Client isolation on guest vlan in BATMAN mesh doesn't work

Hi guys,

I'd appreciate your help as it seems I hit the wall and three days of reading whatever I could find on the subject I've configured a batman mesh. Gateway is ARCHER, 'dumb AP' bridge is ASUS. Four VLANs - private (supposed to be bridged with all LAN ports on both routers), iot, work, guest. Routers are meshed over wifi (no cable). Each node has a number of wifi ssids set up same way on both to enable roaming. Non-mesh clients are able to connect to each of the networks, get ip and get online.

I have the following issues:

  1. A network scanner installed on a phone is able to see (list and ping) all the clients connected to the same vlan it is connected to. E.g. if I connect to iot wifi, I can see all the iot devices but not my laptop connected to private network (so vlan isolation seems to work properly while isolation within vlan doesn't). I have made several attempts to isolate the clients but in vain. For example if I issue a command "batctl -m bat0.4 a 1", then the setting returns "enabled" for this interface for a while, but then reverts back to disabled (not sure if after some time or after router reboot)

EDIT1: It seems this is by design - I'm just failing to control AP isolation on per-vlan basis:

This setting only affects packets without any VLAN tag (untagged packets). The ap isolation setting for VLAN tagged packets is modifiable through the per-VLAN settings.

https://www.open-mesh.org/projects/batman-adv/wiki/Tweaking

EDIT2: so it's quite weird. I tried adding the following to network configs and it did nothing to enable ap_isolation on vlan interfaces:

config interface 'bat0vlan2'
        option protocol 'batadv_vlan'
        option ifname 'bat0.2'
        option ap_isolation '1'

This option is not set upon service network restart.
Then I just tried enabling this on both routers:

batctl -m bat0.2 ap 1

and it kind of worked. The scanner is still able to find the other devices on vlan, but now it cannot ping them and port scanner doesn't show any open ports (I guess it's good, right? But can we make so that they don't see each other completely, or is this about as far as ap_isolation goes?). So how I make this option persistent?

  1. SOLVED (wrong IP config on ASUS private interface) I cannot access ASUS (dumb ap, bridge node) from a wirelessly connected client. I'm only able to access it through a cable connected to a lan port of the router.

Configs:

root@asus:~# batctl ap
enabled
root@asus:~# batctl -m bat0.4 ap
disabled

Gateway (ARCHER)

dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option limit '150'
	option interface 'guest'
	option leasetime '6h'

config dhcp 'work'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'work'

config dhcp 'iot'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'iot'

config dhcp 'private'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'private'

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan private'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest_DNS'

config rule
	option dest_port '67'
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest_DHCP'

config zone
	option forward 'REJECT'
	option name 'work'
	option output 'ACCEPT'
	option input 'REJECT'
	option network 'work'

config rule
	option dest_port '53'
	option src 'work'
	option target 'ACCEPT'
	option name 'work_DNS'

config rule
	option dest_port '67'
	option target 'ACCEPT'
	option src 'work'
	option name 'work_DHCP'

config forwarding
	option dest 'wan'
	option src 'work'

config zone
	option forward 'REJECT'
	option name 'iot'
	option output 'ACCEPT'
	option input 'REJECT'
	option network 'iot'

config forwarding
	option dest 'wan'
	option src 'iot'

config rule
	option dest_port '53'
	option src 'iot'
	option target 'ACCEPT'
	option name 'iot_DNS'

config rule
	option dest_port '67'
	option src 'iot'
	option target 'ACCEPT'
	option name 'iot_DHCP'

network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd43:e6b7:2b88::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.50.1'
	option igmp_snooping '1'
	option delegate '0'
	option ifname 'eth0.1'
	option stp '1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '98:da:c4:2b:39:4d'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option aggregated_ogms '1'
	option ap_isolation '1'
	option bonding '0'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option fragmentation '1'
	option gw_mode 'off'
	option hop_penalty '30'
	option isolation_mark '0x00000000/0x00000000'
	option log_level '0'
	option multicast_mode '1'
	option multicast_fanout '16'
	option network_coding '0'
	option orig_interval '1000'

config interface 'nwi_mesh0'
	option proto 'batadv_hardif'
	option master 'bat0'
	option mtu '2304'

config interface 'private'
	option type 'bridge'
	option stp '1'
	option delegate '0'
	option ifname 'bat0.1 eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'

config interface 'guest'
	option type 'bridge'
	option ifname 'bat0.2'
	option stp '1'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ap_isolation '1'

config interface 'work'
	option type 'bridge'
	option stp '1'
	option ifname 'bat0.3'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ap_isolation '1'

config interface 'iot'
	option type 'bridge'
	option ifname 'bat0.4'
	option stp '1'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ap_isolation '1'

wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'defaultssid'
	option ieee80211w '1'
	option key 'defaultkey'
	option encryption 'psk2'
	option network 'private'

config wifi-iface 'mesh0'
	option network 'nwi_mesh0'
	option device 'radio0'
	option ifname 'ifmesh0'
	option mode 'mesh'
	option mesh_id 'mesh0id'
	option key 'mesh0key'
	option mesh_fwding '0'
	option mesh_rssi_threshold '0'
	option encryption 'sae'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option country 'US'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'

config wifi-iface 'wifi_guest'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option network 'guest'
	option ssid 'guestssid'
	option key 'guestkey'

config wifi-iface 'wifi_work'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option network 'work'
	option ssid 'workssid'
	option key 'workkey'

config wifi-iface 'wifi_iot'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option ssid 'iotssid'
	option key 'iotkey'
	option network 'iot'

config wifi-iface 'wifinet5'
	option ssid 'wifinet5ssid'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option key 'wifinet5key'
	option network 'private'


Bridge (dumb AP) - ASUS

dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan private'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'


network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb0:3c92:1080::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.50.11'
	option netmask '255.255.255.0'
	option gateway '192.168.50.1'
	option delegate '0'
	list dns '192.168.51.1'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '38:d5:47:0d:78:48'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config device 'wan_eth1_dev'
	option name 'eth1'
	option macaddr '38:d5:47:0d:78:4c'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option aggregated_ogms '1'
	option ap_isolation '1'
	option bonding '0'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option fragmentation '1'
	option gw_mode 'off'
	option hop_penalty '30'
	option isolation_mark '0x00000000/0x00000000'
	option log_level '0'
	option multicast_mode '1'
	option multicast_fanout '16'
	option network_coding '0'
	option orig_interval '1000'

config interface 'nwi_mesh0'
	option proto 'batadv_hardif'
	option master 'bat0'
	option mtu '2304'

config interface 'private'
	option proto 'static'
	option ipaddr '192.168.10.11'  #corrected
	option netmask '255.255.255.0'
	option type 'bridge'
	option gateway '192.168.50.1'
	list dns '192.168.50.1'
	option delegate '0'
	option stp '1'
	option ifname 'bat0.1 eth0'

config interface 'guest'
	option ifname 'bat0.2'
	option proto 'none'   #corrected
	option delegate '0'
	option type 'bridge'
	option type 'bridge'
	option ap_isolation '1'   #corrected

config interface 'work'
	option ifname 'bat0.3'
	option proto 'none'   #corrected
	option type 'bridge'
	option delegate '0'
	option stp '1'
	option ap_isolation '1'   #corrected

config interface 'iot'
	option ifname 'bat0.4'
	option delegate '0'
	option proto 'none'   #corrected
	option type 'bridge'
	option stp '1'
	option ap_isolation '1'   #corrected


wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'

config wifi-iface 'wifi_guest'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option network 'guest'
	option ssid 'guestssid'
	option key 'guestkey'

config wifi-iface 'wifi_work'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option network 'work'
	option ssid 'workssid'
	option key 'workkey'

config wifi-iface 'wifi_iot'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option network 'iot'
	option ssid 'iotssid'
	option key 'iotkey'

config wifi-iface 'wifinet5'
	option ssid 'wifinet5ssid'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option key 'wifinet5key'
	option network 'private'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'

config wifi-iface 'mesh0'
	option device 'radio1'
	option network 'nwi_mesh0'
	option ifname 'ifmesh0'
	option mode 'mesh'
	option mesh_id 'mesh0id'
	option key 'mesh0key'
	option mesh_fwding '0'
	option mesh_rssi_threshold '0'
	option encrytpion 'none'
	option encryption 'sae'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'defaulssid'
	option ieee80211w '1'
	option key 'defaultkey'
	option encryption 'psk2'
	option network 'private'


1 Like

It increasingly seems to me that batctl -m bat0.4 ap 1 setting is not preserved after restart

I think you could add this command to System->Scheduled Tasks so it gets executed on restart. I don't know how to write scripts, sorry.

What routers (model numbers) are you using?

I know for example the EA8300 linksys uses the IPQ4019 CPU which has problems with VLANS - not sure if it can do it yet. I would like to try eventually as I am using that router in a 3 node mesh.

Under the network->wireless section in the above example:

option isolate '1', is missing.

So it's not getting saved or added to config? (Not sure if that interface was supposed to be isolated). Maybe try adding it manually through VIM to the appropriate interfaces?

Then at some point you might want to hard reset everything to try to clear out caches and reinitialize everything. Shut everything off and then go around and turn it all back on again - if possible.

Not sure if that helps - I'm still pretty new.

Thank you!

I think you could add this command to System->Scheduled Tasks so it get executed on restart. I don't know how to write scripts, sorry.

This is a workaround, but I don't think it's a pretty one. My hope is I'm not writing the config correctly and not that this is a bug.

What routers (model numbers) are you using?
Archer:

[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] MIPS: machine is TP-Link Archer A7 v5
[    0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0

Asus:

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.14.221 (builder@buildhost) (gcc version 7.5.0 (Op
enWrt GCC 7.5.0 r11306-c4a6851c72)) #0 SMP Mon Feb 15 15:22:37 2021
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[    0.000000] CPU: div instructions available: patching division code
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instructio
n cache
[    0.000000] OF: fdt: Machine model: ASUS RT-AC58U

Under the network->wireless section in the above example:

option isolate '1', is missing.

This is intended as I'm not looking to isolate clients on my private network. Only on guest, work and iot (bat0.2, bat0.3, bat0.4).

Guest and work appear to be missing: option ap_isolation '1'. And on iot its commented out - in this screen grab - you may have updated it since then.

Quote:
To enable use of 802.11s mesh

opkg remove wpad-basic
opkg install wpad-mesh-openssl # or wpad-mesh-wolfssl

...wolf is a stripped down version to save memory ~300kb

...but it probably wouldn't hurt to test:

wpad-openssl

This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS…

I use it on some of my nodes no problem. Only ~500kb. Just for test purposes perhaps as it has a more complete set of supported protocols / services.

Then my next question is which ATH10K drivers are you using on the dumb AP
(ASUS RT-AC58U)?

Try switching between CT and non-CT versions? CT version is better suited to 256mb ram machines vs the non-CT which is better suited to 128mb which is what the ASUS RT-AC58U is.

Similarly look at the A5 drivers.

opkg update everything.

Do not opkg upgrade anything.

This option doesn't have an effect on batman. batctl -m bat0.4 ap returns disabled no matter if ap_isolation parameter is present in configs or not.

Try switching between CT and non-CT versions

I was not able to make CT work on the ARCHER and I gather CT doesn't support mesh.

Also, the mesh is working fine and vlans are working fine, too. It's just that clients are not isolated within vlans.

1 Like

The wifi AP definition in /etc/config/wireless needs to be set to isolate as well. With isolate off, the wifi driver will bridge clients on the same AP without the packets even reaching the kernel network bridge.

You mean within respective ssid stanzas in /etc/config/wireless? Done it every way - no effect.

actualized configs

There were multiple reports of instability under load, likely due to 128 MB RAM being insufficient for two “ath10k” radios.

Prior to 19.07, using the non-“ct” ath10k drivers and firmware could improve stability (default was kmod-ath10k-ct).

19.07 is now using kmod-ath10k-ct-smallbuffers by default, with many reporting no issues for this device.

There are issues configuring vlans from LuCI for ipq40xx boards, please edit /etc/config/network directly.

The ASUS RT-AC58U V2 and V3 models have different soc and should be considered as a different device.

Also.....

luci->system->software->update lists->filter->batman

...try installing "batmand" B.A.T.M.A.N. layer 3 routing daemon on all routers.

... MAC address isolation is layer 2 I believe but this might help.

Maybe try installing batctl-full on all routers. Or if you have already then try the other ones. Something will jostle it to life.

Are all routers running 19.07.7?

Just a shot in the dark....

versus what this guy did....

config interface 'bat_if'
	option mtu '2304'
	option proto 'batadv_hardif'
	option master 'bat0'
	option ifname 'eth0.2' # sadly this simple line did the trick for me

Above config sample taken from near the bottom of this thread or just click on "solved" at the top of the thread.

It sounds like he was trying to do batman over wired but if you are adding a dumb AP then you are too with respect to the dumb AP as it is being wired in over LAN?

Maybe @markbirss or @cgomesu has seen this layer 2 client isolation problem?

The issue is not isolated (sorry) to ASUS, same behavior on ARCHER

Are all routers running 19.07.7

yes

try installing "batmand" B.A.T.M.A.N. layer 3 routing daemon on all routers.

Alright, this is already beyond my understanding, but I think I saw somewhere that level 3 is "old way" and not correct.
Here: Unless you've got a strong reason to use the older, Layer 3 protocol (such as interoperation with an existing mesh), `batman-adv` is suggested.

Again, the feature seems to be present but it fails to persist. I created a bug report, we'll see what the maintainer says.

option ifname 'eth0.2' # sadly this simple line did the trick for me

My setup is not wired, so I don't have to bridge to lan. The mesh itself works, pings and internet access are there, clients are hopping from one node to another - no issues there. The issue is that on each vlan a client can see other clients.

Under network->wireless, encryption can't be both off and sae.

I'm also curious if STP is impacting layer 2 client isolation since it works on layer 2. Try turning it off for testing purposes?

LuCI->network->interface->mesh lan->physical settings->STP

I'm not using STP in vanilla 802.11s on my modest 3 node mesh but I'm not sure if it's required in BATMAN.

Thank-you as this will help me when I configure BATMAN eventually.

Isolation between two clients connected to the same AP on the same router won't have anything to do with your BATMAN link to the next router. Those packets aren't going to reach the BATMAN interface.

You may want to try a regular locally-routed guest network to see if you can achieve such isolation. I have tested it on the 2 GHz radio of an RT3200 and it does work, though it may not work with other wifi chips and drivers.

An option isolate 1 in the AP configuration is of course critical. Also I have the general "keep guests out of my private IPs" rule in the firewall:

config rule
	option name 'Guest-LAN-Block'
	option target 'REJECT'
	option src 'guest'
	option dest '*'
	option dest_ip '192.168.0.0/16'
	option proto 'all'
	option family 'ipv4'

Since guest IPs are in this IP block, this in theory prevents guest-guest communication, though I didn't think the firewall worked on a "hairpin" to the same interface on the same bridge. I don't have time to test further right now though you could try with and without this rule.

1 Like

For clarification - are all isolated VLANs failing to isolate clients?

option ap_isolation '1' is the wrong syntax.

It should be: option isolate '1'

This should fix it. Client isolation happens in the AP.

Try adding: option isolate '1' to each of the configs shown above....

or just use LuCI->network->wireless->click on the AP you want clients isolated on->advanced settings->check isolate clients.

Save.
Then Save and Apply.
Then reboot.
Now use your phone to join the AP you just set to isolate and see if you can ping any other clients.

If it fails then cycle the power to that AP and retest.

Probably nothing but...

bridge was declared twice.

Fixed, thanks. I don't think it matters though as the next line would override the previous. Weird, I cannot edit the original post.

I'm also curious if STP is impacting layer 2 client isolation since it works on layer 2. Try turning it off for testing purposes?

STP option was added on a later stages of troubleshooting. It doesn't seem to affect this.

Thank-you as this will help me when I configure BATMAN eventually.

I'd be happy if anything I posted would help somebody!

For clarification - are all isolated VLANs failing to isolate clients?

Yes, behavior is similar across all VLANs. When I enable the isolation through batctl -m bat0.4 ap 1, the clients cannot be pinged and port scanner doesn't show any open ports. But the scanner is somehow able to see the others.

option ap_isolation '1' is the wrong syntax.

This is incorrect as per man:
[**meshif** **<netdev>**] **ap_isolation**|**ap** [**0**|**1**]
https://www.debian.org/doc/manuals/debian-reference/ch05.en.html
But I will test it just in case bat0 and bat0.4 should be configured differently

or just use LuCI->network->wireless->click on the AP you want clients isolated on->advanced settings->check isolate clients.

You are mixing two things here. Wireless interfaces are configured in /etc/config/wireless and are configured with option isolate 1. The network interfaces and batman vlans are configured in /etc/config/network and have different option name.

bridge was declared twice.

Fixed, thanks

Isolation between two clients connected to the same AP on the same router won't have anything to do with your BATMAN link to the next router. Those packets aren't going to reach the BATMAN interface.

I don't really have enough knowledge to understand what this means. But batctl -m bat0.4 ap 1 does affect the way the clients interact, so I'd say batman definitely does at least something here.

option dest_ip '192.168.0.0/16'

Wow if I understand correctly what is written here, this is an atomic configuration.
Ah, wait. So only the clients coming from guest zone will be subdued, right? option src 'guest'
But how do the clients get their IPs and resolve DNS? You are blocking it all - option dest '*'

There are rules to allow port 53 and 67 input to the router. (These rules need to be in the file ahead of the overall deny rule, since the first rule that matches will be used). It's a standard guest network configuration.

1 Like

woops my bad...

Fact still remains that...

After changing and saving these settings a reboot or power cycle may be in order to get it working.

Okay, that didn't seem to work. In a way that the lan scanner on the phone is still able to find all the other clients. No ping or open ports - but it just lists them all. May that be ipv6 playing jokes? Is there supposed to be stealth in the first place? Or maybe inaccessible unpingable devices with every port blocked is what I should be expecting?

AND - when I turn batman vlan ap isolation off (batctl -m bat0.4 ap0), my phone is able to ping other devices on the vlan. How's that possible?

Latest gateway firewall:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan private'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest_DNS'
	option family 'ipv4'

config rule
	option dest_port '67'
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest_DHCP'
	option family 'ipv4'

config zone
	option forward 'REJECT'
	option name 'work'
	option output 'ACCEPT'
	option input 'REJECT'
	option network 'work'

config rule
	option src 'guest'
	option name 'guest_lan_block'
	option target 'REJECT'
	list dest_ip '192.168.0.0/16'
	option dest '*'
	list proto 'all'

config rule
	option dest_port '53'
	option src 'work'
	option target 'ACCEPT'
	option name 'work_DNS'
	option family 'ipv4'

config rule
	option dest_port '67'
	option target 'ACCEPT'
	option src 'work'
	option name 'work_DHCP'
	option family 'ipv4'

config forwarding
	option dest 'wan'
	option src 'work'

config zone
	option forward 'REJECT'
	option name 'iot'
	option output 'ACCEPT'
	option input 'REJECT'
	option network 'iot'
	option family 'ipv4'

config forwarding
	option dest 'wan'
	option src 'iot'

config rule
	option src 'work'
	option name 'work_lan_block'
	option target 'REJECT'
	list dest_ip '192.168.0.0/16'
	option dest '*'
	option family 'ipv6'
	list proto 'all'

config rule
	option dest_port '53'
	option src 'iot'
	option target 'ACCEPT'
	option name 'iot_DNS'
	option family 'ipv4'

config rule
	option dest_port '67'
	option src 'iot'
	option target 'ACCEPT'
	option name 'iot_DHCP'
	option family 'ipv4'

config rule
	option src 'iot'
	option name 'iot_lan_block'
	option target 'REJECT'
	list dest_ip '192.168.0.0/16'
	option dest '*'
	list proto 'all'


latest bridge firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan private'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'