How to prevent Guest Network clients from communicating with each other?

Hmm...
The way Tomato sets up its network looks somewhat odd.

So why is it not working?

ebtables -A FORWARD --logical-in br-guest -j DROP

How can this rule even work on OpenWrt?
This can only work if dnsmasq (is it even dnsmasq on Tomato?) is listening on all interfaces/wildcard or on the bridge interface itself?

I would assume that the dnsmasq instance is bound to one specific interface
(that is part of the bridge) on Tomato.
And because of that, using the above rule breaks DHCP/DNS?

I think you should have used:
ebtables -A FORWARD --logical-in br1 -j DROP

And instead of iptables here
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
use ebtables to make the DHCP/DNS traffic flow through the bridge ports.

The question here is on which bridge port the dnsmasq instance listens.
# ebtables needs "-p IPv4" before any --ip-* match, otherwise it refuses the rule
ebtables -A FORWARD --logical-in br1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j ACCEPT   # DHCP client -> server
ebtables -A FORWARD --logical-in br1 -p IPv4 --ip-protocol udp --ip-source-port 67:68 -j ACCEPT        # DHCP server -> client
ebtables -A FORWARD --logical-in br1 -p IPv4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT      # DNS queries
ebtables -A FORWARD --logical-in br1 -p IPv4 --ip-protocol udp --ip-source-port 53 -j ACCEPT           # DNS replies
ebtables -A FORWARD --logical-in br1 -j DROP                                                           # everything else bridged inside br1

I think you can also make this work by using the iptables physdev module.
But I guess Tomato doesn't have this built in by default.

Can this work?

@shm0
Thanks for your input, but to be honest I pretty much gave up on Tomato... It is only frustrating me over time.
So I bought a D-Link DIR-860L B1, which I should get within the next two days, and then I'm going to set up everything with 2x OpenWrt routers (at least I'll try)... :wink:

Tomato is just too old, as dlakelan and Jeff already figured out. There is a recent build for my MIPSR2-based router available, but it's a fork of a build from 2015!

I think my explanation of why it isn't working is wrong.
Actually I'm not quite sure if it is possible to have the bridge configured without an IP
and have individual IPs assigned to the interfaces that are part of the bridge.
But that would defeat the purpose of the bridge?

I also missed your post that shows that the bridge actually has an IP assigned.

Too bad you gave up on Tomato, I want to know how to get this working? :wink:

I got it working, but only with 1 wired guest client; any other VLAN assigned to a new bridge will fail (clients cannot receive an IP address anymore).
Tomato is also limited to br0-br3, so 4 bridges in total... As I said, I will try to get everything done when I get my second OpenWrt router, but I think it should be no problem.

Hopefully the DIR-860L wasn't a bad pick, but I only paid 25 EUR for it, so it can't be bad. :wink:


I wish more people who were beating on older and/or poorly supported hardware took that course of action! I hear it's a great little router.


My DIR-860L is ready to go, but I don't get it done with the isolated guest AP on OpenWrt (wired+wifi) :frowning:
First of all I followed this tutorial and disabled the firewall: https://wiki.openwrt.org/doc/recipes/dumbap
My WRT3200: 192.168.1.1, guest interface 192.168.55.1
DIR-860L: 192.168.1.3, guest interface: 192.168.55.2 (do I even need the second guest interface on the DIR-860L?)

VLAN config WRT:
[screenshot: vlan_wrt]

VLAN config DIR-860L:
[screenshot: 860L_vlan]

I do get an IP of my normal LAN subnet at any port of the DIR-860L.
If I set LAN1-4 off (VLAN1) I'm not able to receive an IP address anymore (I'm testing with a wired client atm)...
I'm a bit lost....

edit: I got it done, with the following switch config on the 860L...
[screenshot: 860L_vlan_fixed]

My wifi APs are also set up, but isolation between wired and wifi clients doesn't seem to work again.
I guess for the ebtables "-A FORWARD --logical-in br-guest -j DROP" command I need the firewall up and running, is that correct?

So how do I enable isolation between my wired and wireless guest clients on the DIR-860L?
nvm: I need to install ebtables first, I am a silly billy again...

I can't install ebtables on my DIR-860L.

Installing ebtables (2018-05-15-66a97018-1) to root...
Downloading http://downloads.lede-project.org/snapshots/packages/mipsel_24kc/base/ebtables_2018-05-15-66a97018-1_mipsel_24kc.ipk
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for ebtables:
 * 	kernel (= 4.14.44-1-cfa316e572ea7fa890feb6abb050c445) * 
 * opkg_install_cmd: Cannot install package ebtables.

The build that I'm using has: Kernel Version 4.14.37...
How do I get this fixed?? :frowning:

You are running a snapshot, the kernel modules "expire" the next time the buildbot rebuilds...

I'd honestly just install stable, it will probably work for you. Otherwise install the latest snapshot, and also download all the kernel modules to your computer so that you can install kernel modules later.

Dammit, I'm using the optimized build from here: https://forum.openwrt.org/t/optimized-build-for-the-d-link-dir-860l (r6795) because the dev told me the last build is a bit "wonky"...

edit: stable = 18.06? Because wifi isn't working with that version... nvm, that is a snapshot as well.
Are you talking about CC 15.05.01??

stable = 17.01.4

If you're using someone's custom build, then perhaps they have a separate archive of packages and you just need to tell opkg where to get them? I think this is a question for your custom build source. Figure out how to get the packages that you need from the custom build, or if stable will work for you, and then come back and see if you can get your isolated setup going. Unfortunately I just don't know anything about your hardware, or the custom build you're using.

For example, with davidc's builds for the WRT3200acm I can always install any package because he includes a custom package feed in his builds.
The dev of the optimized 860L builds doesn't seem to do it for his builds... :frowning:

Wow, I was so close... to getting it done!

edit: I'm gonna try and install his latest build with the latest kernel.
I think stable isn't a good idea for the 860L as I read a lot of stuff got fixed for the wifi and I need decent wifi performance...

edit2: nvm, it didn't work out, the latest build is kernel 4.14.41 :frowning:

I'm going to flash the release version of 17.01.4 now.
I guess there is not even LuCI pre-installed?

Release versions typically have LuCI pre-installed (at least for "normal" devices). Snapshot builds (such as from openwrt-18.06 and master) do not have LuCI pre-installed.

@Jeff, yep, just tried it and LuCI was installed already....

I was able to install ebtables, but VLANs aren't working with this build.
Someone already mentioned that VLANs aren't working with earlier versions and there is a commit needed....

God dammit, I think I really have to learn how to build my own image; it's just so sick that my setup fails because I'm not able to install ebtables with the optimized build and there is no other pre-configured build with kernel 4.14.44 out there. 18.06 doesn't have working wifi, so I'm pretty much lost now!

It sucks to be an OpenWrt noob :frowning:
I am going to enjoy a barbecue now, otherwise my whole Sunday is kinda screwed...

edit: nvm, VLAN is working with 17.01.4, I'm gonna set up my guest APs now and see if it's working... pls wish me some luck!
I'm just wondering if I would need to disable/shut down my firewall to get my setup done.
Will the ebtables command work without having the firewall enabled?

So, looking back, one important idea is that we need the port that trunks between the router and the AP to let packets pass:

Show me what ebtables rules you're trying on your AP.

EDIT: also give the output of "ip addr show"

Just the one which is also working on my main router...
ebtables -A FORWARD --logical-in br-guest -j DROP

DIR-860L:

root@DIR-860L:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether a6:3e:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a43e:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
5: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether a6:3e:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.55.2/24 brd 192.168.55.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::a43e:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether a6:3e:XX:XX:XX brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 90:8d:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd02:XX:XX:XX::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::928d:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 90:8d:XX:XX:XX brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 90:8d:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::928d:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 90:8d:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::928d:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 90:8d:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::928d:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
12: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether 92:8d:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::908d:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
13: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether 92:8d:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::908d:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever

WRT3200acm:

root@WRT3200ACM:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 60:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 62:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6038:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
6: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
7: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
8: bond0: <BROADCAST,MULTICAST400> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
11: teql0: <NOARP> mtu 1500 qdisc noop state DOWN qlen 100
    link/void
12: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 62:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.55.1/24 brd 192.168.55.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::6038:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
13: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether 62:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 62:38:e0:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fde2:ec34:XX:XX/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::6038:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
15: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 62:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
16: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 60:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.254.1/24 brd 192.168.254.255 scope global eth1.2
       valid_lft forever preferred_lft forever
    inet6 fe80::6238:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
26: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp
    inet XX.XX.XX.XX peer XX.XX.XX.XX/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
27: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 60:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
28: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP qlen 1000
    link/ether 62:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6038:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
29: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 60:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever
30: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP qlen 1000
    link/ether 62:38:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6038:XX:XX:XX:XX/64 scope link
       valid_lft forever preferred_lft forever

I've only masked the MAC addresses, hopefully you don't need them...

Ok, with that ebtables rule you can never pass traffic to the router... so you need to let traffic go through the bridge, to and from the router. On your AP do:

ebtables -A FORWARD -i ! eth0.3 -o eth0.3 -j ACCEPT # allow AP clients to talk to router
ebtables -A FORWARD -i eth0.3 -o ! eth0.3 -j ACCEPT # allow router to talk to AP clients
ebtables -A FORWARD --logical-in br-guest -j DROP

EDIT: if you want additional isolated wired ports, you'll set them up on the AP as eth0.4 eth0.5 eth0.6 etc and add those to the br-guest bridge.

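As an added example (not code from the thread and not from dlakelan's reply above), here is that rule set wrapped in a small script for the AP, so it can be re-run from /etc/firewall.user or /etc/rc.local without piling up duplicate rules. It assumes the guest bridge is br-guest and the trunk port back to the main router is eth0.3, as in the ip addr output above; the chain name guest_isolation and the GUEST_BRIDGE/TRUNK_PORT variables are hypothetical choices of this example.

```shell
#!/bin/sh
# Added example, not the thread's own code: isolate guest clients on an OpenWrt
# dumb AP with ebtables while letting every client still reach the main router
# over the 802.1Q trunk (DHCP, DNS and internet all live behind that port).
# Assumptions: guest bridge br-guest, trunk port eth0.3, package ebtables
# installed. Chain name and variable names are hypothetical.

GUEST_BRIDGE="${GUEST_BRIDGE:-br-guest}"
TRUNK_PORT="${TRUNK_PORT:-eth0.3}"
CHAIN="guest_isolation"

# Emit the rules for one bridge/trunk pair, one ebtables argument list per line.
# ebtables is first-match, so the two ACCEPTs must precede the final DROP.
guest_isolation_rules() {
    bridge="$1"
    trunk="$2"
    # frames entering on any guest port (wired VLAN or guest SSID) and leaving
    # via the trunk: client -> router
    printf '%s\n' "-A $CHAIN --logical-in $bridge -i ! $trunk -o $trunk -j ACCEPT"
    # frames entering on the trunk and leaving via a guest port: router -> client
    printf '%s\n' "-A $CHAIN --logical-in $bridge -i $trunk -o ! $trunk -j ACCEPT"
    # anything else bridged inside the guest bridge is client <-> client: drop it
    printf '%s\n' "-A $CHAIN --logical-in $bridge -j DROP"
}

# The rules only make sense if the trunk is really a member of the bridge;
# otherwise no guest frame reaches the DHCP server and every client loses its lease.
trunk_in_bridge() {
    [ -e "/sys/class/net/$1/brif/$2" ]
}

apply_guest_isolation() {
    command -v ebtables >/dev/null 2>&1 || { echo "ebtables is not installed (opkg install ebtables)" >&2; return 1; }
    trunk_in_bridge "$GUEST_BRIDGE" "$TRUNK_PORT" || { echo "$TRUNK_PORT is not a port of $GUEST_BRIDGE" >&2; return 1; }

    # dedicated chain, flushed on every run, so re-applying is idempotent
    ebtables -N "$CHAIN" 2>/dev/null || ebtables -F "$CHAIN"
    ebtables -P "$CHAIN" RETURN
    # hook the chain into FORWARD exactly once, ahead of any other rule
    ebtables -D FORWARD --logical-in "$GUEST_BRIDGE" -j "$CHAIN" 2>/dev/null
    ebtables -I FORWARD 1 --logical-in "$GUEST_BRIDGE" -j "$CHAIN"

    guest_isolation_rules "$GUEST_BRIDGE" "$TRUNK_PORT" | while read -r rule; do
        # word splitting of $rule into separate ebtables arguments is intended
        ebtables $rule || exit 1
    done || return 1
}

# "sh guest_isolation.sh apply" installs the rules; with no argument only the
# functions are defined, so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    apply_guest_isolation
fi
```

Two caveats worth knowing before trusting the result. Frames between two clients of the same guest SSID are relayed by the wireless driver and never enter the bridge, so ebtables cannot drop them; set option isolate '1' on the guest wifi-iface in /etc/config/wireless for that case. And frames addressed to the AP itself (192.168.55.2) pass through the ebtables INPUT chain, not FORWARD, so these rules say nothing about guest access to the AP's own LuCI or ssh.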

I'll give that a try. Thanks...
Going to flash the latest 18.06 snapshot first (they fixed wifi) as the wifi performance isn't so good with 17.01.4.

Hopefully I'll get it done this time, this AP thing is killing me :wink:

edit: btw, what about the firewall, does it have to stay enabled on the 860L?

The new rules seem to do the trick. Ty...
Got the firewall enabled and could receive an IP address with my guest wifi device...
Now I'll have to see if I understand you correctly with the wired VLANs..

For example, if I want to isolate LAN port 2, does the following screenshot/setup look ok?:
[screenshot: vlan_new]
eth0.4 is bridged to br-guest....

edit: must be wrong as I can still see my wired guest client connected at LAN port 2....

edit2: got it done: [screenshot: vlan_fixed]
That should be correct as I can't see my wired guest client with my wifi guest client and both still have internet access... WOW, finally :slight_smile:

Since the isolation thing finally works, I would only need to figure out how to block access from guest clients to the GUIs of both router interfaces (192.168.55.1 + 192.168.55.2).
But I guess that should be easily done via traffic rules and I will figure that out on my own.

And one more thing came to my mind.... It would be quite useful if I could revert my WAN into a LAN port, because then I would have an additional LAN port for another wired client, or I could use the WAN port for the connection between my main router and the AP.
Does anyone know if this would work with the DIR-860L on OpenWrt? :slight_smile:
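An added example for the traffic-rules idea in the post above (not the poster's configuration and not something from the thread): the guest zone on the main router, written as a uci batch so it is reproducible. It assumes the guest interface in /etc/config/network is named guest (the one behind br-guest), that the upstream zone is named wan, and that dnsmasq on the router serves DHCP and DNS to guest clients; the section names guest, guest_wan, guest_dhcp and guest_dns are hypothetical.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: firewall zone for the
# guest network on an OpenWrt router (the WRT3200ACM at 192.168.55.1).
# Assumptions: network interface "guest", upstream zone "wan", dnsmasq on the
# router. Section names guest, guest_wan, guest_dhcp, guest_dns are hypothetical.

# input=REJECT closes every service on the router itself (LuCI on 80/443, ssh
# on 22, ...) to guest clients except what the two rules below open: DHCP and
# DNS. forward=REJECT plus a single forwarding entry allows guest -> wan only,
# never guest -> lan.
guest_zone_batch() {
    cat <<'EOF'
set firewall.guest=zone
set firewall.guest.name=guest
set firewall.guest.network=guest
set firewall.guest.input=REJECT
set firewall.guest.output=ACCEPT
set firewall.guest.forward=REJECT
set firewall.guest_wan=forwarding
set firewall.guest_wan.src=guest
set firewall.guest_wan.dest=wan
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name=Allow-Guest-DHCP
set firewall.guest_dhcp.src=guest
set firewall.guest_dhcp.proto=udp
set firewall.guest_dhcp.src_port=67-68
set firewall.guest_dhcp.dest_port=67-68
set firewall.guest_dhcp.family=ipv4
set firewall.guest_dhcp.target=ACCEPT
set firewall.guest_dns=rule
set firewall.guest_dns.name=Allow-Guest-DNS
set firewall.guest_dns.src=guest
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port=53
set firewall.guest_dns.target=ACCEPT
commit firewall
EOF
}

# Review helpers: what the batch actually exposes to guest clients.
# A guest zone whose input policy is not REJECT or DROP leaves the router's
# web interface reachable from the guest network.
guest_input_policy() {
    guest_zone_batch | sed -n 's/^set firewall\.guest\.input=//p'
}

# Destination ports opened towards the router by the zone's allow rules.
guest_allowed_dest_ports() {
    guest_zone_batch | sed -n 's/^set firewall\.[a-z_]*\.dest_port=//p'
}

apply_guest_zone() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found, run this on the router" >&2; return 1; }
    guest_zone_batch | uci batch && /etc/init.d/firewall reload
}

# "sh guest_zone.sh apply" loads the batch; with no argument only the
# functions are defined.
if [ "${1:-}" = "apply" ]; then
    apply_guest_zone
fi
```

With input set to REJECT, the only services guest clients can reach on 192.168.55.1 are the two that are explicitly opened, so LuCI and ssh are unreachable from the guest network unless a further rule allows them. On the AP, which serves neither DHCP nor DNS to guests, the same zone without the two allow rules does the same for 192.168.55.2, but only while the AP's firewall service is enabled, which the dumb AP recipe switches off.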