Client isolation is enabled on OpenWRT AP but I still can ping between devices

Hey everyone !

I am new to OpenWRT. I have converted an OpenWRT router into an OpenFlow-enabled access point, and I have also enabled wireless isolation, but the latter doesn't seem to work! I can still ping between two devices connected to the WiFi. Any suggestions please?

Thank you !

Are you running a single AP or do you have multiple APs in your space?

Let's see your configuration:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Just in general, client isolation only works between clients connected to the same AP interface (for dual-band APs you get two independent AP interfaces!), this means any wired clients (and clients on the other band or connected to a second, third, etc. AP) are switched (or bridged) to each other and bypass client isolation.


Thank you for your response,
I am running a single AP in my setup. When I run tcpdump to capture traffic on the wlan0 interface and start a ping from my phone to my laptop, I see both the echo request and the echo reply in the output, although client isolation is enabled. I thought that in this case the AP would intercept the echo request and not forward it to the other machine, but this isn't what is happening.
Here is the configuration :

ubus call system board :

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.4.188",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.4",
	"board_name": "raspberrypi,4-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.3",
		"revision": "r16554-1d4dea6d4f",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
	}
}

cat /etc/config/network :

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:13a7:1ecc::/48'

# Upstream side: DHCP client on eth0. This is the only network listed in the
# 'wan' firewall zone in the /etc/config/firewall posted below.
config interface 'eth0'
	option proto 'dhcp'
	option device 'eth0'

# The three interfaces below ('br0', 'wifi', 'ETH1') are configured as
# separate routed interfaces, yet all three sit in 192.168.1.0/24. This is
# what the replies below single out as the likely cause of the problem:
# per the first reply, the AP's client isolation only applies between
# stations on the same wifi-iface, not to traffic that is routed or bridged
# between interfaces.
# NOTE(review): no 'config device' stanza defines 'br0' as a bridge in this
# file; presumably it is created by Open vSwitch (the SDN setup mentioned
# later in the thread) — confirm.
config interface 'br0'
	option device 'br0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# wlan0 as a routed interface of its own. The AP (wifi-iface
# 'default_radio0' in /etc/config/wireless) attaches to this network via
# "option network 'wifi'".
config interface 'wifi'
	option device 'wlan0'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

# Third address in the same /24, on eth1, given via 'list ipaddr' with no
# netmask option.
config interface 'ETH1'
	option proto 'static'
	option device 'eth1'
	list ipaddr '192.168.1.3'


cat /etc/config/wireless :

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel 'auto'
	option cell_density '0'
	option country 'DE'
	option hwmode '11g'

# Single AP interface on radio0 (the poster confirms a single-AP setup).
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	# 'isolate 1' only stops the AP itself from relaying frames between
	# stations of this wifi-iface (see the first reply). Frames that leave
	# wlan0 and are bridged or routed back are not covered by it.
	# NOTE(review): the poster sees both echo request and echo reply on
	# wlan0 with tcpdump; if wlan0 is also an Open vSwitch / bridge port,
	# the bridge may be forwarding the frames back out of wlan0 — that
	# would be consistent with the capture, but it is an inference; confirm.
	option isolate '1'
	option ssid 'OpenWrt_Guest'
	# Open SSID: no authentication and no frame protection. Any station in
	# range can join, so client-to-client reachability here is reachable
	# by anyone, not only by the poster's own devices.
	option encryption 'none'
	# Attaches wlan0 to the 'wifi' interface (192.168.1.2/24) from
	# /etc/config/network above.
	option network 'wifi'


cat /etc/config/dhcp:

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

# DHCP pool for the 'wifi' interface (wlan0, 192.168.1.2/24 in
# /etc/config/network). A second pool on the same /24 is defined for 'br0'
# further down; the two interfaces share one subnet, see the replies.
config dhcp 'wifi'
	option interface 'wifi'
	option start '50'
	option limit '50'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

# References an interface named 'wan', which does not exist in the posted
# /etc/config/network (the DHCP-client interface there is named 'eth0').
# Harmless because of 'ignore 1', but it looks like a leftover of the
# default config.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# DHCP pool for 'br0' (192.168.1.1/24), with a different start offset than
# the 'wifi' pool above.
config dhcp 'br0'
	option interface 'br0'
	option start '100'
	option limit '50'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

# Static leases. MAC addresses are redacted with the '<mac@>' placeholder,
# as requested earlier in the thread.
config host
	option name 'sdn'
	option dns '1'
	option ip '192.168.1.10'
	option mac '<mac@>'

config host
	option name 'homeassistant'
	option dns '1'
	option mac '<mac@>'
	option ip '192.168.1.20'

config host
	option name 'kiosk'
	option dns '1'
	option mac '<mac@>'
	option ip '192.168.1.30'

config host
	option name 'M2012K11AG'
	option ip '192.168.1.89'
	option mac '<mac@>'


cat /etc/config/firewall:

root@OpenWrt:~# cat  /etc/config/firewall

# Router-wide defaults: traffic to/from the router itself is accepted,
# forwarding between zones is rejected unless a zone or forwarding stanza
# allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Upstream zone, containing only the 'eth0' network. Note 'input ACCEPT':
# everything arriving on eth0 addressed to the router is accepted, and the
# wan->br0 forwarding at the end of this file additionally lets traffic
# from eth0 into br0. Whether that is acceptable depends on what is on the
# eth0 side (not shown in the thread).
config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option masq '1'
	list network 'eth0'
	option input 'ACCEPT'
	option forward 'REJECT'

# Only the 'br0' network is in this zone. The 'wifi' network (wlan0, the
# interface the AP attaches to) and 'ETH1' from /etc/config/network are
# not listed in any zone in this file.
config zone
	option name 'br0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'br0'
	option forward 'REJECT'

# Section type is misspelled ('forwareding' instead of 'forwarding'), so
# the firewall presumably does not recognise this stanza. A correctly
# spelled wan->br0 forwarding is defined at the end of this file, so the
# typo is probably a no-op, but the stanza should be deleted.
config forwareding
	option src 'wan'
	option dest 'br0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules target a zone named 'lan', but no 'lan' zone is
# defined in this file (the zones are 'wan' and 'br0'). They are leftovers
# of the default ruleset and presumably match nothing as written.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Custom rules from /etc/firewall.user are pulled in here; that file was
# not posted, so any additional rules it contains are unknown.
config include
	option path '/etc/firewall.user'

# Unsolicited traffic from the wan zone (eth0) is allowed into br0.
config forwarding
	option src 'wan'
	option dest 'br0'

config forwarding
	option src 'br0'
	option dest 'wan'

Your problem may be related to the multiple interfaces you have assigned using the same subnet here... These need to change:

Instead, remove these entirely:

Create a bridge for eth1 like this

# Proposed bridge device. Only eth1 is listed as a port; the reply expects
# wlan0 to join via the wifi-iface's "option network 'guest'" further
# down — presumably that is how the AP gets attached to the bridge, confirm.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

Modify your br0 interface to look like this:

# Proposed single routed interface on top of the bridge, replacing the
# three same-subnet interfaces ('br0', 'wifi', 'ETH1') from the poster's
# /etc/config/network.
config interface 'guest'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

then change your radio configuration to look like this:

# Same wifi-iface as the poster's, with only the network changed from
# 'wifi' to 'guest'. 'encryption none' (open SSID) is carried over unchanged.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option ssid 'OpenWrt_Guest'
	option encryption 'none'
	option network 'guest'

You'll also need to update your firewall and DHCP configurations to use the new network name `guest`.

There are other issues with the firewall, but this is the key stuff you need to change.


Hey,
Thanks for your reply .
I should not change these interfaces because that would break the configuration I made in Open vSwitch to control devices with the SDN controller. I have followed this article:
https://wiki.helsinki.fi/display/WiFiSDN
It was mentioned there that after I change the bridge in the OpenWRT router to br0 and create the interfaces, devices connected via WiFi will not be able to see each other, provided that wireless isolation and PVLAN are enabled. However, it is still not working.

I don't see anywhere in the guide you linked where it says you should create 3 independent interfaces that use the same subnet. This configuration is invalid and will break lots of things. Each interface must be on its own subnet.

If you need br0 as an interface name, you can simply rename `guest` above to `br0` (and you can also rename `br-lan` to `br0` as well, as long as you make everything consistent). In that case, it would look like this (where you have a device named br0 and a network named br0):

[quote="psherman, post:5, topic:166359"]

# Same proposal as above, with the bridge device and the network both named
# 'br0' so the poster's Open vSwitch / SDN references to br0 keep working.
config device
        option name 'br0'
        option type 'bridge'
        list ports 'eth1'

# One routed interface on the bridge; the separate 'wifi' and 'ETH1'
# interfaces from the original /etc/config/network are dropped.
config interface 'br0'
	option device 'br0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

and

# Poster's wifi-iface with the network switched to 'br0'; everything else,
# including the open 'encryption none', is unchanged.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option ssid 'OpenWrt_Guest'
	option encryption 'none'
	option network 'br0'

(Alternatively, you can likely rename the references to br0 in the other configs to match whatever the network interfaces are called.)