Preventing guest clients from communicating

To prevent guest network clients from communicating in a multiple AP setup (multiple 2.4 radios, but no 5 radios) what steps are necessary? Is:

ebtables -A FORWARD --logical-in br-guest -j DROP

still appropriate/needed with the new nftables firewall?

Or can I just enable client isolation on each of the 2.4 radios?

Nftables handles bridge filtering differently so you wouldn't use ebtables.

https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering

You can't use isolation because it works only for two clients on the same AP.

Thanks. No tick box option in LuCI then?

Has anyone else implemented this and could share a recipe?

Assume you have

  • an AP 1
  • and a client 1 connected to AP 1,
  • as well as an AP 2
  • and a client 2 connected to that AP 2.
  • AP 1 and AP 2 are wired

In the eyes of AP 1, the client 2 is not a wifi device but just another address on the wire.
In the eyes of AP 2, the client 1 is not a wifi device but just another address on the wire.

Now add your primary router to the network by connecting an actual wire, and add a printer by wire as well.

How would AP 1 know its wifi connected client 1 is allowed to connect to both router and printer on the wire, but not to client 2, which is just on the wire as well?

Client isolation goes like:

  1. Traffic from wifi to wire is allowed because wifi clients need to access the router.
  2. Traffic from wire to wifi is allowed because wifi clients need to receive the router's responses.
  3. Traffic from wifi to wifi is denied

Traffic from client 1 to client 2 hits rule 1 on AP 1, so it gets allowed on AP 1. And it hits rule 2 on AP 2, so it gets allowed on AP 2. Response traffic from client 2 to requests from client 1 hits rule 1 on AP 2, so it gets allowed on AP 2, and it hits rule 2 on AP 1, so it gets allowed on AP 1. Which makes 4 rules on 2 APs, all allowing this very traffic.

You might get away with those rules on both APs:

  1. Allow traffic to the router's MAC address
  2. Allow traffic from the router's MAC address
  3. Allow broadcast traffic that goes to the wire
  4. Block everything else

But

  1. I don't know if this really works and
  2. since you need to type in the MAC address of your router in both of your APs, this won't be a checkbox thing.
  3. this requires you to actually whitelist every wired MAC address in your guest network, otherwise wifi clients won't be able to access them.
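As an added example (not posted by anyone in this thread), here is what the four MAC-based rules above look like as a bridge-family nftables table, to be loaded on each guest AP. The literal nftables translation of the ebtables rule in the question is a single `meta ibrname "br-guest" drop` in the bridge forward chain (`meta ibrname` is the counterpart of `--logical-in`), but as explained above that only isolates guests when the AP is also the router and br-guest has no wired port. The interface names and MAC addresses below are assumptions and must be replaced with your own; the multicast rule is an addition to the post's list, since IPv6 neighbour discovery and mDNS use multicast rather than broadcast frames.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: one bridge-family nftables table per
# guest AP implementing the four MAC-based rules sketched above.
# Assumed names (change for your AP): guest bridge br-guest, wired uplink
# port eth0.3, router MAC 00:11:22:33:44:55, wired printer aa:bb:cc:dd:ee:01.
define GUEST_BR  = "br-guest"
define WIRE_PORT = "eth0.3"
# every wired MAC guests may reach (router first; the post's caveat 3 means
# the printer and any other wired guest-network host must be listed here too)
define WIRED_OK  = { 00:11:22:33:44:55, aa:bb:cc:dd:ee:01 }

# create-then-delete makes re-running this file idempotent
table bridge guest_isolation
delete table bridge guest_isolation

table bridge guest_isolation {
    chain forward {
        # bridge 'forward' hook: frames switched between ports of a bridge.
        # 'meta ibrname' is the nft counterpart of ebtables --logical-in.
        type filter hook forward priority filter; policy accept;
        meta ibrname $GUEST_BR jump guest_forward
    }

    chain guest_forward {
        # rules 1 + 2: frames to or from the router (and other wired hosts)
        ether daddr $WIRED_OK accept
        ether saddr $WIRED_OK accept
        # rule 3: broadcast that leaves towards the wire (ARP, DHCP discover)
        ether daddr ff:ff:ff:ff:ff:ff oifname $WIRE_PORT accept
        # not in the post's list: IPv6 ND and mDNS are multicast, not broadcast
        meta pkttype multicast oifname $WIRE_PORT accept
        # rule 4: everything else, i.e. wifi<->wifi on this AP and
        # guest<->guest across the wire, is dropped
        counter drop
    }
}
```

Load it with `nft -f <file>` on every AP (the bridge family needs the nf_tables bridge kernel module, `kmod-nft-bridge` on OpenWrt) and check with `nft list table bridge guest_isolation`; the counter on the final drop rule shows whether guest-to-guest frames are actually being caught. Note that with these rules guest clients only ever see broadcasts that originate on the wire from a whitelisted MAC, so a guest on AP 2 never even receives the ARP request from a guest on AP 1.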

Thanks. So with ebtables it was as simple as:

ebtables -A FORWARD --logical-in br-guest -j DROP

I was hoping for something as easy with nftables. Or at least a recipe.

Guest isolation seems like a fairly bog standard thing to want to do.