Can anyone explain how client isolation in OpenWRT works? Specifically, the checkbox option in LUCI. Beyond the basic description of "prevents client-to-client communication."
What mechanisms are used in this implementation? At what level does checking this box make changes?
What are the strengths and weaknesses?
How to defend against attackers getting around it?
How to design firewall rules, etc to enable specific clients to communicate across isolated networks?
1: it isolates STAs within the same BSSID, anything that traverses the BSSID (and reaches the bridge) is out of reach ~= no isolation.
2: it's weak, unless you isolate it into dedicated/ unshared networks per BSSID.
3: you can't, but there is an easy solution - don't give network access to untrusted entities.
4: the firewall is not involved here
At the BSSID level, HOW does it isolate clients connected to the same BSSID? Checking that box must modify some code somewhere.
Let's use the guest network example. Clients connected to the guest network should not be able to ping each other, and they should not be able to ping network devices or clients on other networks, but they should be able to make DHCP and DNS requests so they can browse the internet. OpenWRT creates the guest network using a br-guest with no ports assigned.
If a LAN port is assigned to the br-guest, will the isolated clients on the guest BSSID be able to communicate with clients on the guest LAN? Will the addition of the LAN port to the bridge break the BSSID isolation? Meaning can clients connected to the BSSID just go around the isolation to see each other?
Read the finest manual?
Yes (the isolation is SSID-specific).
The description provided by Slh was quite detailed.
No.
(A simple test will also produce these results BTW.)
Hopefully the description at lines 568 and 569 [of the official documentation] satisfies the OP's inquiry this time.
Love a good manual. There is only one mention of "isolate" or "isolation":
# Client isolation can be used to prevent low-level bridging of frames between
# associated stations in the BSS. By default, this bridging is allowed.
#ap_isolate=1
The manual indicates a reference path of: root/hostapd/hostapd.conf. I am not able to confirm the correlation between LUCI "isolate clients" and ap_isolate=1 because the reference path does not appear to exist on my device:
root@GL-MT6000:~# find / -name "hostapd"
/rom/usr/sbin/hostapd
/sys/fs/cgroup/services/wpad/hostapd
/tmp/run/hostapd
/usr/sbin/hostapd
Check:
ls /tmp/run/hostapd*.conf
OpenWrt uses the Unified Configuration Interface (UCI) abstraction layer for configurations. In OpenWrt, you generally make configurations per OpenWrt documentation and UCI syntax.
My guess is the manual was provided as the [verbose] answer to your extended inquiries regarding the isolate feature.
Yes, multiple users directed you to that section of the manual.
(If you are not satisfied or seek more information, you may wish to contact the developer of the underlying hostapd software.)
Maybe to add, there is an ethernet “port isolation” which can be used in addition depending on how you wired everything, but its still iffy.
If you want full isolation, then better make 1 VLAN per BSSID, but that likely blocks fast roaming (maybe there are some workarounds possible, but it does not feel like the right solution). The best solution would be to setup each AP as router for those (B)SSIDs then you can have full isolation. But then you likely will have double NAT for IPv4 etc.
It happens at the bridge level, as the ap_isolate=1 hostapd option is always set (more info here). The actual isolation is done by disabling the hairpin_mode bridge port option ( /sys/class/net/*/brport/hairpin_mode) for the wireless interface that allows packets to enter the bridge port they originated from.
On the same bridge (and the same device only*) you can isolate the clients from two or more BSSIDs by setting the bridge_isolate uci option (in 25.12 this is also exposed as Isolate Bridge Port in the webinterface) on all relevant wireless interfaces.
This enables the /sys/class/net/*/brport/isolated bridge port option, which is the same as enabling the port isolation setting for wired interfaces that Ramon mentioned.
I am requesting extended explanation because I am trying to learn how it works, and in my researching the topic, I discovered a recurring theme of people getting confused about this, with a number of other threads going off on tangents trying to solve case-specific challenges. Bits and pieces of info buried deep in threads here and there, difficult to find. Some really good answers in this thread, hopefully others will find it useful.
I am trying to setup a network that looks more or less like this. The primary issue I am trying to work out right now is the IoT network. The IoT devices do not need to see each other, and they should not see anything in the other networks, but they do need to communicate with the control server.
The exception is the printers, which needs to be accessible from both the trusted and privileged guest vlans.
The control server should also be able to communicate with the media devices and trusted devices, as well as the NAS.
I am trying to keep the hardware as minimal as possible here, and also to avoid mDNS (if possible)
How does your network setup relate to hairpin or isolate inquiry?
So, have you spoken to the hostapd creator yet?
Also, can you explain whay you mean by "hairpin mode" on the same interface?
("Hairpin" must have a different meaning as you used it - than commonly used in parlance discussing OpenWrt.)
If OP wants to dig into the general topic this is a good resource. Not directly related to wifi on Linux and hostapd but to illustrate the general issue.
I assume either someone needs to write a school essay or having late night talks with a chat bot -.-
Are you sure the kernel bridge is involved at all? I thought the wifi driver itself handled (or dropped, depending on how configured) layer 2 bridging between clients of the same AP.
It is possible to run an AP that is not attached to a kernel bridge, by defining only an Interface and placing an IP address directly on the Interface. This configuration does not allow bridging outside of the AP but I thought that bridging between its STAs would still occur.
I have never actually tested this though.
No. It's correct that in this Special case of wifi client isolation has nothing to do with Linux bridges perse. But I wanted to underline that this topic is wider then OP seams to realize. Nothing more.
I was to lazy to verify but I would assume that Cisco and co have good material on the topic of wifi client isolation, how it works and what to expect.
This is super cool! Thanks for the wisdom.
I may never sleep again.
At a most basic level, Infrastructure mode works like a hub. The AP participates in the communication by forwarding packets to clients - at the Layer-2 level. Client Isolation places a packet filter on the AP so only traffic to/from the AP is allowed. This setting is local to that AP's wireless bridge BSSID. Once it makes it out of that wireless bridge such as crossing between 2.4 and 5Ghz, it is free from this Client Isolation setting. So you have to enable it on every AP carrying that SSID and turn on bridge isolation to prevent traffic between wireless bridges. This might be an oversimplification but it works for me so I hope it helps you.
