I have been experimenting with guest wifi isolation, and am wondering what the best way to properly separate all SSIDs on a single router would be. My XR500 running 22.03.0-rc6 is currently set up as follows: one 5 GHz SSID (wlan0, no client isolation), and two 2.4 GHz SSIDs on the same radio. The first of the 2.4 GHz ones (wlan1) is for general access and does not use client isolation. The second 2.4 GHz SSID (wlan1-1) is used as a guest network, set up with client isolation using this guide.
Devices in this guest SSID cannot ping each other, which is what I want. But if a device on wlan0 pings wlan1, they are able to communicate, and vice versa. I'd like to completely isolate SSIDs (including isolating the two 2.4 GHz SSIDs from each other) so that devices in wlan0 cannot interact with or monitor devices in wlan1, wlan1-1, or any new SSIDs that I may make. What would be the best way of going about this?
I imagine this problem would involve a fairly simple firewall zone/rule, but I am still new to OpenWRT and am not certain of what it would be.
I understand how to make different interfaces and firewall zones, but I'm not sure about controlling flows with the firewall. Would it be possible for you to point me to an example of these sorts of rules that would be applicable to this situation?
Create two new identical interfaces (one for 2.4g, one for 5g) in the same way as in the guest network guide (DHCP server enabled, static address, etc). I've named them 2g_iso_interfce and 5g_iso_interfce.
In the network->wireless tab->edit wireless, change only the network for both wlan0 and wlan1 from lan to their respective interfaces. The image below is wlan1 (2.4g network):
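For the firewall side of the above steps, here is an added example configuration (not the poster's own config) that gives each SSID interface its own zone which may only forward to wan, so wlan0, wlan1 and wlan1-1 clients cannot reach each other or the router's services beyond DHCP and DNS. Interface names are the ones used in this thread (2g_iso_interfce, 5g_iso_interfce); the zone names 2gIso and 5gIso and the rule names are assumed.

```uci
# Added example, not from the thread. One zone per SSID interface.
# Each zone must name its interface with "list network"; a zone with
# no network entry is not bound to that SSID's device.

config zone
	option name '5gIso'
	list network '5g_iso_interfce'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wan is the only permitted destination; there is deliberately no
# forwarding to lan, Guestzone or 2gIso.
config forwarding
	option src '5gIso'
	option dest 'wan'

# Let clients obtain a lease and resolve names from the router itself.
config rule
	option name '5gIso-DHCP-DNS'
	option src '5gIso'
	list proto 'udp'
	list proto 'tcp'
	option dest_port '53 67'
	option target 'ACCEPT'

config zone
	option name '2gIso'
	list network '2g_iso_interfce'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src '2gIso'
	option dest 'wan'

config rule
	option name '2gIso-DHCP-DNS'
	option src '2gIso'
	list proto 'udp'
	list proto 'tcp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

After `service firewall restart`, `nft list chain inet fw4 forward` should show a jump to each zone's forward chain matched on that zone's wireless device; client-to-client traffic inside one SSID is still governed by the wireless isolate option from the guest guide, not by these zones.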
Please let me know if I should make a new thread for this, but I'm experiencing some incredibly strange behavior.
After I run through the steps from above, the interface separation works correctly until the router is restarted. The settings were saved through LuCI at each point. After the restart, all zones start to be able to ping each other. The firewall zone rule that stops the original guest network (wlan1-1) from interacting with the router also ceases to work, and I can access LuCI and SSH. To experiment, I reset everything from above back to when I only had the original guest network. I found that even adding one new zone and restarting the router made the "input: reject" zone rule for 'Guestzone' stop working.
This is the firewall config, with the last two entries about '5gIso' being the ones that make the reject rule stop working. If they are not present, the reject functionality works as expected:
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option name 'Guestzone'
	list network 'GUEST'

config forwarding
	option src 'Guestzone'
	option dest 'wan'

config rule
	option enabled '0'

config rule
	option name 'Guest DHCP and DNS'
	option src 'Guestzone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'Guestzone'
	option dest_port '67 68'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Guest DNS'
	option src 'Guestzone'
	option dest_port '53'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Guest-Block-All'
	option src 'Guestzone'
	option target 'REJECT'

config zone
	option name '5gIso'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src '5gIso'
	option dest 'wan'
Could this new '5gIso' zone be overwriting 'Guestzone' somehow?
The only logical explanation I can see is that the packet is classified as forward from wlan1-1:

	iifname "wlan1-1" jump forward_Guestzone comment "!fw4: Handle Guestzone IPv4/IPv6 forward traffic"

Then this forward_Guestzone has 2 jumps:

	jump accept_to_wan comment "!fw4: Accept Guestzone to wan forwarding"
	jump reject_to_Guestzone

Since the packet is not going to wan, it goes to reject_to_Guestzone, which only blocks the packets going out of wlan1-1, not br-lan.

So from chain forward it will jump handle_reject, which basically blocks only TCP:

	meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"

Can you verify that only TCP doesn't work, but ICMP or UDP does work?