Client isolation on guest vlan in BATMAN mesh doesn't work

So basically I got it all then, right? This IS the isolation as is understood by everybody - can see, but can't talk. Client isolation is NOT stealth, correct?

No, I'm still not sure what's achievable, nor what client isolation really does/is supposed to do... But it seems like you should be able to achieve your "stealth" idea.

Here's an interesting read:

Linux

To configure a NIC for stealth mode in Linux, disable the Address Resolution Protocol (ARP), which breaks the link between the IP address and the MAC address of the interface. Run the following commands, replacing <interface> with the NIC's name, for example, eth0.

To configure a NIC for stealth mode, run this command:

ifconfig <interface> -arp up

To return the NIC to normal mode, run this command:

ifconfig <interface> arp up

Important

Network Agent can work with a stealth mode NIC only if the interface retains its old IP address in the Linux system configuration file, /etc/sysconfig/network-scripts/ifcfg-<adapter name>.

Yeah, that's not relevant to your situation. That's to make a client unreachable, and it's IPv4 only.

Do I have it right that you've got several devices, each one has an AP bridged to a batman device? And the batman links are entirely over wifi not wired batman links?

Yes, that's correct. Two wireless mesh nodes.

OK let's call them node A and node B... if you connect two devices to the AP on node A can they see each other? or only when one device is on A and one on B? How about if both are on B?

Once we've got that established, we can see where the issue lies.

Node G (gateway) and B (bridge)
Both devices connected to G, both nodes are on - yes, I can see the other devices
Both devices connected to G, only G node is on - no, I cannot see the other devices
Both devices connected to B, both nodes are on - yes, I can see the other devices
Both devices connected to B, only G node is on - no, I cannot see the other devices
One device on G, one on B, both nodes are on - yes, I can see the other devices
I cannot connect to any of the nodes when both of them are off :(

And I think I found the culprit:
This option keeps a copy of arp table on (some) nodes:
option distributed_arp_table 1
If I understand correctly what is happening here, the scanner goes through the IPs in the subnet, asking "Where's 192.168.40.1?". The first thing batman does is check the ARP table it has locally and instantly reply: "it's at 08:CD:AB:34:12". Oh, great, the scanner says: dear user, I found a device! And it continues through the range.
So to keep the devices stealthy, you need to both disable the distributed arp table AND enable ap_isolation.

2 Likes

Here's the solution:
To prevent vlan client communication, it is necessary to:

  1. Set respective wireless interfaces to isolate: option isolate '1' in /etc/config/wireless
  2. Set respective batman vlans (bat0.xxxx) to isolate: option ap_isolation '1' in /etc/config/network
    However, there seems to be a bug in batman implementation that sets ap_isolation to 0 (hardcoded):
    atomic_set(&vlan->ap_isolation, 0);, check
    https://github.com/open-mesh-mirror/batman-adv/blob/master/net/batman-adv/soft-interface.c
    To get around this, use batctl -m bat0.2 ap 1 to force the setting every time a batman VLAN goes up.
    I do it in a hotplug.d script (note the interface names are specific to my setup):
root@asus:~# cat /etc/hotplug.d/iface/bat_ap_isol
#!/bin/sh
# Re-apply ap_isolation on the batman VLAN that backs a logical interface
# whenever that interface comes up (interface names are specific to this setup).

[ "$ACTION" = ifup ] || [ "$ACTION" = ifupdate ] || exit 0

case "$INTERFACE" in
    work)  vlan=bat0.3 ;;
    guest) vlan=bat0.2 ;;
    iot)   vlan=bat0.4 ;;
    *)     exit 0 ;;
esac

logger -t batman "Reenabling ap_isolation due to $ACTION of $INTERFACE ($DEVICE)"
batctl -m "$vlan" ap 1

With this setup the clients will be aware of each other because of how batman operates, but won't be able to communicate (also, I believe, subject to how the firewall is set up).

To achieve complete client-to-client stealth in a VLAN, it is necessary to also disable batman's distributed ARP table: option distributed_arp_table 0 in the bat0 stanza in /etc/config/network.

3 Likes
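The two settings the thread converges on (distributed_arp_table off on bat0, ap_isolation on for each batman VLAN) are easy to get half right, and a node that is rebooted or re-provisioned can silently lose them. The script below is an added example, not code from the original posts or from the batman-adv or OpenWrt projects: it audits an OpenWrt /etc/config/network for both settings and prints the uci commands that would correct it. The stanza layout it expects (a proto batadv stanza for the mesh interface, proto batadv_vlan stanzas with device bat0.N for the VLANs), the section names and the embedded sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit an OpenWrt
# /etc/config/network for the two batman-adv settings the solution above
# depends on and print the `uci set` commands that would correct them:
#   - distributed_arp_table '0' on the mesh interface (proto batadv)
#   - ap_isolation '1' on every batman VLAN stanza (device bat0.<vid>)
# The stanza layout (proto batadv / batadv_vlan, device bat0.N), the
# section names and the sample config below are assumptions.

# Flatten a UCI file into "section option value" lines. Handles the
# `config <type> '<name>'` / `option <name> '<value>'` layout used in
# /etc/config/network; `list` entries are not needed here and are skipped.
uci_flatten() {
    awk -v q="'" '
        $1 == "config" { sec = $3; gsub(q, "", sec); next }
        $1 == "option" && sec != "" {
            val = $3; gsub(q, "", val); print sec, $2, val
        }
    ' "$1"
}

# audit_batman_config FILE MESHIF
# Prints one `uci set` line per deviation (sorted, so output is stable),
# nothing when FILE already has the stealth settings. A missing option is
# treated as the batman-adv default (DAT on, ap_isolation off) and flagged.
audit_batman_config() {
    uci_flatten "$1" | awk -v mesh="$2" '
        $2 == "proto" && $3 == "batadv" { meshsec[$1] = 1 }
        $2 == "device"                  { dev[$1] = $3 }
        $2 == "distributed_arp_table"   { dat[$1] = $3 }
        $2 == "ap_isolation"            { iso[$1] = $3 }
        END {
            for (s in meshsec)
                if (dat[s] != "0")
                    printf "uci set network.%s.distributed_arp_table=0\n", s
            # a stanza whose device is <mesh>.<vid> is a batman VLAN
            for (s in dev)
                if (index(dev[s], mesh ".") == 1 && iso[s] != "1")
                    printf "uci set network.%s.ap_isolation=1\n", s
        }
    ' | sort
}

# Constructed sample config: DAT still on, guest VLAN not isolated,
# iot VLAN already correct. Writes a temp file and prints its path.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config interface 'bat0'
    option proto 'batadv'
    option routing_algo 'BATMAN_IV'
    option distributed_arp_table '1'

config interface 'guest'
    option proto 'batadv_vlan'
    option device 'bat0.2'
    option ap_isolation '0'

config interface 'iot'
    option proto 'batadv_vlan'
    option device 'bat0.4'
    option ap_isolation '1'
EOF
    echo "$f"
}

cfg=$(sample_config)
audit_batman_config "$cfg" bat0   # on a node: audit_batman_config /etc/config/network bat0
rm -f "$cfg"
```

Running it against the sample prints the two fixes (DAT on bat0, ap_isolation on guest) and nothing for iot. The config file only tells you what will be applied at ifup; given the hardcoded reset the post describes, confirm the live state on the node with the same batctl syntax the post uses, with no value argument: batctl -m bat0.2 ap prints the current ap_isolation setting of that VLAN, and batctl -m bat0 dat prints whether the distributed ARP table is enabled.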
