Client isolation while roaming across multiple AP's (using same IP)


This is continuation of my earlier topic:

I have four AP's and one router. All of them run OpenWRT. They work fine for trusted clients, which roam freely.

I have also created additional "Guest WLAN" across my four AP's. Guest WiFi traffic is tagged as VLAN 5 which is then handled in router by specific "APGUEST" interface and routed according its own firewall rules. It too works fine except one thing: devices can ping each other as soon as they are connected to different AP's. I would like to "isolate" WiFi clients so they can only surf the Internet but not talk to each other. But they should still be able to "roam" between AP's (which have same SSID's and passwords. Preferrably with 802.11r enabled, if possible).

How do I isolate clients coming from different AP's? (ebabling "client isolation" in WiFi seems to take care of isolation within the same IP).

Should I create four different VLAN's for each AP and four Interfaces take care of it's traffic? That would probably work but I do I make sure client retains its IP across all four interfaces?

With other words, I would like client to receive IP from DHCP when connected to AP1, be able to "roam" to AP2 or AP3 while retaining that IP, all while being "isolated" from other clients, which might be connected to same or different.

Is this doable? Thanks!

Your setup is exactly what you need, except for your central router's fsettings.

Your central router can only affect traffic that it handles, so WiFi Client Isolation at each AP is an essential setting for your scenario. You have already configured that.

To isolate clients of different APs within your guest VLAN, set up your central router such that traffic within the VLAN's subnet is disallowed. That's the whole trick.

Yes, that is exactly what I would like to do. But how do I do that in practice and still retain one DHCP server/IP range for all four VLAN's?

I will have VLAN5,VLAN6,VLAN7,VLAN8. All those VLAN's must have same subnet and device that for example receives IP must be able to "roam" from VLAN5 to VLAN6 and still retain that IP.

All your APs have one (the same) SSID with one (the same) password for one (the same) VLAN. Not VLAN5 to VLAN8. Just VLAN5.

Your central router has one subnet and one DHCP server for VLAN5.

Your APs isolate clients on that SSID.

So when clients are connected to this guest SSID on different APs, the APs will send the traffic to the router. There, you can identify guest access traffic by the IP address. In your firewall rules, you prohibit traffic stemming from that subnet to destiniations in that subnet.

I have that exact same setup up and running. Handoff / roaming works like a charm. Clients on trusted SSID can talk to each other, suspicious IoT / smart home / guest devices can't.


You actually have two possibilities to isolate clients from each other on multiple access points:

A: Put every access point into it's own vlan and enable client isolation on them. You either have to live with different subnets then or use a dhcp relay instead to keep one address range for all your access points. In this case you can use iptables to prevent the clients from talking to each other as the traffic between vlans gets routed.

B: Keep one single vlan for your guest network/all access points and again enable client isolation on them. The problem here is that traffic between two clients is switched and iptables aren't helping to isolate your clients. Ebtables and a bridge can achieve that:

Perfect for this scenario would be something like "private vlans": but unfortunately it is not available on OpenWrt.

what @accelerate said

with multiple vlans:
bridge them at the central router and make a non-forwarding (star) bridge like ebtables -P FORWARD DROP (or something more specific if you also want "normal" bridges)

with a single vlan:
use ebtables to drop all traffic at the edges (AP's) but arp/dhcp to the router macaddress.

the former is easier, more generic but "wastes" more resources on transporting stuff to the center that will be dropped there.
the later is more efficient but a little harder to implement right.

@Gruntruck I think you should make clear what your central router actually is (model + firmware / operating system).

Hi, my router is a x86 two-core AES-NI Atom mini PC with two NIC's running OpenWRT 18.06. AP's are Archer C7 V2's, also running OpenWRT 18.06. There is a smart switch between AP's and router (supporting VLAN taggning).

Thank you very much for your hints. Just couple of questions:

  1. is "ebtables" a package I can install via opkg?
  2. I have heard that ebtables is somewhat hard on CPU resources. Is installing and using "ebtables" going to affect/slow down my other traffic? (I do not care if ebtables are making guest WiFi somewhat slower as long as rest of traffic is still using "default" routing).

hope you found out for yourself by now, if not:

  1. yes
  2. maybe (try it)

Built in 2.4GHz on Archer C7 is so much better than on x86 router (using mini-PCI card) that four AP's were overkill (trusted WLAN uses 5GHz only). So I decided for time being to just run guest WLAN off one AP as it covers whole house.

Otherwise, my plan was to run four unbridged VLAN's (for each AP) and let them share same DHCP (if possible). 802.11r would not work in such config but it would be rather straight forward setup that would not require (for me) unconventional ebtables.