1x Router LAN port connected to a self-hosted server
2.5G WiFi AP point enabled with SSID "okayokay"
5G WiFi AP point enabled with SSID "fastfast"
(Isolate clients checkbox is checked/enabled for both APs)
What I want happening:
Completely isolate all WiFi clients (inter and intra AP/SSID and every other way) so that a compromise/malware of one client cannot infect other clients
Allow all WiFi clients to access the self-hosted server (via the wireguard server on it) (could the clients end up communicating inside the server when they are connected to it?)
I mostly have a default out-of-box config (only changed root password and set up WiFi APs through the web interface only). How can I achieve what I want happening? My router has enough RAM, Flash, and CPU power for mostly anything.
I really appreciate any inputs.
Thank you in advance!!
As you mentioned, you have the isolate clients option enabled. This will prevent all wifi devices from talking to each other provided that there is only a single access point. It will not isolate wifi from ethernet and vice versa. Where multiple APs are in use, wifi client devices connected to one AP 'appear' to be ethernet connected from the perspective of the other AP.
Wireguard isn't necessary for devices already on your network to access your server, unless there is some other purpose for Wireguard. (I'm assuming the server is on the same network).
So that means for instance all clients on fastfast are completely isolated from each other, but clients on fastfast can talk to clients on okayokay; is that correct? If so, how can I also isolate them?
Also, how easy is it for clients on fastfast to bypass isolation and end up talking to each other?
Yeah, they are on the same network as described in my setup in the original post. I implemented wireguard as I also want to allow accessing my server remotely sometime soon and wanted to reduce the leak and open-ports attack surface.
I did not really understand what you meant by "different networks." I would really appreciate it if you could guide me a bit with it or point me to a guide/docs!
Yes, on some devices (and older versions of OpenWrt) an additional step of creating a VLAN is needed. On others (DSA-based), you just hit "Add" on the network interfaces web GUI page.
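As an added illustration of the "different networks" approach described in the replies above (this is example configuration written for this page, not config posted by anyone in the thread), the UCI fragments below put each SSID on its own interface and firewall zone. Each zone only gets DHCP and DNS from the router plus one hole to the server's WireGuard port; there is no zone forwarding between okayokay and fastfast, so isolation no longer depends on the per-AP "isolate" flag alone. The radio names, subnets, the server address 192.168.1.10 and port 51820 are assumptions and must be replaced with your own values.

```uci
# /etc/config/network (fragment). Subnets are placeholders.
config device
        option name 'br-okay'
        option type 'bridge'

config interface 'okay'
        option device 'br-okay'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config device
        option name 'br-fast'
        option type 'bridge'

config interface 'fast'
        option device 'br-fast'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

# /etc/config/wireless (fragment): one SSID per network, isolate kept on
# so clients on the same AP still cannot reach each other at layer 2.
# radio0/radio1 are assumed names; keep your existing encryption settings.
config wifi-iface 'okay_ap'
        option device 'radio0'
        option mode 'ap'
        option ssid 'okayokay'
        option network 'okay'
        option isolate '1'
        option encryption 'psk2'
        option key 'CHANGE-ME'

config wifi-iface 'fast_ap'
        option device 'radio1'
        option mode 'ap'
        option ssid 'fastfast'
        option network 'fast'
        option isolate '1'
        option encryption 'psk2'
        option key 'CHANGE-ME'

# /etc/config/dhcp (fragment): hand out leases on the new interfaces
config dhcp 'okay'
        option interface 'okay'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'fast'
        option interface 'fast'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall (fragment). Each zone rejects input and forwarding
# by default; no 'config forwarding' section exists between okay, fast
# and lan, so only the explicit rules below pass traffic.
config zone
        option name 'okay'
        list network 'okay'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'fast'
        list network 'fast'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Router services the clients need: DHCP and DNS only (shown for 'okay';
# repeat with src 'fast' for the other zone).
config rule
        option name 'okay-dhcp'
        option src 'okay'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'okay-dns'
        option src 'okay'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# The single permitted path into the LAN: the server's WireGuard port.
# 192.168.1.10 and 51820 are placeholders for your server and listen port.
config rule
        option name 'okay-to-wireguard'
        option src 'okay'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'
```

After editing, apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart` (or `wifi reload` for the wireless change) and confirm from a client on fastfast that a ping to a client on okayokay fails while the WireGuard handshake to the server still completes. One caveat on the question about clients "communicating inside the server": this router configuration only governs traffic outside the tunnel. Once clients are WireGuard peers of the server, whether they can reach each other through the tunnel is decided by the server's own forwarding and firewall settings, not by these zones.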