Port Isolation on the same VLAN with Hotspot captive portal setup and Openwrt, Possible?

Hi, I don't know if I will be able to explain this, but I hope I'll be able to. So my setup is using a Raspberry Pi 4B with a hotspot captive portal that provides DHCP of 10.0.0.0/20 and uses tagged VLAN 22. I am also using a Newifi-D2 router with OpenWrt installed, which manages the connection of the Raspberry Pi 4 through VLAN 15 and also to my 2 access points that are connected to LAN2 and LAN3 of OpenWrt.

My question is, can port isolation be possible between LAN2 and LAN3, so that both of them are isolated from each other even though they are part of VLAN 22? I don't want to expose the clients' MAC addresses, to at least prevent MAC spoofing. Wi-Fi isolation is enabled on both APs and it's working, but the problem is that devices on the first AP can see the devices on the second AP and vice versa. So is port isolation possible with this setup without letting them use different VLANs?

Here's an attached pic of my wanted setup:

My current configuration, in which I use vlan22 on the first AP and vlan33, which supplies 30.0.0.0/20, for the 2nd (extended) AP:

/etc/config/network:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option multicast '0'
	option igmp_snooping '1'

config interface 'lan'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'force'
	option reqprefix 'auto'

config bridge-vlan
	option device 'br-lan'
	option vlan '15'
	list ports 'lan1:u*'

config interface 'vendo'
	option proto 'static'
	option device 'br-lan.15'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '22'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '33'
	list ports 'lan1:t'
	list ports 'lan3:u*'

config interface 'vlan33'
	option proto 'static'
	option device 'br-lan.33'
	option ipaddr '30.0.0.2'
	option netmask '255.255.240.0'

config interface 'vlan22'
	option proto 'static'
	option device 'br-lan.22'
	option ipaddr '10.0.0.2'
	option netmask '255.255.240.0'
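Since the question is whether lan2 and lan3 can stay in one VLAN without their clients seeing each other's MAC addresses, here is an added example (not from this thread or from OpenWrt itself) in Python that parses the bridge-vlan sections of an /etc/config/network file and reports every pair of untagged access ports that share a VLAN, and therefore a broadcast domain, unless both ports are marked as isolated bridge ports. It assumes the DSA port syntax shown in the post ('lan2:u*' = untagged with PVID, 'lan1:t' = tagged) and netifd's per-port 'option isolate' bridge-port setting, under which two isolated ports cannot forward to each other while each can still reach a non-isolated port such as the trunk to the Pi; the three sample configs are constructed from the layout described in the post.

```python
"""Find access ports that share an OpenWrt bridge VLAN without isolation.

Added example (not from the thread). Assumes DSA bridge-vlan port syntax
(port:u* untagged + PVID, port:t tagged) and netifd's per-port
'option isolate' setting: two isolated ports cannot forward to each other,
but either can still reach a non-isolated port such as the uplink trunk.
"""
import re
from collections import defaultdict
from itertools import combinations


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options).
    Repeated 'list' keys are collected into Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # tokens are either single-quoted strings or bare words
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", line)]
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] == "option":
            sections[-1][2][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections


def vlan_membership(sections):
    """Map VLAN id -> {port: untagged?} from 'config bridge-vlan' sections."""
    vlans = defaultdict(dict)
    for stype, _, opts in sections:
        if stype != "bridge-vlan":
            continue
        for entry in opts.get("ports", []):
            port, _, flags = entry.partition(":")
            # 'u' marks an untagged (access) port; no suffix is treated as tagged
            vlans[int(opts["vlan"])][port] = "u" in flags
    return dict(vlans)


def isolated_ports(sections):
    """Ports with a per-port 'config device' section carrying isolate='1'
    (assumed netifd bridge-port option; the bridge device itself is skipped)."""
    return {opts["name"] for stype, _, opts in sections
            if stype == "device" and opts.get("type") != "bridge"
            and opts.get("isolate") == "1"}


def shared_access_pairs(text):
    """Return (vlan, port_a, port_b) for each pair of access ports in one VLAN
    that can still forward to each other: isolation blocks traffic only when
    *both* ports are isolated."""
    sections = parse_uci(text)
    iso = isolated_ports(sections)
    findings = []
    for vid, ports in sorted(vlan_membership(sections).items()):
        access = sorted(p for p, untagged in ports.items() if untagged)
        for a, b in combinations(access, 2):
            if not (a in iso and b in iso):
                findings.append((vid, a, b))
    return findings


# Constructed sample: the thread's current layout, one VLAN per AP.
CURRENT_CFG = """
config bridge-vlan
    option device 'br-lan'
    option vlan '22'
    list ports 'lan1:t'
    list ports 'lan2:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '33'
    list ports 'lan1:t'
    list ports 'lan3:u*'
"""

# Constructed sample: both APs on VLAN 22, no port isolation.
SHARED_CFG = """
config bridge-vlan
    option device 'br-lan'
    option vlan '22'
    list ports 'lan1:t'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
"""

# Constructed sample: same VLAN, lan2 and lan3 as isolated bridge ports
# (assumed netifd 'isolate' option); lan1 stays non-isolated as the uplink.
ISOLATED_CFG = SHARED_CFG + """
config device
    option name 'lan2'
    option isolate '1'

config device
    option name 'lan3'
    option isolate '1'
"""

if __name__ == "__main__":
    for label, cfg in [("current", CURRENT_CFG), ("shared", SHARED_CFG),
                       ("isolated", ISOLATED_CFG)]:
        print(label, shared_access_pairs(cfg) or "no exposed port pairs")
```

Run it against a copy of /etc/config/network: an empty result for a VLAN that two APs share means every access port in it is isolated from the others, while the trunk port carrying the VLAN to the Pi is left non-isolated so clients still reach the captive portal. The check is purely about the router's bridge; whatever is upstream of the trunk must not bridge the two APs' frames back together.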

I'm wondering this myself too, as right now I have a single VLAN for IoT devices but have recently begun enabling that on multiple APs. So now the situation is IoT devices on one router can't reach each other due to "Isolate clients" on that instance of the SSID, but then they can reach devices that happen to be connected to any of the other APs.

As far as I've been able to ascertain, the solution for this is probably to set up a separate "IoT" VLAN for each access point. So it'd be:

  • AP #1 trunks IoT traffic onto VLAN 661
  • …while AP #2 uses VLAN 662
  • …AP #3 uses VLAN 663, etc.

So on my main router I would need three separate "Static address" interfaces [or, actually four in my case to cover its own VLAN 660 as "AP #0"] to keep each AP separate network-wise. I believe I could share one firewall zone for all these which might help with some of the rest of the setup, but that's a bit tbd as far as I've been able to research and so don't take my word for it.


Appreciate your response. I guess VLANs are the only solution for this setup. It would have been better if this could work with the same VLAN for smooth transfer of client devices from one AP to another, rather than letting them visit the captive portal for synchronization every time they change AP due to a different VLAN and a different IP address assignment. Anyway, thank you.