Thank you for that link. I had seen it, but it mainly deals with the issue of ethernet. So the discussion evolves a lot around VLANs. In my case it is not appropriate, since my scenario only has wifi. This thread also does not help me understand how option isolate actually works.
I do understand, that client isolation works in a network where openwrt is the gateway, so for example within the guest wifi of an openwrt ap.
But would this isolate also work within the lan wifi of an openwrt access point ? I very much doubt that, as I would expect that there the clients can still ping each other. I will try it out in the next days...
Hmm, I do not see the difference between a guest wifi and a lan. To me they are just different network, but they could be configured exactly the same way. So I would not expect what you describe.
Isolation works in any wifi. The strange thing is, that this is a per wifi setting. So you can for example isolate clients in your 2.4ghz wifi but not in your 5ghz wifi. If they belong to the same network, funny effects happen based on whether both clients are connected to 2.4ghz or 5ghz wifi or mixed... .
But yes, it works in the same wifi and both clients still can connect to other members in lan but not to each other, whereas other lan members can see both clients.
yes, because only clients within the same wifi are isolated. So even if you have 2 different ssids on the same band in the same network, their clients cannot be isolated against the other ssid.
So this isolate setting really only works within same band and same ssid.
Considering only the Wireless aspect of a network, is there any security advantage of creating a separate SSID for guest, rather than simply setting option isolate to my lan?
I am not aware of any. Given that I am ok using the same dns resolver for guest and lan (I don't see much value in differentiating), I am tempted to simply use option isolate, and share my lan's wifi key with my guest. Does that reduce the security?
The isolate option entirely disables client-to-client traffic over the Wi-FI interface.
While using a separate SSID, you can still utilize client-to-client connectivity on the same SSID and manage SSID-to-SSID traffic with a firewall.
However, an extra SSID requires support by the driver and may negatively affect the bandwidth.
They discuss 2 different approaches how client isolation could be or is implemented, and how it could be possible to overcome that.
I do not know what is correct here and whether the broadcast mac trick would work...