How to prevent Guest Network clients from communicating with each other?

I've locked myself out of the router this morning, so I had to reset it anyway.
Now starting from scratch... hopefully I'll get it done, it's really driving me crazy! :wink:

Here's what I'd do:

  1. Set up the two radios with a single ESSID "myguest" (for example)
  2. Bridge the two radios into a single guest network so roaming works.
  3. Turn on isolation mode
  4. Use either the ebtables fix to prevent bridging between the two radios as highlighted in the linked articles above, or turn on the sysctls to allow firewalling in the bridge and adjust the firewall settings

This will give you the advantage of roaming working, but still isolated.


Thanks, I'll give that a try...

Do you mean a 2.4+5GHz guest AP with the same ESSID?
So instead of 5ghz-guest and 2.4-guest, just "guest-wlan" for both?

Sadly I don't find any guide to double check my config... I set everything up via LuCI.
I tried it with ebtables yesterday but it didn't work out for me.
Why does this have to be so complicated... :confused:

Yes, just do "guest-wlan", not separate SSIDs for each band. Devices are getting better about preferring 5GHz when it's available, because 5GHz offers significant performance improvements now; whereas under 802.11n it was mostly just "a different band", now it's got .ac stuff like 40MHz and 80MHz channel widths and MU-MIMO and so forth, and so device manufacturers are actually setting up their roaming to prefer it. My moto 5g phone and Kindle HD8 tablet, for example, always connect to 5GHz even when 2.4 is available with the same ESSID.

The ebtables rule will only work when the networks are bridged which is why it didn't work for you yesterday, since you didn't have them bridged.

So, my suggestion is: put the same ESSID (network name) on both bands, bridge the two wifi SSIDs into a single bridge, and then set up the ebtables rule. All of it is doable with LuCI, most of it in the GUI, and the ebtables rule in the user firewall script.


Ok, I thought that I already had them bridged before...
Does this look all right?
2.4 and 5GHz guest wlan have the same SSID now and roaming seems to work, thanks for the tip!

Yes that looks right.

Now make sure the wireless config has the "isolate" option checked, and add the command to the user firewall script:

ebtables -A FORWARD --logical-in br-guest -j DROP

or replace br-guest with whatever the name of the bridge is,

then reload your firewall.

Yes, both guest APs have the "isolate" option checked; I also double checked in my wireless config file.
Both config wifi-iface's have option isolate '1' set....
I'll try that ebtables rule now; to be honest I'm kinda scared that it won't work again.

Back up your config. If you get locked out again, you can reset and upload the config from before ebtables.

br-guest is correct with my setup...
I've put the ebtables rule into "Firewall" >> "Custom Rules" and rebooted to make sure it got loaded...
Same result, I can still ping my Android phone (2.4GHz) from my laptop (5GHz) :confused:

Anything wrong here?

Did you actually install ebtables?

Dammit... I'm such a silly billy... it's not even installed. :roll_eyes:
I thought it was already included in davidc's build.

Do I need ebtables + ebtables-utils or just the ebtables package?

edit: These are the available ebtables packages....

You need ebtables for sure, and kmod-ebtables. I'm not sure what ebtables-utils contains, but it's tiny, so get that too. Since you don't need any IP level filtering, you can avoid kmod-ebtables-ipv4 etc.

Once you install that and reboot, I bet it'll work.

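For reference, here is what the whole setup described in this thread (same SSID on both radios, one bridged guest network, client isolation, ebtables rule in the custom firewall script) looks like in the config files. This is an added example, not config from the thread or from the OpenWrt wiki; the radio names, the 192.168.3.x addressing and the PSK are placeholders to adapt, and "guest"/br-guest match the names used above.

```text
# /etc/config/network  (assumed addressing; adapt to your setup)
config interface 'guest'
        option type 'bridge'          # creates br-guest: both radios share one L2 segment
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

# /etc/config/wireless  -- one wifi-iface per radio, SAME ssid, both attached to 'guest'
config wifi-iface 'guest_2g'
        option device 'radio0'        # assumed radio name (2.4GHz)
        option mode 'ap'
        option ssid 'guest-wlan'
        option encryption 'psk2'
        option key 'CHANGE-ME'
        option network 'guest'
        option isolate '1'            # blocks client-to-client traffic within this radio only

config wifi-iface 'guest_5g'
        option device 'radio1'        # assumed radio name (5GHz)
        option mode 'ap'
        option ssid 'guest-wlan'
        option encryption 'psk2'
        option key 'CHANGE-ME'
        option network 'guest'
        option isolate '1'

# /etc/firewall.user  (LuCI: Network > Firewall > Custom Rules)
# Needs the packages: ebtables, kmod-ebtables, ebtables-utils.
# 'isolate' does not cover 2.4GHz <-> 5GHz. This drops any frame that enters on one
# br-guest port and would be forwarded out another port of the same bridge, which is
# exactly the cross-radio (or wifi <-> guest LAN port) traffic. Traffic to the router
# itself and to the WAN is routed, not bridged, so guests keep internet access.
ebtables -A FORWARD --logical-in br-guest -j DROP

# Check after '/etc/init.d/firewall restart': the rule must show up in
#   ebtables -L FORWARD
# If it does not, ebtables/kmod-ebtables is missing and the ping test between
# a 2.4GHz and a 5GHz client will still succeed.
```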

Wow, what a rollercoaster... Your bet was 100% correct, it actually works!!!
And such a shame that I didn't even have ebtables installed.
Now I need to reconfigure all my other stuff, but luckily it's not that much (Adblock, dnscrypt-proxy, sqm-qos, dyndns and a few port forwardings).

Big thanks to all, especially dlakelan for being so patient with me! <3
Hopefully this will help someone in the future...


Yeah, we should really get this into the guide to setting up guest networks on the wiki, at least to link to this thread and the other thread for those who want guests on multiple bands or the like.

Perhaps you can figure out where in the wiki this should go and put in a few links?


You are right, it should be noted somewhere...
And imho it's really essential to completely "isolate clients" in a guest network.

I've just tested a LAN client connected to the guest network and it's also working for my LAN clients. Awesome !

I think it depends on the use you're putting the guest network to. For example, if you want your guests to be able to come to your gaming festival and connect up and play LAN games together, it obviously won't work. But if you are assuming the guests are all independent people who have nothing to do with each other at a coffee shop, or a library, or bus station... then your assumption is probably safest.

What is the point of bridging when you disable it afterwards with ebtables?

Why not put each guest wifi (interface) in its own zone and set up forwarding/firewall rules accordingly?

Also, I think wifi client isolation will not prevent anyone on the same wifi network from sniffing traffic from each other?
If you want real isolation you need something like RADIUS with authentication per user?

The point of the bridging is you can roam between the two radios without losing your connections.

All the ebtables rule does is check to see if the packet came IN on any port in this bridge, and if it did, not let it be bridged to any other port on this bridge... That keeps two clients on the same bridge from talking to each other... but it doesn't keep your device from using either one of the bridge ports... In this case the ports are wlan radios, so a client can start, say, close to the AP, connected to high speed 5GHz, and as it moves farther away from the AP potentially switch over to 2.4GHz, which usually has longer range... and still stay connected with the same IP address and continue all of its ongoing TCP connections etc.

Are you sure that the connections don't get dropped?
Because the clients still have to reauthenticate when they switch over from 2.4GHz to 5GHz?

And if I'm correct, OP wants that regardless of guest-lan, guest2.4ghz or guest5ghz,
clients should not be able to talk to each other, so I think the bridge can be removed.
As already posted here, put all interfaces in the same zone and then disable forwarding in that zone.

For the communication between the clients on wifi, as already posted, client isolation can be used.
But for the guest-lan I don't know?

Well, I've roamed between access points in my home while having VoIP conversations. I suppose it's possible TCP connections drop, but UDP is OK. In general though, even if TCP resets occur, it's a lot more useful to roam between multiple APs on the same ESSID vs. just sticking to the one ESSID until you actually can't communicate anymore, then seeing if any other network you know how to connect to is available once you really do drop, connecting to that, doing DHCP for a new IP address, and then starting all over again. Connection droppage is certainly shorter with the bridge, as you don't need to do DHCP. This is particularly true when you have several APs in different physical locations: bridging them all into the same LAN with the same ESSID is the way to go, not "myhouse-frontroom" on 192.168.1.0/24 and "myhouse-backroom" on 192.168.2.0/24 and "myhouse-garage" on 192.168.3.0/24 and "myhouse-guest-frontroom" on 192.168.4.0/24 and "myhouse-guest-backroom" on 192.168.5.0/24 .... etc. It makes much more sense to do "myhouse" and "myhouse-guest". This is the point of the ESSID (extended service set ID): it identifies an extended service set, i.e. multiple APs that are on the same network.