Client isolation on guest vlan in BATMAN mesh doesn't work

Yes. I have at least three different locations that use client isolation inside their guest network, meaning clients connected to the guest WAP cannot reach each other. (Then, depending on the particulars of the private networks, I also have additional firewall rules at the gateway level to deny/allow guest network clients from reaching other networks.) The guest network is my only use-case for client isolation, so I don't use it with any other network (and do not quite understand why you are using it with almost every single private network at your location).


The reason I mentioned that you should reset your devices is because I noticed multiple unusual settings in your first post. For example, in your /etc/config/network files:

there are two options -- namely, delegate and ap_isolation -- that are not listed in the OpenWrt documentation (https://openwrt.org/docs/guide-user/base-system/basic-networking). (If you restart your network settings via /etc/init.d/network restart and then check the syslog via logread, don't you see anything unusual there?)

In addition, your bat0 config contains ap_isolation 1, but you do not need it for your non-mesh clients (anyone joining your guest WAP, for example). Set it to ap_isolation 0 instead.


Then specifically talking about in your "dumb" AP, disable dnsmasq (and dhcp), firewall, and odhcpd, as follows:

/etc/init.d/dnsmasq stop && /etc/init.d/dnsmasq disable
/etc/init.d/odhcpd stop && /etc/init.d/odhcpd disable
/etc/init.d/firewall stop && /etc/init.d/firewall disable

This is what makes it "dumb" and ignore the respective config files in /etc/config/. I'm mentioning this because in your original post, you pasted the dhcp and firewall config files for your "dumb" AP, which should be ignored if the AP is actually "dumb".

And still in the "dumb" AP, notice that in /etc/config/wireless, its config wifi-iface 'mesh0' stanza has a duplicated option encryption. Also, now in the /etc/config/network config file, we have (a) a duplicated option, (b) use of options that do not exist, and (c) your AP does not even specify a protocol for the guest interface:

(For reference, see a standard mesh-bridge config here.)


Do you see what I mean? There are multiple strange things going on that make it so much harder to troubleshoot the client isolation issue you are experiencing, and I've not even mentioned the use of batctl to change batman-adv config. If you've not given up on the issue, then follow the suggestion in my previous message and let me know how it goes.

Can we dig a little deeper here? What exactly do you mean by "cannot reach"? Is it that they can't see each other? They can't ping each other? They can't see any ports on other clients?
I'm asking because when batctl -m bat0.4 ap 0, my clients can ping each other, but when it is batctl -m bat0.4 ap 1, no ping is possible and no ports are reachable. So they are not reachable! But they can still somehow see each other (IPv6?)

The guest network is my only use-case for client isolation

This case is good enough - one of the three "shared" vlans I'm setting up is a guest network. If I can set it up this way, I can just replicate the settings for the other vlans.

you should reset your devices

I respectfully disagree - this is not Windows 98 we are playing with here, and you shouldn't be reinstalling the OS every time you get a segfault from the Borland IDE...

there are two options -- namely, delegate and ap_isolation -- that are not listed in the OpenWrt documentation

You are looking in the wrong place:

In addition, your bat0 config contains ap_isolation 1 but you do not need it for your non-mesh clients

It does change the behavior - without it the clients can ping each other and with it they cannot. Nothing else changes.

Then specifically talking about in your "dumb" AP, disable dnsmasq (and dhcp), firewall, and odhcpd, as follows:

This has been done as my configuration is 95% based on your guide!

ignore the respective config files in /etc/config/

I didn't know that! Maybe this explains the lack of reaction of the dumb AP router to the firewall config change...

has a duplicated option encryption

Has been corrected previously

your AP does not even specify a protocol for the guest interface:

I've not even mentioned the use of batctl to change batman-adv config

Hey, that's the only thing that moves me in the right direction! :smiley:

I do think there's a bug with the batman VLAN config. I might even have it set up right, I'm just not sure what I should expect from client isolation really...

So this is indeed weird. I'm reading up on OSI, it says:

3. Network Layer

The network layer has two main functions. One is breaking up segments into network packets, and reassembling the packets on the receiving end. The other is routing packets by discovering the best path across a physical network. The network layer uses network addresses (typically Internet Protocol addresses) to route packets to a destination node.

That means that any discovery packet my phone might be sending (idk, ping or port scan or whatever) should indeed be routed through the gateway (remember destination node above?) IN ANY CASE, and the gateway should stop this discovery attempt - no matter what happens on Layer 2. And in fact batman's ap_isolation should have no effect on the behavior. But it does. What's going on there?

Or is it not going through the gateway? We have the option distributed_arp_table '1' enabled, which if I understand correctly keeps a table of IP-MAC records; we have 'bridge_loop_avoidance '1'' and 'aggregated_ogms '1'', which should in fact forward a packet directly to the destination without ever sending it to the gateway, before it even has a chance to pass through the firewall. Is that what you were trying to tell me, guys?

Packets on a given LAN don't go through the gateway ever. On a single LAN they just go through switches. For a situation like a BATMAN mesh, they get shunted through the various bridges.

https://www.open-mesh.org/projects/batman-adv/wiki/Ap-isolation

says that it doesn't do anything to stuff connected via wired links. If you have any wired LAN clients, you won't be able to isolate them with BATMAN alone.

What exactly is the behavior you're trying to achieve? Be as specific as possible please!

If you have any wired LAN clients

No, not on the VLANs

What exactly is the behavior you're trying to achieve? Be as specific as possible please!

Currently I got as far as this:

  1. A phone connected to the wireless iot network and running a network scanner (such as Fring or Net Analyzer) is able to list all the other devices on the network and Fring even says they are "online".
  2. When I try to ping another device, I get 100% packet loss
  3. Traceroute hops fail every time
  4. The scanners cannot find any open ports

If I disable batman's isolation (but not wireless AP isolation), I can ping other devices and see open ports on them.

I am trying to figure out if this is expected behavior and how the network analyzer and Fring are able to discover all the other devices when there are no open ports and no pings possible. Can complete stealth be achieved in this scenario?

Well, I was hoping you could tell me what you wanted rather than what you've currently got.

But based on your question about "complete stealth" I'd say it sounds like what you want is that any device connected to your wifi access points can only send to / receive from the MAC address of the gateway/router.

is that right?

Btw I tried one more thing. I enabled firewall on the ASUS dumb AP bridge and configured the following rules:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config include
        option path '/etc/firewall.user'

config zone
        option name 'iot'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'iot'
        option output 'ACCEPT'

config rule
        option dest_port '67'
        option src 'iot'
        option name 'iot_DHCP'
        option target 'ACCEPT'
        list dest_ip '192.168.10.1'   # this is the ARCHER gateway running DHCP and DNS and giving internet access

config rule
        option dest_port '53'
        option src 'iot'
        option name 'iot_DNS'
        option target 'ACCEPT'
        list dest_ip '192.168.10.1'

And it didn't change the behavior in any way.

That I'm not sure about. I want the scanners to not show other devices on the networks - if this is only achievable by clients only talking to the gateway MAC, then yes, that's it.

Yeah, that's basically the gist of it. Within the LAN you want devices to only talk to the gateway, not others in the same LAN, and that's basically at the MAC level.

So basically I got it all then, right? This IS the isolation as is understood by everybody - can see, but can't talk. Client isolation is NOT stealth, correct?

No, I'm still not sure what's achievable, nor what client isolation really does/is supposed to do... But it seems like you should be able to achieve your "stealth" idea.

Here's an interesting read:

Linux

To configure a NIC for stealth mode in Linux, disable the Address Resolution Protocol (ARP), which breaks the link between the IP address and the MAC address of the interface. Run the following commands, replacing <interface> with the NIC's name, for example, eth0.

* To configure a NIC for stealth mode, run this command:

ifconfig <interface> -arp up

* To return the NIC to normal mode, run this command:

ifconfig <interface> arp up

Important:

Network Agent can work with a stealth mode NIC only if the interface retains its old IP address in the Linux system configuration file, /etc/sysconfig/network-scripts/ifcfg-<adapter name>.

Yeah, that's not relevant to your situation. That's to make a client unable to be reached, and it's IPv4 only.

Do I have it right that you've got several devices, each one has an AP bridged to a batman device? And the batman links are entirely over wifi not wired batman links?

Yes, that's correct. Two wireless mesh nodes.

OK, let's call them node A and node B... If you connect two devices to the AP on node A, can they see each other? Or only when one device is on A and one on B? How about if both are on B?

Once we've got that established, we can see where the issue lies.

Node G (gateway) and B (bridge)
Both devices connected to G, both nodes are on - yes, I can see the other devices
Both devices connected to G, only G node is on - no, I cannot see the other devices
Both devices connected to B, both nodes are on - yes, I can see the other devices
Both devices connected to B, only G node is on - no, I cannot see the other devices
One device on G, one on B, both nodes are on - yes, I can see the other devices
I cannot connect to any of the nodes when both of them are off :frowning:

And I think I found the culprit:
This option keeps a copy of the ARP table on (some) nodes:
option distributed_arp_table 1
If I understand correctly what is happening here, the scanner goes through the IPs in the subnet, asking "Where's 192.168.40.1?". The first thing batman does is check the ARP table it has locally - and instantly replies: "It's at 08:CD:AB:34:12". Oh, great, the scanner says - dear user, I found a device! And continues through the range.
So to keep the devices stealthy, you need to both disable the distributed ARP table AND enable ap_isolation.


Here's the solution:
To prevent VLAN client communication, it is necessary to:

  1. Set the respective wireless interfaces to isolate: option isolate '1' in /etc/config/wireless
  2. Set the respective batman VLANs (bat0.xxxx) to isolate: option ap_isolation '1' in /etc/config/network
    However, there seems to be a bug in the batman implementation that sets ap_isolation to 0 (hardcoded):
    atomic_set(&vlan->ap_isolation, 0);, check
    https://github.com/open-mesh-mirror/batman-adv/blob/master/net/batman-adv/soft-interface.c
    To get around this, use batctl -m bat0.2 ap 1 to force the setting every time a batman VLAN goes up.
    I do it in a hotplug.d script (note the interface names are specific to my setup):
root@asus:~# cat /etc/hotplug.d/iface/bat_ap_isol
#!/bin/sh
# Re-apply batman-adv ap_isolation on the VLAN behind each isolated
# interface, because it comes up with ap_isolation reset to 0.

# Only act when an interface comes up or is updated.
[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0

# Only the isolated VLAN interfaces of this setup.
[ "$INTERFACE" = work -o "$INTERFACE" = guest -o "$INTERFACE" = iot ] || exit 0

logger -t batman "Reenabling ap_isolation due to $ACTION of $INTERFACE ($DEVICE)"

# Map each logical interface to its batman VLAN device and force ap_isolation on.
case "$INTERFACE" in
    work)  batctl -m bat0.3 ap 1 ;;
    guest) batctl -m bat0.2 ap 1 ;;
    iot)   batctl -m bat0.4 ap 1 ;;
esac

With this setup the clients will be aware of each other because of how batman operates, but won't be able to communicate (also, I believe, subject to how the firewall is set up).

To achieve complete client-to-client stealth in a VLAN, it is necessary to also disable batman's distributed ARP table: option distributed_arp_table 0 in the bat0 stanza in /etc/config/network.

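An added example, not code from the thread or from the batman-adv project, that turns the workaround above into a check: it reads the VLAN stanzas from an OpenWrt /etc/config/network, lists every batman VLAN that is configured with ap_isolation '1', emits the batctl commands a hotplug script would need (so the interface names need not be hard-coded), and, on a live node, compares the configured value with what the kernel actually reports. It assumes the UCI syntax shown in this thread (config interface '<name>' with option device or ifname 'bat0.<N>' and option ap_isolation '1') and that `batctl -m <dev> ap` prints "enabled" or "disabled"; the sample config embedded in it is constructed, and its proto values are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit batman-adv VLAN ap_isolation
# from /etc/config/network and generate the batctl commands to re-apply it.
# Assumptions: UCI stanzas as in the thread (config interface '<name>',
# option device|ifname 'bat0.<N>', option ap_isolation '1'), and that
# `batctl -m <dev> ap` prints "enabled" or "disabled".

# Constructed sample config for offline use; names and protos are made up.
sample_config() {
cat <<'EOF'
config interface 'bat0'
    option proto 'batadv'
    option distributed_arp_table '0'

config interface 'guest'
    option proto 'batadv_vlan'
    option device 'bat0.2'
    option ap_isolation '1'

config interface 'work'
    option proto 'batadv_vlan'
    option device 'bat0.3'
    option ap_isolation '0'

config interface 'iot'
    option proto 'batadv_vlan'
    option ifname 'bat0.4'
    option ap_isolation '1'
EOF
}

# isolated_vlans: read a UCI network config on stdin and print
# "<interface> <device>" for each interface stanza that asks for
# ap_isolation '1' on a bat0.N device. Quotes are stripped first so the
# awk parser only sees bare words.
isolated_vlans() {
    tr -d "'\"" | awk '
        function emit() {
            if (name != "" && iso == "1" && dev ~ /^bat0\.[0-9]+$/) print name, dev
            name = ""; dev = ""; iso = ""
        }
        $1 == "config" { emit(); if ($2 == "interface") name = $3; next }
        $1 == "option" && ($2 == "device" || $2 == "ifname") { dev = $3 }
        $1 == "option" && $2 == "ap_isolation" { iso = $3 }
        END { emit() }'
}

# batctl_commands: the commands a hotplug script must run after each VLAN
# comes up, derived from the config instead of hard-coded.
batctl_commands() {
    isolated_vlans | while read -r name dev; do
        printf 'batctl -m %s ap 1   # %s\n' "$dev" "$name"
    done
}

# isolation_ok: succeed only if batctl reported the VLAN as isolated.
# Takes the batctl output as $1 so it can be exercised without a mesh.
isolation_ok() {
    case "$1" in
        enabled*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_live: configured vs running state; needs batctl on the node.
audit_live() {
    isolated_vlans | while read -r name dev; do
        state=$(batctl -m "$dev" ap 2>/dev/null)
        if isolation_ok "$state"; then
            echo "$name ($dev): ap_isolation enabled"
        else
            echo "$name ($dev): ap_isolation NOT enabled (batctl says '$state'); run: batctl -m $dev ap 1"
        fi
    done
}
```

On a node, source the file and run `audit_live < /etc/config/network` after a reboot or `ifup` to see whether any VLAN has silently dropped back to ap_isolation 0; `batctl_commands < /etc/config/network` prints the lines to put in the hotplug script. Note that the wireless-side `option isolate '1'` is a separate setting in /etc/config/wireless and is not covered by this check.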
