I have four APs and one router. All of them run OpenWRT. They work fine for trusted clients, which roam freely.
I have also created an additional "Guest WLAN" across my four APs. Guest WiFi traffic is tagged as VLAN 5, which is then handled in the router by a specific "APGUEST" interface and routed according to its own firewall rules. It too works fine except for one thing: devices can ping each other as soon as they are connected to different APs. I would like to "isolate" WiFi clients so they can only surf the Internet but not talk to each other. But they should still be able to "roam" between APs (which have the same SSIDs and passwords; preferably with 802.11r enabled, if possible).
How do I isolate clients coming from different APs? (Enabling "client isolation" in WiFi seems to take care of isolation within the same AP.)
Should I create four different VLANs, one for each AP, and four interfaces to take care of their traffic? That would probably work, but how do I make sure a client retains its IP across all four interfaces?
In other words, I would like a client to receive IP 192.168.5.130 from DHCP when connected to AP1 and be able to "roam" to AP2 or AP3 while retaining that IP, all while being "isolated" from other clients, which might be connected to the same or a different AP.
All your APs have one (the same) SSID with one (the same) password for one (the same) VLAN. Not VLAN5 to VLAN8. Just VLAN5.
Your central router has one subnet and one DHCP server for VLAN5.
Your APs isolate clients on that SSID.
So when clients are connected to this guest SSID on different APs, the APs will send the traffic to the router. There, you can identify guest traffic by the IP address. In your firewall rules, you prohibit traffic stemming from that subnet to destinations in that subnet.
I have that exact same setup up and running. Handoff / roaming works like a charm. Clients on trusted SSID can talk to each other, suspicious IoT / smart home / guest devices can't.
You actually have two possibilities to isolate clients from each other on multiple access points:
A: Put every access point into its own VLAN and enable client isolation on them. You either have to live with different subnets then or use a DHCP relay instead to keep one address range for all your access points. In this case you can use iptables to prevent the clients from talking to each other, as the traffic between VLANs gets routed.
B: Keep one single VLAN for your guest network/all access points and again enable client isolation on them. The problem here is that traffic between two clients is switched, and iptables isn't helping to isolate your clients. ebtables and a bridge can achieve that: https://forum.openwrt.org/t/client-isolation/13914/31
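As an added example (not code from this thread, from the linked post, or from OpenWrt itself), here is a small POSIX sh script that covers both options above: for option A, the router-side fw3 zone that rejects forwarding between the per-AP guest networks while still allowing them out to wan; for option B, the per-AP ebtables rules that stop switched guest-to-guest frames on the AP's own bridge. Everything named in it is a placeholder: the router's guest networks are assumed to be called apguest1..apguest4, an AP's guest bridge is assumed to join the uplink eth0.5 and the guest wireless interface wlan0-1, the gateway MAC is whatever the router's VLAN 5 interface uses, and the ebtables and kmod-ebtables packages are assumed to be installed on each AP. Without APPLY=1 the script only prints the commands it would run, so it can be reviewed first.

```shell
#!/bin/sh
# Guest-WLAN client isolation helpers for OpenWrt 18.06 (fw3/iptables on the
# router, ebtables on the APs). Added example, not code from the thread.
# Assumed (hypothetical) names:
#   apguest1..apguest4  per-AP guest networks on the router (option A)
#   eth0.5 / wlan0-1    uplink and guest wireless interface in an AP's bridge (option B)
#   GW_MAC              MAC address of the router's VLAN 5 interface
# Assumes the ebtables and kmod-ebtables packages are installed on each AP.
# Without APPLY=1 every command is only printed instead of executed.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# A typo in the gateway MAC would cut every guest off from the router,
# so validate it before building rules around it.
mac_valid() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Option A (on the router): each AP has its own VLAN/interface, so guest-to-guest
# traffic crosses the router and fw3 can reject it. All guest networks share one
# zone whose forward policy is REJECT; only guest -> wan forwarding is allowed.
# Keeping one address range across those VLANs (DHCP relay) is not covered here.
guest_l3_isolation() {
    run uci set firewall.guest=zone
    run uci set firewall.guest.name=guest
    run uci set firewall.guest.network="$*"
    run uci set firewall.guest.input=REJECT
    run uci set firewall.guest.output=ACCEPT
    run uci set firewall.guest.forward=REJECT      # no routing between guest VLANs
    run uci set firewall.guest_wan=forwarding
    run uci set firewall.guest_wan.src=guest
    run uci set firewall.guest_wan.dest=wan
    run uci set firewall.guest_dns=rule             # guests still need DHCP and DNS
    run uci set firewall.guest_dns.name=Allow-guest-DHCP-DNS
    run uci set firewall.guest_dns.src=guest
    run uci set firewall.guest_dns.proto="tcp udp"
    run uci set firewall.guest_dns.dest_port="53 67"
    run uci set firewall.guest_dns.target=ACCEPT
    run uci commit firewall
    run /etc/init.d/firewall restart
}

# Option B (on every AP): one VLAN, so guest-to-guest frames are switched and
# never reach the router's iptables. Filter on the AP's bridge instead:
#  1. frames from the wired uplink may reach guest wireless only if the gateway
#     sent them (drops unicast, ARP and broadcasts coming from other guests);
#  2./3. frames from guest wireless to the uplink may be unicast only to the
#     gateway; broadcast/multicast (DHCP discover, ARP for the gateway) still
#     passes here and is dropped by rule 1 on every other AP.
# Guests on the same AP are already separated by the wireless "isolate" option.
guest_l2_isolation() {
    gw_mac=$1 uplink=$2 wlan=$3
    mac_valid "$gw_mac" || { echo "invalid gateway MAC: $gw_mac" >&2; return 1; }
    run ebtables -A FORWARD -i "$uplink" -o "$wlan" -s '!' "$gw_mac" -j DROP
    run ebtables -A FORWARD -i "$wlan" -o "$uplink" -d "$gw_mac" -j ACCEPT
    run ebtables -A FORWARD -i "$wlan" -o "$uplink" -d Unicast -j DROP
}

# Usage: APPLY=1 ./guest-isolate.sh router apguest1 apguest2 apguest3 apguest4
#        APPLY=1 ./guest-isolate.sh ap 00:11:22:33:44:55 eth0.5 wlan0-1
case "${1:-}" in
    router) shift; guest_l3_isolation "$@" ;;
    ap)     shift; guest_l2_isolation "$@" ;;
esac
```

Two caveats a practitioner should keep in mind. The option B rules only work if every AP on the guest VLAN runs them: the ingress rule on AP2 is what stops a guest on AP1 from reaching AP2's clients, so a single AP without it leaks. And the rules key on the gateway's MAC, which is not authenticated; a guest that forges the gateway's source MAC can still get broadcast frames through to guests on other APs, so this is port-level isolation, not a substitute for treating the guest VLAN as hostile at the router.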
Hi, my router is an x86 two-core AES-NI Atom mini PC with two NICs running OpenWRT 18.06. The APs are Archer C7 v2s, also running OpenWRT 18.06. There is a smart switch between the APs and the router (supporting VLAN tagging).
Thank you very much for your hints. Just a couple of questions:
Is "ebtables" a package I can install via opkg?
I have heard that ebtables is somewhat hard on CPU resources. Is installing and using "ebtables" going to affect/slow down my other traffic? (I do not care if ebtables makes the guest WiFi somewhat slower as long as the rest of the traffic still uses "default" routing.)
The built-in 2.4GHz on the Archer C7 is so much better than on the x86 router (using a mini-PCI card) that four APs were overkill (the trusted WLAN uses 5GHz only). So I decided for the time being to just run the guest WLAN off one AP, as it covers the whole house.
Otherwise, my plan was to run four unbridged VLANs (one for each AP) and let them share the same DHCP (if possible). 802.11r would not work in such a config, but it would be a rather straightforward setup that would not require (for me) unconventional ebtables.