I have a TP-Link TL-WDR3600 running 18.06.1 I have enabled Wifi "Isolate Clients", but after rebooting the router I can still ssh to a wifi connected server from my wifi connected laptop
To be extra safe, I have only one wifi radio with that SSID.
Is there a problem with this functionality, or is there something else I need to enable?
Working on 18.06.1 using a Meraki MX60W.
Process I performed:
- Enabled an SSID
- Added 2 laptops
- Pinged laptop b with laptop a
- Enabled "Isolate Clients"
- Cannot ping anymore
Please confirm you're not doing anything odd, like routing two subnets on the same SSID/VLAN.
Ensure that the lan zone firewall forward policy is also set to reject/drop
uci set wireless.default_radio0.isolate='1'
uci commit wireless
Works for me, D-Link DIR-620 D1.
Router to client ping OK, client to client - FAIL.
$ uci get firewall.@zone.forward
Notice that "isolate clients" only prevents communication between two clients on the same radio. If you bridge two radios on the router, clients from one radio will reach clients from the other one (unless you disable that).
I noticed that too. So in this case I have the ssid set up only on one radio (no 5Ghz)
Your first message made me think that, even if you had considered this factor, perhapsd different SSIDs. I see this is not the case.
I have tried resetting to default settings, and then creating the one test network (on a single band). I still can not get "isolate clients" to work
I tried it again, steps as outlined below, and still does not work.
- Reset router to default settings in luci.
- Edited the existing disabled 2GHz Openwrt network to change the ssid, give it a password, and enable it
- Check that wifi is only enabled on 2GHz
- Connect my laptop to the new wifi network
- Connect my server to the new wifi network
- Checked that I could connect from my laptop to the server by wifi (Works!)
- Enabled Wifi "Isolate Clients", as pictured in my first post on this thread.
- Confirmed that I can still connect (new connection) from my laptop to the server by wifi
- Restarted the router to ensure everything no runtime tracking is avoiding the block
- Confirm that I can still connect to the server from my laptop
Is there a command line way to have the device driver show whether isolation is active?
I have created a bug tracker report for this.
I am happy to try any additional testing that anyone can recommend
In your bug report, you say "isolate clients not working on several routers." Only you are reporting an issue with a TP Link WR841n v13 device.
- Can you list the other reports of people having this issue? (if they're all MT7628N chips, we may be able to identify the hardware the issue arises in)
- and/or add a link to this thread on the bug report
Also, in your report, you say only 2.4 GHz was on. Your device only appears to have 2.4 WiFi.
To be clear, this means you only:
- Used default settings
- Enabled the OpenWrt SSID on LAN
- Connected your 2 test devices
- Enabled Isolate
- YOU PERFORMED NO OTHER STEPS
At this point, I don't see anything to act upon in a bug report.
You also says it works on a C7 v2...that's totally different hardware.
The formatting of the bug report is strange.
wireless.isolate NOT working: TP Link WR841n v13
Version: OpenWrt SNAPSHOT, r9278-39273b8 (from roughly Feb 8)
wireless.isolate NOT working: TP Link TL-WDR3600 v1
Version: OpenWrt 18.06.02
This router has TWO radios; I used just 2.4GHz to ensure both clients were on same radio
Isolate DOES work on a TP Link C7 v2.
Version: OpenWrt 18.06.02
The bug report includes as the last step:
SSh from one device to the other =⇒ (This step incorrectly works!)
Hi, do you know how to isolate clients between different radio?
Yes, problema is that both radios are bridged together, so any client on one radio can contact any client on the other radio. You need to install "ebtables" to fix this, and execute this command (for example at "/etc/firewall.user"):
ebtables -A FORWARD --logical-in br-lan -j DROP
Thank eduperez so much, I have tried your command and I can see the forwarded packets were blocked between SSID client, but cannot block packets between ETH client. Do you have any ideal to isolate all kind of interface in bridge?
Traffic between two ethernet clients happens in the switch, it does not even reach the CPU. You need to isolate the ethernet ports using VLANs, then bridge them together.
If your goal is to isolate, then I would actually suggest you do everything but not those last four words. You can then create a separate interface for each ethernet port, and then block FORWARDING between the interfaces.