Isolate clients on wifi

Given the following setup:

  • 1 OpenWrt router emitting wifi. No ethernet cable plugged in.
  • 2 clients, A and B, not trusting each other

How can I achieve client isolation, in a way that a very advanced malware on a client could not contaminate the other?

I can see 2 options:

  1. Create one SSID, and add option isolate to its config
  2. Create 2 SSIDs, one for each client

What are the pros and cons of each? How does option 1 work technically?

See Client isolation

2 Likes

Thank you for that link. I had seen it, but it mainly deals with the issue of ethernet. So the discussion evolves a lot around VLANs. In my case it is not appropriate, since my scenario only has wifi. This thread also does not help me understand how option isolate actually works.

The Wi-Fi interface documentation should lead you here:

1 Like

I do understand that client isolation works in a network where OpenWrt is the gateway, so for example within the guest wifi of an OpenWrt AP.

But would this isolate also work within the lan wifi of an OpenWrt access point? I very much doubt that, as I would expect that there the clients can still ping each other. I will try it out in the next days...

Hmm, I do not see the difference between a guest wifi and a lan. To me they are just different network, but they could be configured exactly the same way. So I would not expect what you describe.

Isolation works in any wifi. The strange thing is that this is a per-wifi setting. So you can for example isolate clients in your 2.4 GHz wifi but not in your 5 GHz wifi. If they belong to the same network, funny effects happen based on whether both clients are connected to the 2.4 GHz or 5 GHz wifi or mixed...

But yes, it works in the same wifi and both clients still can connect to other members in lan but not to each other, whereas other lan members can see both clients.

1 Like

You likely need to enable bridge firewall and restrict forwarding to isolate clients on different bands:

This should also apply to the LAN-WLAN traffic filtering which is relevant for APs.

2 Likes

Yes, because only clients within the same wifi are isolated. So even if you have 2 different SSIDs on the same band in the same network, their clients cannot be isolated against the other SSID.

So this isolate setting really only works within the same band and same SSID.

1 Like
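The posts above make a point that is easy to miss when reading a config file: `option isolate` applies to one wifi-iface only, so two wifi-ifaces bridged into the same network (for instance the 2.4 GHz and 5 GHz instances of one SSID) are not isolated from each other, and the bridge firewall mentioned earlier would still be needed between them. The following is an added example, not code from this thread or from OpenWrt, that parses a constructed /etc/config/wireless and reports both gaps: AP interfaces without `isolate '1'`, and networks served by more than one AP interface. The config text, the section names (radio0, lan_2g, guest_2g and so on) and the key placeholders are constructed; the check assumes the standard UCI option names `device`, `mode`, `network`, `ssid` and `isolate` on wifi-iface sections and `band` on wifi-device sections.

```python
"""Audit an OpenWrt /etc/config/wireless for client-isolation gaps."""
import shlex
from collections import defaultdict

# Constructed sample config (not from a real router); keys are placeholders.
SAMPLE_WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option band '2g'

config wifi-device 'radio1'
    option type 'mac80211'
    option band '5g'

config wifi-iface 'lan_2g'
    option device 'radio0'
    option mode 'ap'
    option network 'lan'
    option ssid 'home'
    option encryption 'sae'
    option key 'REPLACE_ME'
    option isolate '1'

config wifi-iface 'lan_5g'
    option device 'radio1'
    option mode 'ap'
    option network 'lan'
    option ssid 'home'
    option encryption 'sae'
    option key 'REPLACE_ME'

config wifi-iface 'guest_2g'
    option device 'radio0'
    option mode 'ap'
    option network 'guest'
    option ssid 'guest'
    option encryption 'sae'
    option key 'REPLACE_ME'
    option isolate '1'
"""


def parse_uci(text):
    """Minimal parser for UCI 'config' / 'option' / 'list' lines.

    Returns a list of sections, each {'type', 'name', 'options'}.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted UCI values
        keyword = parts[0]
        if keyword == "config":
            current = {
                "type": parts[1],
                "name": parts[2] if len(parts) > 2 else None,
                "options": {},
            }
            sections.append(current)
        elif keyword == "option" and current is not None:
            current["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif keyword == "list" and current is not None:
            value = parts[2] if len(parts) > 2 else ""
            current["options"].setdefault(parts[1], []).append(value)
    return sections


def audit_isolation(sections):
    """Return (network, finding, [iface names]) tuples.

    'no-isolate'  : an AP interface whose clients can reach each other.
    'cross-iface' : a network with several AP interfaces; isolate does not
                    cover traffic between them, so bridge-level filtering
                    is still needed.
    """
    devices = {s["name"]: s["options"] for s in sections if s["type"] == "wifi-device"}
    by_network = defaultdict(list)
    for s in sections:
        opts = s["options"]
        if s["type"] != "wifi-iface" or opts.get("mode", "ap") != "ap":
            continue
        band = devices.get(opts.get("device"), {}).get("band", "?")
        by_network[opts.get("network", "?")].append({
            "name": s["name"],
            "band": band,
            "ssid": opts.get("ssid"),
            "isolate": opts.get("isolate") == "1",
        })

    findings = []
    for network, ifaces in sorted(by_network.items()):
        for iface in ifaces:
            if not iface["isolate"]:
                findings.append((network, "no-isolate", [iface["name"]]))
        if len(ifaces) > 1:
            findings.append((network, "cross-iface", [i["name"] for i in ifaces]))
    return findings


if __name__ == "__main__":
    for network, finding, names in audit_isolation(parse_uci(SAMPLE_WIRELESS)):
        print(f"{network}: {finding}: {', '.join(names)}")
```

On a router you would feed it the real file (`python3 audit.py < /etc/config/wireless` after swapping the constant for `sys.stdin.read()`). For the sample above it reports that `lan_5g` has no isolate, and that `lan_2g` and `lan_5g` share the lan bridge, which is exactly the mixed-band situation described in the thread.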

Considering only the Wireless aspect of a network, is there any security advantage of creating a separate SSID for guest, rather than simply setting option isolate to my lan?

I am not aware of any. Given that I am ok using the same dns resolver for guest and lan (I don't see much value in differentiating), I am tempted to simply use option isolate, and share my lan's wifi key with my guest. Does that reduce the security?

What does the guest network do:

  • protect all stations in the lan network from guest access
  • protect the access point and or router from guest access
  • separate guest login from lan login (different network keys)

What you will lose by only using isolate is:

  • protecting lan devices connected by cable
  • protecting the access point / router
  • protecting login information (wifi network key)

1 Like

The isolate option entirely disables client-to-client traffic over the Wi-Fi interface.
While using a separate SSID, you can still utilize client-to-client connectivity on the same SSID and manage SSID-to-SSID traffic with a firewall.
However, an extra SSID requires support by the driver and may negatively affect the bandwidth.

1 Like

Say someone has the key for an SSID that has option isolate enabled, can they easily eavesdrop on the traffic?

1 Like

Apparently you can still capture the isolated Wi-Fi traffic using the monitor mode:
https://osqa-ask.wireshark.org/questions/20177/can-wireshark-get-around-ap-isolation/
Protecting against this threat requires EAP, which is a feature of WPA Enterprise.

3 Likes

They discuss 2 different approaches how client isolation could be or is implemented, and how it could be possible to overcome that.
I do not know what is correct here and whether the broadcast MAC trick would work...

2 Likes

Ah right. That makes sense. Thanks for the link.

@Stefan1 Thanks for the link as well. I do not know which implementation OpenWrt uses...

2 Likes