I have a TP-Link TL-WDR3600 running 18.06.1. I have enabled Wifi "Isolate Clients", but after rebooting the router I can still ssh to a wifi-connected server from my wifi-connected laptop.
To be extra safe, I have only one wifi radio with that SSID.
Is there a problem with this functionality, or is there something else I need to enable?
Notice that "isolate clients" only prevents communication between two clients on the same radio. If you bridge two radios on the router, clients from one radio will reach clients from the other one (unless you disable that).
In your bug report, you say "isolate clients not working on several routers." Only you are reporting an issue with a TP Link WR841n v13 device.
Can you list the other reports of people having this issue? (if they're all MT7628N chips, we may be able to identify the hardware the issue arises in)
and/or add a link to this thread on the bug report
Also, in your report, you say only 2.4 GHz was on. Your device only appears to have 2.4 WiFi.
To be clear, this means you only:
Used default settings
Enabled the OpenWrt SSID on LAN
Connected your 2 test devices
Enabled Isolate
YOU PERFORMED NO OTHER STEPS
At this point, I don't see anything to act upon in a bug report.
You also say it works on a C7 v2... that's totally different hardware.
wireless.isolate NOT working: TP Link WR841n v13
Version: OpenWrt SNAPSHOT, r9278-39273b8 (from roughly Feb 8)
wireless.isolate NOT working: TP Link TL-WDR3600 v1
Version: OpenWrt 18.06.02
This router has TWO radios; I used just 2.4GHz to ensure both clients were on same radio
Isolate DOES work on a TP Link C7 v2.
Version: OpenWrt 18.06.02
The bug report includes as the last step: SSH from one device to the other ==> (This step incorrectly works!)
Yes, the problem is that both radios are bridged together, so any client on one radio can contact any client on the other radio. You need to install "ebtables" to fix this, and execute this command (for example at "/etc/firewall.user"):
Thanks so much, eduperez. I have tried your command and I can see the forwarded packets were blocked between SSID clients, but I cannot block packets between ETH clients. Do you have any idea how to isolate all kinds of interfaces in the bridge?
Traffic between two ethernet clients happens in the switch, it does not even reach the CPU. You need to isolate the ethernet ports using VLANs, then bridge them together.
If your goal is to isolate, then I would actually suggest you do everything but not those last four words. You can then create a separate interface for each ethernet port, and then block FORWARDING between the interfaces.
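The point made earlier in the thread, that "isolate" covers only clients on the same radio and that radios bridged into one network can still reach each other, can be checked from the wireless configuration itself. The script below is an added example, not code from any poster or from OpenWrt: the function names, the finding labels and the sample `uci show wireless` text are constructed for illustration, and it assumes each wifi-iface lists a single network.

```shell
#!/bin/sh
# Added example: audit `uci show wireless` text (stdin) for client isolation gaps.
# On a router: uci show wireless | audit_wifi_isolation

audit_wifi_isolation() {
    awk -F= '
    # Section declaration line: remember each wifi-iface in file order
    $2 == "wifi-iface" { split($1, p, "."); order[++n] = p[2]; next }
    # Option line of the form wireless.SECTION.OPTION=VALUE
    split($1, p, ".") == 3 {
        val = $2
        gsub("\047", "", val)      # strip the single quotes uci adds
        opt[p[2], p[3]] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (opt[s, "mode"] != "ap" || opt[s, "disabled"] == "1") continue
            if (opt[s, "isolate"] != "1") print "NO_ISOLATE " s
            net = opt[s, "network"]
            if (!(net in members)) nets[++m] = net
            members[net] = members[net] " " s
            count[net]++
        }
        # Several APs on one network: traffic between them crosses the
        # bridge, which the per-AP isolate option does not filter
        for (j = 1; j <= m; j++)
            if (count[nets[j]] > 1)
                print "SHARED_BRIDGE " nets[j] ":" members[nets[j]]
    }'
}

# Constructed sample input, not taken from any device in the thread
sample_uci() {
cat <<'EOF'
wireless.radio0=wifi-device
wireless.default_radio0=wifi-iface
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.isolate='1'
wireless.default_radio1=wifi-iface
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.isolate='1'
wireless.guest=wifi-iface
wireless.guest.network='guest'
wireless.guest.mode='ap'
EOF
}

sample_uci | audit_wifi_isolation
```

A `SHARED_BRIDGE` finding means both access points have isolate set yet still share one bridge, which is the case the thread says needs bridge-level filtering; Ethernet ports are outside what this check sees.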