Help in implementing client isolation on entire network via ebtables

But I thought I had to streamline things, so I used Linksys WRT54G(S) APs with a modified firmware.
I activated ebtables on the WRT54G(S)s and entered this:

# Accept DHCP to go everywhere (meaning: broadcasting without special MAC info)...
# DHCP itself is UDP only, so the tcp rule is redundant but harmless.
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-destination-port 67:68 -j ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT

# Accept also arp-ing...
ebtables -t broute -A BROUTING -i eth1 -p arp -j ACCEPT

# For the rest, allow only our gateway MAC (please insert yours) as a destination...
# In the broute table, DROP means "route" rather than "bridge", so frames not
# addressed to the gateway are redirected to the AP instead of being bridged.
ebtables -t broute -A BROUTING -i eth1 -d ! 00:01:02:03:04:05 -j redirect --redirect-target DROP

Done. No more communication possible between clients. Period.
DHCP broadcasts are still visible to all, but the rest of the (radio) communication is just client<->AP<->pfSense.

[edit] By the way: these APs (with the Sveasoft firmware, to name the house) already offer 'Client Isolation', but that only works for the clients connected to one AP; it does not stop them from 'seeing' each other if they are connected to 2 different APs. As already said, I have many APs all over the place.

Can this setup be implemented on OpenWrt?

I want to isolate the wifi clients from the rest of the network, including other wifi clients on other wifi APs.
Client isolation on wifi will only isolate the client from other clients on the same wifi AP.
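The quoted rule set adapted for an OpenWrt AP, as an added example that is not from this thread; the interface name wlan0, the gateway MAC and the package names are assumptions to replace with your own:

```shell
#!/bin/sh
# Added example, not from the thread: the quoted WRT54G rule set parameterised
# for an OpenWrt AP. Assumes the ebtables and kmod-ebtables packages (plus
# kmod-ebtables-ipv4 for the ip/arp matches) are installed. WIFI_IF and GW_MAC
# are placeholders: set them to your wireless interface and pfSense LAN MAC.
WIFI_IF="${WIFI_IF:-wlan0}"
GW_MAC="${GW_MAC:-00:01:02:03:04:05}"

# Accept only a unicast MAC of the form xx:xx:xx:xx:xx:xx. A typo here would
# otherwise lock every client out of the gateway, so check before installing.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    # a set least-significant bit in the first octet marks a group address
    first=$(echo "$1" | cut -c1-2)
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Print the rules rather than running them, so they can be reviewed first.
isolation_rules() {
    ifc="$1"; gw="$2"
    valid_mac "$gw" || { echo "bad gateway MAC: $gw" >&2; return 1; }
    # DHCP is UDP only; clients need it before they know the gateway MAC
    echo "ebtables -t broute -A BROUTING -i $ifc -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT"
    # ARP so that clients can resolve the gateway
    echo "ebtables -t broute -A BROUTING -i $ifc -p arp -j ACCEPT"
    # everything else only if it is addressed to the gateway MAC
    echo "ebtables -t broute -A BROUTING -i $ifc -d ! $gw -j redirect --redirect-target DROP"
}

# Flush BROUTING and install the rules; run as root on the AP once the
# wireless interface is up (e.g. from /etc/rc.local).
apply_isolation() {
    ebtables -t broute -F BROUTING || return 1
    isolation_rules "$1" "$2" | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_isolation "$WIFI_IF" "$GW_MAC"
fi
```

As the later reply in this thread points out, this only separates clients on the same bridge; between APs the equivalent filtering has to be applied on the central router or switch.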

It would be easier to isolate the wifi to its own interface and zone.
Take the guest dumb AP as an example.


This is a network for a public "paid" wifi,
with multiple wifi APs.
It has a central server (pfSense) with a captive portal.
The client must be able to connect to the portal page and log in with the voucher code.

A guest dumb AP won't work.

The main point is that no user will be able to scan other users and spoof MAC addresses.

See this:

Then please consider: https://openwrt.org/inbox/donate


Can this also isolate clients from other APs?

No, that command only isolates between two branches of the same bridge; for example, when you bridge together (on the same router) a 2.4GHz radio with a 5GHz radio. If you have different APs (different routers), then you must apply equivalent measures on the main router / switch.