How to prevent Guest Network clients from communicating with each other?

I've already enabled client isolation in the GUI and it's also present in my wifi config.
I've got a 5 GHz and a 2.4 GHz guest AP and both have this option ticked.

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid '5G-guest'
	option isolate '1'
	option encryption 'psk2+ccmp'
	option key ''
	option network 'guest'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid '2.4G-guest'
	option isolate '1'
	option encryption 'psk2+ccmp'
	option key ''
	option network 'guest'

So the problem must lie somewhere else...

Is it that clients on opposite bands can talk to each other but clients on the same band are isolated? If so you need to firewall and turn on the sysctls for bridge iptables.

And ensure that "hairpin" bridging is off. See, for example:


I can ping and see clients on the 5 GHz guest AP when connected to 2.4 GHz and vice versa.
It's really driving me crazy as I don't know where the problem lies...

But 5 can't ping 5 and 2.4 can't ping 2.4 right? This was covered in a recent thread on wifi isolation...


Nope, that works also... I've just tried it.
I was connected to my 5 GHz guest AP with a Win 10 laptop and could ping my Android phone connected to the 2.4 GHz guest AP.
Oh btw, I'm using a WRT3200ACM @ latest davidc build.

I feel like there should be an easy fix for this and I find it kind of essential to get something like this to work with OpenWrt.

That's not what I said; test a ping from the same band as the destination.

Sorry, misunderstanding.
I can't ping from a client connected to my 2.4 GHz guest AP to another client connected to the same 2.4 GHz guest AP.

Was that what you were asking for?

I guess each of your APs is an interface in the same firewall zone. I think you just need to disable forward between interfaces in the same zone. It is on the Firewall page: choose Drop instead of Accept.

UPDATE: it will be at the bottom where your guest firewall zone is displayed.


I think it's already like this...

edit: maybe ebtables could help here...?

ebtables -I FORWARD -i wlan0-1 -o wlan1-1 -j DROP
ebtables -I FORWARD -i wlan1-1 -o wlan0-1 -j DROP


Can your guests ping LAN IPs? I think they can because the Input rule on LAN is Accept.

The LAN interface within the guest zone is my VLAN link to my Tomato AP.
I can try to put a LAN client into my guest network (I have a guest VLAN because of the Tomato AP) and see if I can ping it from a wireless guest client...

Yes, that's the expected behavior; see the thread I linked above, it solves this exact problem.

Edit: Yes, an ebtables rule is easiest, see that thread.

I have a very similar setup with several APs and one wired port in the same guest zone and I only used AP isolation and disabled forward within the zone. Why does it work for me then without using ebtables? No one can ping anyone within the zone. And they cannot access LAN because the input rule for LAN is drop.

So I've just tested and yes, a guest-LAN client is able to ping a guest-wifi client and vice versa....

I would love to know that as well... Maybe my setup is wrong from the beginning.
I'll need to reconfigure everything tomorrow, because I've got no more energy today.
Are your LAN clients within the guest network also isolated?

Can I follow this tutorial for the basic setup?:

Choose drop for Input for LAN and guest and that will fix it.

I do not think so; you are almost there. Having said that, I have just tested my setup and clients connected to different APs in the same guest firewall zone can only see each other if Accept is chosen for the Forward rule. If I set it to Drop, they cannot see each other.

No, this is a very different problem and I only have a single wired client that deserves this kind of treatment. But it is isolated from all the WiFi clients.

I do not know. I used this one:

Here is my setup:


Line #1 is LAN and line #3 is the guest firewall zone.

This is another example where a LuCI app for guest wireless would really help a lot of users.


No argument there!

I have just run one more test between a client connected to a 5 GHz AP and one connected to a 2.4 GHz one: they can only ping each other if Forward is set to Accept. So at this time I am not sure why ebtables is needed here.
Not sure if that makes a difference, but all my APs have unique names and I set up each one with an interface name under Advanced Settings, but these should not matter.
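As an added example (not code from this thread or from OpenWrt), a small sh/awk audit of a UCI firewall config that reports a zone whose Input or Forward policy is still Accept, the setting the posts above identify as what lets guest clients on different APs reach each other. The sample config is constructed here, and `audit_zone` and the temp file names are assumptions of this example.

```shell
# Added example (not from the thread): audit a UCI firewall config for a zone whose own
# interfaces can still reach each other. Quotes are stripped so awk compares bare values.
# audit_zone FILE ZONE
#   exit 0 when ZONE has both input and forward set to DROP or REJECT;
#   exit 1 and print the offending options otherwise; exit 2 if ZONE is not defined.
#   An unset policy is flagged as well, so the intended policy is stated explicitly.
audit_zone() {
    tr -d "'\"" < "$1" | awk -v zone="$2" '
        function flush(  bad) {
            if (type != "zone" || name != zone) return
            found = 1
            if (input != "DROP" && input != "REJECT")
                bad = bad " input=" (input == "" ? "unset" : input)
            if (forward != "DROP" && forward != "REJECT")
                bad = bad " forward=" (forward == "" ? "unset" : forward)
            if (bad != "") { print "zone " zone ":" bad; rc = 1 }
        }
        $1 == "config"                    { flush(); type = $2; name = input = forward = "" }
        $1 == "option" && $2 == "name"    { name = $3 }
        $1 == "option" && $2 == "input"   { input = $3 }
        $1 == "option" && $2 == "forward" { forward = $3 }
        END {
            flush()
            if (!found) { print "zone " zone " not defined"; exit 2 }
            exit rc
        }
    '
}

# Constructed sample of /etc/config/firewall: a guest zone that still Accepts Forward,
# i.e. the state in which guest clients on different APs can ping each other.
SAMPLE_FW=$(mktemp)
cat > "$SAMPLE_FW" <<'EOF'
config zone
	option name 'guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'
EOF

# The same file after choosing Drop for Input and Forward (in LuCI, or via uci set + uci commit).
FIXED_FW=$(mktemp)
sed 's/ACCEPT/DROP/' "$SAMPLE_FW" > "$FIXED_FW"

audit_zone "$SAMPLE_FW" guest || echo "(set Input and Forward of the guest zone to Drop)"
audit_zone "$FIXED_FW" guest && echo "guest zone ok"
```

Run it against the real file with `audit_zone /etc/config/firewall guest` on the router; a non-zero exit means the zone still forwards between its own interfaces or accepts input from them.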