How to prevent Guest Network clients to communicate with each other?

This is another example where a luci app for guest wireless would really help a lot of users.


No argument there!

I have just run one more test between a client connected to a 5GHz AP and one connected to a 2.4GHz one: they can only ping each other if Forward is set to accept. So at this time I am not sure why ebtables is needed here.
Not sure if that makes a difference, but all my APs have unique names and I set up each one with an interface name under Advanced Settings, but these should not matter.

Firewall only affects bridged traffic if you force the bridge to call the firewall using a sysctl. I guess you must have that sysctl turned on.

https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

Only my LAN is bridged. From https://wiki.openwrt.org/doc/uci/firewall (the last statement about FORWARD)

Zones

A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects. Masquerading (NAT) of outgoing traffic is controlled on a per-zone basis. Note that masquerading is defined on the outgoing interface.

INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.
OUTPUT rules for a zone describe what happens to traffic originating from the router itself going through an interface in that zone.
FORWARD rules for a zone describe what happens to traffic passing between different interfaces in that zone.

That page does not mention anything about using sysctl and I have not done that.

The default in the kernel is for those sysctls to be on. I have seen on my OpenWRT install the following in sysctl.conf:

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

So it turns off those sysctls. If you don't have that in your /etc/sysctl.conf, or you set them to 1, then the firewall code will be called on your bridges.

If your 2.4 and 5ghz wifis are not bridged together, then are they in separate firewall zones? If they're in the same firewall zone but different networks, then it goes through normal routing, and you can turn off forward within your firewall zone, and it will also shut down the forwarding. If in different firewall zones you just disable forwarding between the zones.

Normally all the networks with same ESSID are bridged together, so that if you roam from AP to AP you can use the same IP address and don't lose all your ongoing TCP connections. That's why I assumed bridged.

This explains it then. My APs are not bridged, they are in different networks, and are in the same firewall zone. That is why it is working, thanks for the clarification.

This moved those from sysctl to a kernel module: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=445682c07d0669984f2cc8acb1fba5e1a5e3bc27

I guess I will see this issue when I put a bridge into a firewall zone...

UPDATE: No, I will not. Those settings are in /etc/sysctl.d/11-br-netfilter.conf and I do not have it installed, so it should all work with bridges as well. Why is the OP having issues then? Unless netfilter is installed...

I've locked myself out of the router this morning, so I had to reset it anyway.
Now starting from scratch... hopefully I'll get it done, it's really driving me crazy! :wink:

Here's what I'd do:

  1. Set up the two radios with a single ESSID "myguest" (for example)
  2. Bridge the two radios into a single guest network so roaming works.
  3. Turn on isolation mode
  4. Use either the ebtables fix to prevent bridging between the two radios as highlighted in the linked articles above, or turn on the sysctls to allow firewalling in the bridge and adjust the firewall settings

This will give you the advantage of roaming working, but still isolated.


Thanks, I'll give that a try...

Do you mean a 2.4+5GHz guest AP with the same ESSID?
So instead of 5ghz-guest and 2.4-guest, just "guest-wlan" for both?

Sadly I don't find any guide to double check my config... I set everything up via LuCI.
I've tried it with ebtables yesterday but it didn't work out for me.
Why does this have to be so complicated... :confused:

Yes, just do "guest-wlan", not separate SSIDs for each band. Devices are getting better about preferring 5ghz when it's available, because 5ghz offers significant performance improvements now. Under 802.11n it was mostly just "a different band"; now it's got .ac stuff like 40mhz and 80mhz channel widths and MU-MIMO and so forth, so device manufacturers are actually setting up their roaming to prefer it. My moto 5g phone and Kindle HD8 tablet, for example, always connect to 5ghz even when 2.4 is available with the same ESSID.

The ebtables rule will only work when the networks are bridged which is why it didn't work for you yesterday, since you didn't have them bridged.

So, my suggestion is: put the same ESSID (network name) on both bands, bridge the two wifi SSIDs into a single bridge, and then set up the ebtables rule. All of it is doable via LuCI, most of it in the GUI, and the ebtables rule in the user firewall script.


[screenshot: guest_bridge]

Ok, I thought that I already had them bridged before...
Does this look all right?
2.4 and 5 ghz guest wlan got the same SSID now and roaming seems to work, thanks for the tip!

Yes that looks right.

Now make sure the wireless config has the "isolate" option checked, and add the command to the user firewall script:

ebtables -A FORWARD --logical-in br-guest -j DROP

or replace br-guest with whatever the name of the bridge is,

then reload your firewall.
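The four steps listed earlier (same ESSID on both radios, one bridged guest network, isolate on, ebtables rule in the user firewall script) expressed as UCI settings, as an added example that is not from the thread. Assumed names: radios radio0 and radio1, interface "guest" (so the bridge is br-guest), firewall zones "guest" and "wan", and a constructed 192.168.3.0/24 subnet; DHCP/DNS input rules for the guest zone are left out.

```sh
#!/bin/sh
# Added example: UCI batch for a bridged, isolated guest WLAN on OpenWrt.
# Assumed names: radio0/radio1, interface "guest" -> bridge br-guest,
# zones "guest" and "wan", subnet 192.168.3.0/24 (all constructed).
guest_uci_batch() {
  cat <<'EOF'
set network.guest=interface
set network.guest.type='bridge'
set network.guest.proto='static'
set network.guest.ipaddr='192.168.3.1'
set network.guest.netmask='255.255.255.0'
set wireless.guest_2g=wifi-iface
set wireless.guest_2g.device='radio0'
set wireless.guest_2g.mode='ap'
set wireless.guest_2g.network='guest'
set wireless.guest_2g.ssid='guest-wlan'
set wireless.guest_2g.isolate='1'
set wireless.guest_5g=wifi-iface
set wireless.guest_5g.device='radio1'
set wireless.guest_5g.mode='ap'
set wireless.guest_5g.network='guest'
set wireless.guest_5g.ssid='guest-wlan'
set wireless.guest_5g.isolate='1'
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_wan=forwarding
set firewall.guest_wan.src='guest'
set firewall.guest_wan.dest='wan'
commit
EOF
}
# "isolate" only separates clients of the same radio. Frames between a
# 2.4 GHz and a 5 GHz client are switched inside br-guest and never reach
# iptables unless br_netfilter is loaded, so drop them in ebtables instead.
EBTABLES_RULE="ebtables -A FORWARD --logical-in br-guest -j DROP"
apply_guest_config() {
  guest_uci_batch | uci batch || return 1
  # Append the rule once to the user firewall script, then reload.
  grep -qF "$EBTABLES_RULE" /etc/firewall.user 2>/dev/null \
    || echo "$EBTABLES_RULE" >> /etc/firewall.user
  /etc/init.d/network reload && /etc/init.d/firewall reload
}
# Only apply on the router itself; elsewhere the functions are just defined.
if [ -x /sbin/uci ]; then apply_guest_config; fi
```

The ebtables rule needs the ebtables and kmod-ebtables packages installed; the alternative is to enable the bridge-nf-call sysctls and let the guest zone's forward=REJECT do the job.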

Yes, both guest APs got the "isolate" option checked, I also double checked in my wireless config file.
Both config wifi-ifaces got option isolate '1' set....
I'll try that ebtables rule now, to be honest I'm kinda scared that it won't work again.

Backup your config. If you get locked out again, you can reset and upload the config from before ebtables.

br-guest is correct with my setup...
I've put the ebtables rule into "Firewall" >> "custom rules" and rebooted to make sure it got loaded...
Same result, I can still ping my Android phone (2.4ghz) from my laptop (5ghz) :confused:

[screenshot: firewall1]
Anything wrong here?

Did you actually install ebtables?

Dammit... I'm such a silly billy... it's not even installed. :roll_eyes:
I thought it was already included in davidc's build.

Do I need ebtables + ebtables-utils or just the ebtables package?

edit: These are the available ebtables packages....
[screenshot: ebt]

You need ebtables for sure, and kmod-ebtables. I'm not sure what ebtables-utils contains, but it's tiny, so get that too. Since you don't need any IP-level filtering, you can avoid kmod-ebtables-ipv4 etc.

Once you install that, reboot. I bet it'll work.
