But, I thought I had to streamline things, so I used AP's Linksys WRT54G(S) with a modified firmware.
Activated ebtables in the WRT54G(S)'s and I entered this:
#Accept DHCP to go everywhere (meaning: broadcasting without special MAC info)...
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-destination-port 67:68 -j ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT
#Accept also arp-ing...
ebtables -t broute -A BROUTING -i eth1 -p arp -j ACCEPT
#For the rest, allow [b]only [/b]our gateway MAC (please insert yours) as a destination...
ebtables -t broute -A BROUTING -i eth1 -d ! 00:01:02:03:04:05 -j redirect --redirect-target DROP
Done. No more com possible between clients. Period.
DHCP broadcasts are still visible to all, but the rest of the (radio) communication is just client<->AP<->pfSense.[edit] By the way: these AP's (with the Sveasoft firmware, to name the house) offer already 'Client Isolation', but that only works for all the clients connected to one AP - not from 'seeing' each other if they are connected to 2 different AP's. As already said, I have many AP's all over the place.
can this setup be implemented on openwrt?
i want to isolate the wifi clients on the rest of the network including other wifi clients on other wifi ap.
client isolation on wifi will only isolate the client from other clients on the same wifi ap.