I've tried searching for this on the internet but have not found a fitting solution so far.
We offer internet access to our clients via a hotspot solution of an external company. They supplied us with a small PC that creates a tunnel to their servers on the internet and presents itself as a normal router (dns-server, dhcp-server, gateway) to the client devices.
If a client tries to access the internet and is not logged in then instead of whatever page they try to surf to a login page is displayed. The check whether a client is logged in or not is done via the MAC address of the client, so it is important that the server sees the MAC of each client.
Currently we have 8 access points. All of them running OpenWrt and all set up as dumb APs with the hotspot SSIDs bridged to the network the server is connected to.
My big problem is that while I can tick the box so that clients are isolated per access point they are of course still able to see the clients connected to other access points.
I was thinking about removing the bridge and instead doing some magic in the firewall settings so that clients of the hotspot SSID can only access the IP of the server and nothing else. But doesn't that create separate networks and the server would only ever see the MACs of the access points?
So basically what I'm asking for is if there is a solution where i can limit access of all clients to the IP address of the server while keeping the ability that the clients' MAC addresses actually reach the server. And can this be done without changing any configuration on the server?
Some managed switches support L2 port isolation schemes; this allows you to restrict traffic between ports even on the same VLAN. Here's an example howto for Zyxel enterprise class switches of the scenario you're describing; presumably this would work if you connect your APs to the vendor's server via this switch. (Note this feature is not available on the GS1900 series I have, which is more of a SOHO-class switch. Obviously you'd need to research that a switch can do what you want before buying it.)
It's not clear to me that there's anything you can do with ebtables on the APs that would prevent wireless clients on different APs and the same subnet from ARPing each other via the switch fabric.
However, I think you could use ebtables to accomplish it on an OpenWRT supported switch without investing in a potentially expensive enterprise L2 switch; but I have not tried this. If I'm not mistaken it would require a switch supported by DSA, so that each switch port can be treated as a separate interface without recourse to VLANs. Again, the goal is Layer 2 port isolation on the switch that is shared by all APs, such that the APs cannot reach each other at the ethernet frame level; they can only reach the upstream provider's router. (If the APs are not on a common switch it might get trickier depending on your exact topology.)
It's more a question of why you would want to use VLANs. They don't contribute to the solution in any way I can see, more an unhelpful complication. All you want to do is -- on the switch that links the AP to the uplink, if no one has a better idea -- say at the L2 level, "all the ports in a certain set can to talk to this other port, but not to each other". And VLANs don't help with that.
Edit: for completeness, VLANs will put your APs on different networks; from the provider upllink and/or from each other. You don't want that; they are on the same network and you don't want to mess with that. You just want to isolate them from each other on the switch at Layer 2 while still allowing them to interact with the uplink.
Yes, but the APs don't have separate cable runs to a central location. I have 4 simple smart switches daisy-chained together and already using VLAN to separate three different networks. And the 9 different APs and the hotspot server are connected to the respectively closest switch. One VLAN is for managing the APs, one VLAN is connected to the "internal" SSID and one VLAN is connected to the hotspot SSID.
So I'm going to use VLANs anyway if I'm going to use a central OpenWrt device like you suggested.
And they are only separated into different networks until they are bridged at that central OpenWrt device where some kind of ebtables magic is hopefully able to prevent inter-bridge communication.
I don't see the difference to using DSA where I would need a device with 10 ports AND a managed switch with 10 ports just to temporarily make all of those VLANs untagged and then join them back together in a bridge. Okay, the difference is a lot more money, but from a software standpoint it should be the same.
Okay, as I said, was making some simplifying assumptions about your topology. I can't make solid enough inferences about your situation from that description to contribute further.
BTW I wasn't suggesting both a managed switch and a DSA-capable OpenWRT device, rather using the latter in place of the former, since you'll be able to run arbitrary commands on it. But again, it sounds like you've got some complexity built into your present design that affects this in ways I can't really guess at.