricky because "WLAN interface names may be dynamic or unpredictable".

Newer kernels (4.18+) support a better way — port isolation. I've tried that by echo 1 >brport/isolated and it worked fine.

It seems that netifd also somehow supports that feature.

But I can't make it work.

Am I right that netifd applies that only to non-bridged devices or bridges themselves, but not to bridged interfaces?

Is there a way to configure netifd to set that for bridged wlanX-Y interfaces?

Should that maybe be the default behavior for netifd, to mark wireless-isolated interfaces as brport/isolated?

Are there any netifd experts? :roll_eyes:
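As an added example (not from the original post or from netifd), here is a POSIX shell function that does by hand what the post asks netifd for: it walks the bridge's member list in sysfs and sets the kernel 4.18+ brport "isolated" flag on every wireless port, so the dynamic wlanX-Y names never have to be known in advance. The bridge name br-guest and the idea of calling it from a hotplug script are assumptions; the optional sysfs root argument only exists so the function can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Mark every wireless member port of a bridge as an isolated bridge port
# (brport/isolated, kernel 4.18+), so guest clients on different radios
# that are bridged together cannot reach each other at layer 2.
# Member ports are discovered via /sys/class/net/<bridge>/brif/, where each
# entry points at the port's own net device directory, so this works
# whatever the current wlanX-Y names happen to be.
#
# $1: bridge device (assumed example: br-guest)
# $2: optional sysfs root, default /sys (override used for offline testing)
# Prints the names of the ports it isolated; returns 1 if the bridge is missing.
isolate_wireless_ports() {
    bridge="$1"
    sysfs="${2:-/sys}"
    brif="$sysfs/class/net/$bridge/brif"
    [ -d "$brif" ] || { echo "bridge $bridge not found" >&2; return 1; }
    for port in "$brif"/*; do
        [ -e "$port" ] || continue      # bridge has no members: glob did not expand
        name="${port##*/}"
        case "$name" in
            wlan*) ;;                   # only wireless ports get isolated
            *) continue ;;              # wired uplink / VLAN ports are left alone
        esac
        flag="$port/brport/isolated"
        [ -f "$flag" ] || continue      # kernel without port isolation support
        echo 1 > "$flag"
        echo "$name"
    done
    return 0
}

# Read back the isolated flag of one port, for verifying the result.
port_isolated() {
    cat "${3:-/sys}/class/net/$1/brif/$2/brport/isolated" 2>/dev/null
}

# Example call (assumes the bridge exists and you are root):
# isolate_wireless_ports br-guest
```

Because the flag is lost whenever the wlan interface is re-created, the function has to run again after each wifi reload, for example from a hotplug script (assumption; verify the hook that fires on your build).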

The new feature likely relies on the network config instead of wireless:

uci set network.guest.isolate="1"
uci commit network
/etc/init.d/network restart

You can also try this way:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge

It relies on the firewall zone, so it should work for dynamic interface names.

I've tried initially exactly that configuration, but it has no effect at all.

As I understood it, network.guest.isolate configures the netifd bridge device itself, not the bridged interfaces. And it uses the latter ones to enable the /sys/class/net/%s/brport/isolated option.

I don't know a use case for that; that could even be a netifd bug.

The bridge-netfilter option is rather the same as the ebtables way. Yes, that should work.

But I'm curious about new port isolation feature — if it's added to netifd, then there should be a way to use it, right?


@nbd , could you please explain how to use this feature if it's applicable to bridge over wlans?