So for some reason clients can still ping each other, and probing the network for clients with my Android phone also works, so I can discover any active host on my guest network using an app called Port Authority...
"My Setup"
LAN Router IP: 192.168.1.1
Guest Network IP: 192.168.55.1
option isolate '1' on both of my guest wifi APs
Firewall Rules (without the default rules):
..........................
config rule
	option src 'wifi_guest'
	option dest 'lan'
	option name 'Disable Guest Lan Access'
	option target 'REJECT'
	option dest_ip '192.168.1.0/24'

config rule
	option target 'DROP'
	option src 'wifi_guest'
	option dest 'wan'
	option dest_ip '192.168.254.0/24'
	option name 'Disable Modem Access'

config rule
	option src 'wifi_guest'
	option dest 'wifi_guest'
	option name 'Block Guest to Guest [ISOLATE]'
	option target 'REJECT'

config rule
	option src 'wifi_guest'
	option name 'Disable Router Access [HTTP]'
	option dest_port '80'
	option target 'DROP'

config rule
	option src 'wifi_guest'
	option dest_port '443'
	option target 'DROP'
	option name 'Disable Router Access [HTTPS]'

config rule
	option src 'wifi_guest'
	option name 'Disable Router Access [SSH]'
	option dest_port '22'
	option target 'DROP'

config rule
	option src 'wifi_guest'
	option name 'Disable Router Access [Telnet]'
	option dest_port '23'
	option target 'DROP'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan wan6 Modem'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'wifi_guest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option masq '1'

config redirect
	option target 'SNAT'
	option src 'wifi_guest'
	option dest 'lan'
	option proto 'all'
	option src_dip '192.168.1.1'
	option name 'Allow-Guest-Internet'

config forwarding
	option dest 'wan'
	option src 'wifi_guest'

config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
I don't know what I'm doing wrong here and I would appreciate a helping hand.
Basically all I want is completely isolated guest clients; they should only get access to the internet and nothing more...
What you want is client isolation. As long as there's just one AP, all you have to do is enable isolation; look in the docs for that option, or maybe it's just a check box in LuCI.
I've already enabled client isolation in the GUI and it's also present in my wifi config.
I've got a 5 GHz and a 2.4 GHz guest AP and both have this option ticked.
Is it that clients on opposite bands can talk to each other but clients on the same band are isolated? If so, you need to firewall and turn on the sysctls for bridge iptables.
I can ping and see clients within the 5 GHz guest AP when connected to 2.4 GHz and vice versa.
It's really driving me crazy as I don't know where the problem lies...
Nope, that works also... I've just tried it.
I was connected to my 5 GHz guest AP with a Win 10 laptop and could ping my Android phone connected to the 2.4 GHz guest AP.
Oh btw, I'm using a WRT3200ACM on the latest davidc build.
I feel like there should be an easy fix for this, and I find it kinda essential to get something like this to work with OpenWrt.
Sorry, misunderstanding.
I can't ping from a client which is connected to my 2.4 GHz guest AP to another client which is connected to the same 2.4 GHz guest AP.
I guess each of your APs is an interface in the same firewall zone. I think you just need to disable forwarding between interfaces in the same zone. It is on the Firewall page: choose Drop instead of Accept.
UPDATE: it will be at the bottom where your guest firewall zone is displayed.
The LAN interface within the guest zone is my VLAN link to my Tomato AP.
I can try to put a LAN client into my guest network (I have a guest VLAN because of the Tomato AP) and see if I can ping it from a wireless guest client...
I have a very similar setup with several APs and one wired port in the same guest zone and I only used AP isolation and disabled forward within the zone. Why does it work for me then without using ebtables? No one can ping anyone within the zone. And they cannot access LAN because the input rule for LAN is drop.
So I've just tested, and yes, a guest-LAN client is able to ping a guest-wifi client and vice versa...
I would love to know that as well... Maybe my setup is wrong from the beginning.
I'll need to reconfigure everything tomorrow, because I've got no more energy today.
Are your LAN clients within the guest network also isolated?
Choose Drop for Input for LAN and guest and that will fix it.
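The two zone policies the replies above keep coming back to (forward and input on the guest zone) can be checked mechanically before a reboot. The script below is an added example, not code from the thread or from OpenWrt itself: it parses a UCI firewall file with awk and reports a named zone whose `forward` or `input` policy is still `ACCEPT`. The sample config it audits is constructed for the demo; it pairs the thread's `wifi_guest` zone (input ACCEPT) with a hardened variant and a fully open one. A hardened guest zone with `input 'REJECT'` still needs explicit Allow-DHCP and Allow-DNS rules (not shown here) so guests get addresses and name resolution.

```sh
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt UCI firewall file for a
# guest zone whose policies still let guest clients reach each other or every
# service on the router. Zone names and the sample config are constructed.

# guest_zone_audit FILE ZONE
# Prints one finding per line for the named zone; prints nothing when the zone
# uses a non-ACCEPT policy for both input and forward.
guest_zone_audit() {
    awk -v zone="$2" -v q="'" '
        function check() {
            if (name != zone) return
            seen = 1
            if (forward == "ACCEPT")
                print "forward=ACCEPT: clients in zone " zone " may talk to each other"
            if (input == "ACCEPT")
                print "input=ACCEPT: clients in zone " zone " can reach every router service"
        }
        # a new "config zone" stanza: flush the previous zone, reset state
        $1 == "config" && $2 == "zone" {
            if (in_zone) check()
            in_zone = 1; name = input = forward = ""; next
        }
        # any other stanza ends the zone we were reading
        $1 == "config" { if (in_zone) check(); in_zone = 0; next }
        # collect the three options we care about, stripping the UCI quotes
        in_zone && $1 == "option" {
            val = $3; gsub(q, "", val)
            if ($2 == "name")    name = val
            if ($2 == "input")   input = val
            if ($2 == "forward") forward = val
        }
        END {
            if (in_zone) check()
            if (!seen) print "zone " zone " not defined"
        }
    ' "$1"
}

# Constructed sample: the guest zone from the thread, a hardened variant, and
# a zone with both policies open.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
config zone
	option name 'wifi_guest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'

config zone
	option name 'guest_hardened'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'

config zone
	option name 'guest_open'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'guest'
EOF

guest_zone_audit "$SAMPLE_CFG" wifi_guest       # one finding: input=ACCEPT
guest_zone_audit "$SAMPLE_CFG" guest_hardened   # prints nothing
guest_zone_audit "$SAMPLE_CFG" guest_open       # two findings
```

On a router the same function can be pointed at `/etc/config/firewall` with the real zone name; an empty result means both policies are already non-ACCEPT, and the per-port DROP rules in the thread's config become redundant once `input` is no longer ACCEPT.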
I do not think so; you are almost there. Having said that, I have just tested my setup and clients connected to different APs in the same guest firewall zone can only see each other if Accept is chosen for the Forward rule. If I set it to Drop, they cannot see each other.
No, this is a very different problem and I only have a single wired client that deserves this kind of treatment. But it is isolated from all the WiFi clients.