Yes. I have at least three different locations that use client isolation inside their guest network, meaning clients connected to the guest WAP cannot reach each other. (Then depending on the particulars of the private networks, I also have additional firewall rules at the gateway-level to deny/allow guest network clients from reaching other networks.) The guest network is my only use-case for client isolation, so I don't use it with any other network (and do not quite understand why you are using it with almost every single private network at your location).
The reason I mentioned that you should reset your devices is because I noticed multiple unusual settings in your first post. For example, in your /etc/config/network files:
there are two options--namely, delegate and ap_isolation--that are not listed in the OpenWrt documentation (https://openwrt.org/docs/guide-user/base-system/basic-networking). (If you restart your network settings via /etc/init.d/network restart and then check the syslog via logread, don't you see anything unusual there?)
In addition, your bat0 config contains ap_isolation 1 but you do not need it for your non-mesh clients (anyone joining your guest WAP, for example). Set it to ap_isolation 0 instead.
Then, specifically talking about your "dumb" AP, disable dnsmasq (and dhcp), firewall, and odhcpd, as follows:
/etc/init.d/dnsmasq stop && /etc/init.d/dnsmasq disable
/etc/init.d/odhcpd stop && /etc/init.d/odhcpd disable
/etc/init.d/firewall stop && /etc/init.d/firewall disable
This is what makes it "dumb" and ignore the respective config files in /etc/config/. I'm mentioning this because in your original post, you pasted the dhcp and firewall config files for your "dumb" AP, which should be ignored if the AP is actually "dumb".
And still in the "dumb" AP, notice that in /etc/config/wireless, its config wifi-iface 'mesh0' stanza has a duplicated option encryption. Also, now in the /etc/config/network config file, we have (a) duplicated option, (b) use of options that do not exist, and (c) your AP does not even specify a protocol for the guest interface:
(For reference, see a standard mesh-bridge config here.)
Do you see what I mean? There are multiple strange things going on that make it so much harder to troubleshoot the client isolation issue you are experiencing, and I've not even mentioned the use of batctl to change batman-adv config. If you've not given up on the issue, then follow the suggestion in my previous message and let me know how it goes.
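
As an added example (not part of the post above, and not OpenWrt's own tooling): a small shell function that flags an option repeated inside one config stanza, the kind of duplicate pointed out for the mesh0 stanza. The function name uci_dupes and the sample config are assumptions constructed for illustration, not the poster's actual files.

```shell
#!/bin/sh
# Report `option` keys that occur more than once inside a single `config`
# stanza of a UCI file. `list` lines may repeat legitimately and are ignored.
uci_dupes() {
    awk '
        $1 == "config" {
            # New stanza: remember its type and optional name, forget seen options.
            section = $2 (NF >= 3 ? " " $3 : "")
            split("", seen)
            next
        }
        $1 == "option" && NF >= 2 {
            key = $2
            gsub(/[^A-Za-z0-9_]/, "", key)   # drop quotes around the option name
            if (seen[key]++ == 1)            # report once, on the second occurrence
                printf "line %d: duplicate option %s in config %s\n", FNR, key, section
        }
    ' "$1"
}

# Constructed sample in the style of /etc/config/wireless (values are made up).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
config wifi-iface 'mesh0'
    option device 'radio0'
    option mode 'mesh'
    option encryption 'sae'
    option key 'constructed-sample-key'
    option encryption 'none'

config wifi-iface 'guest'
    option device 'radio0'
    option encryption 'psk2'
    list maclist '00:11:22:33:44:55'
    list maclist '66:77:88:99:aa:bb'
EOF
    uci_dupes "$tmp"
    rm -f "$tmp"
}

demo
```

On a device, the same function can be pointed at the real files, for example uci_dupes /etc/config/wireless and uci_dupes /etc/config/network; no output means no stanza repeats an option.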