Proper guide for setting up Guest WiFi on multiple dumb APs?

Hi all,

I have been searching and also testing, but never got a clear vision of how this is supposed to be done.

My current setup (working, but only on one AP):

192.168.0.1 - “Main” x86 router.
192.168.0.2 - Dumb AP #1
192.168.0.3 - Dumb AP #2
192.168.0.4 - Dumb AP #3
Everything is connected and fed power through a managed PoE switch (so yes, I can use VLANs).
My current way of doing guest WiFi is as follows (please don't laugh):
Main router: I created interface “guest_wifi” with its own IP (192.168.5.1), DHCP etc. (according to an old guide for setting up guest WiFi on the main router). It worked fine as guest WiFi.
Main router: Connected interface “guest_wifi” to eth0.5 instead
Dumb AP3: created two bridges: br-lan.1 and br-lan.5
Dumb AP3: connected GuestWiFi to Network: vlan.5 + lan
Dumb AP3: connected WiFi to Network: lan
Switch: configured port to main router to VLAN5: tagged
Switch: configured port to AP3 to VLAN5: untagged

To make everything more complicated, I have an IoT device connected via cable to port lan2 on AP3, which I also tagged to VLAN5 (so it does not mix with LAN traffic).

All this works. I have Guest WiFi. But my attempts to reuse this (probably flawed) concept on multiple APs result in a loss of isolation: guests can ping each other across APs.

So the main question is:

What is the optimal way to build a system where I can have both ordinary WiFi and Guest WiFi across three dumb APs?

I also have two extra needs;

  • Guest WiFi should be buttoned down so devices cannot ping each other (client isolation only works as long as you have one AP), only talk to the Internet and nothing else.
  • If possible, I would like to be able to tag one of the physical ports on the dumb APs so it belongs to this "isolated guest_wifi" network (if I happen to have an IoT device that does not use WiFi).

Thanks a lot!
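As an added example (not part of the original post, and not taken from the OpenWrt docs), here is the dumb-AP side of the layout described above written out in UCI syntax for a current OpenWrt release (22.03 or later, DSA-style bridge VLAN filtering, which is what "br-lan.1"/"br-lan.5" implies), using AP3 as the instance. It departs from the post in one deliberate way: each AP gets its own guest VLAN ID (assumed here as 5, 6 and 7 for AP1, AP2 and AP3) rather than all three sharing VLAN 5. With one shared VLAN the managed switch forwards a guest frame from AP1's port straight to AP2's port; the frame never passes the router, so nothing on the router can block it. Everything else is an assumption the post does not state: the AP's switch ports are named lan1..lan4 with lan1 as the uplink to the PoE switch, the radio is radio0, and the AP's management address stays in VLAN 1.

```uci
# /etc/config/network on dumb AP #3 (added example; port names, radio name
# and VLAN IDs are assumptions, see the text above)

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1 = trusted LAN and AP management. Untagged (PVID) on the uplink
# lan1 and on the spare wired ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 7 = this AP's guest VLAN (AP1 would use 5, AP2 would use 6).
# Tagged towards the switch on lan1; untagged on lan2 so a wired IoT
# device plugged into lan2 lands in the guest network, not in the LAN.
config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'lan1:t'
	list ports 'lan2:u*'

# The management address exists only in VLAN 1.
config interface 'lan'
	option proto 'static'
	option device 'br-lan.1'
	option ipaddr '192.168.0.4'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

# The guest interface carries no IP at all (proto none): the AP exposes
# nothing to guest clients, and DHCP/DNS come from the main router via
# VLAN 7. This interface only exists so the guest SSID can be bound to it.
config interface 'guest'
	option proto 'none'
	option device 'br-lan.7'

# /etc/config/wireless (only the guest SSID is shown; the trusted SSID is
# a second wifi-iface with option network 'lan')

config wifi-iface 'wifinet_guest'
	option device 'radio0'
	option mode 'ap'
	# Bound to 'guest' only, never to 'guest' and 'lan' together: a
	# wireless interface can sit in one bridge VLAN, and binding it to
	# the trusted LAN as well would merge the two networks.
	option network 'guest'
	option ssid 'Guest'
	option encryption 'psk2'
	option key 'change-this-passphrase'
	# Drops guest-to-guest frames on this radio only. Cross-AP isolation is
	# handled by the per-AP VLAN plus the bridge settings on the router.
	option isolate '1'
```

On the switch, AP3's port then carries VLAN 1 untagged (PVID) and VLAN 7 tagged, AP1's port VLAN 1 untagged and VLAN 5 tagged, and so on. To check the AP side, run `bridge vlan show` on the AP (package ip-bridge): lan1 should list 1 as PVID/untagged plus 7, and lan2 should list only 7 as PVID/untagged, so a device on lan2 has no path into the trusted LAN.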

There's https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap, not sure if it covers all your needs though.

1 Like

You could have a different VLAN for guest wifi on each router.

1 Like

I thought about it, but my current solution is different subnets/DHCP/DNS for each VLAN, which would make roaming between APs very cumbersome. Do you have any input on how to merge three VLANs together on the same subnet while keeping the devices separated?

This is the holy grail of OpenWRT: how to build proper Guest WiFi with OWRT where clients can roam but still not ping each other.

Basically, it boils down to this:

I can tag Guest traffic from APs with different VLANs. But how do I merge those three different VLANs in the router under the “same roof”/subnet, without letting them talk to each other, only to the Internet?

Or is there a better way than VLAN to tag/tunnel this traffic to router?

Just use client isolation. As I tested it, you can’t ping, scan, or probably do anything else if you are using client isolation in a VLAN.

I am aware of the “client isolation” option within the Wireless device configuration, but that only isolates clients that are connected to that particular radio.

If you have one client on AP#1 and another on AP#2 on the same virtual interface, they will be able to ping each other through the router instead. I do not see any such option in my “guest_wifi” interface configuration?

I don’t think so. Well, for me, I was testing this on my batman-adv setup and I know that devices are connected on the same VLAN SSID over different routers.

I couldn’t ping them or scan the network. Maybe this depends on your network setup.

OK, perhaps I should create a new thread and concentrate on solving that particular issue first:

Isolation between VLAN’s in same subnet.

Found my old thread on this topic, will continue there:

1 Like

VLANs (and their SSIDs) are a different topic than client isolation. Do you still need help with the VLAN+SSID part of the equation?

Hi.

There is nothing in this guide https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap that indicates that the setup would work on multiple dumb APs while still retaining isolation between clients on two different APs. So I guess that a setup using multiple VLANs is still the only way to try to solve it?

1 Like

There are two different concepts here... client isolation and VLANs. They do different things.

If your goal is to have a guest/iot/other network that is isolated from the main/trusted network(s), VLANs are the way to achieve it.

Client isolation is a wifi specific approach and is all-or-nothing. Specifically, it prevents wifi devices from communicating with each other, but when engaged, it blocks all wifi-to-wifi connections. This is, however, only effective for devices on the same AP. If you have multiple APs, a client on one of them would 'see' a client on another AP as if they were connected via ethernet.

VLANs, by contrast, create entirely separate networks. The isolation is handled at both L2 (switching) by means of VLAN aware infrastructure (routers, APs, switches) to keep the flows separate via 802.1q tags, and L3 (routing) where you can control -- as broadly or as granularly as desired -- the permissions to route from one network to another via the firewall.

The two can be used together so that, for example, guests on the guest network+SSID cannot connect to other guest devices (at least those that are connected to the same AP) -- this is useful for public places like cafes and hotels, but not usually as important for home networks where your guests may actually want to be able to connect between their own devices.

All of that said, if you go with the VLAN approach, it all starts with the main router.

  • Have you configured VLANs on the main router?
  • Additionally, how are the APs connected -- is it a direct connection from the router to the AP(s), or is there a switch in between? And if there is a switch, is it a managed switch?

First of all, thanks for involving yourself into my question.

My goal is to have guest/iot/other network spanning across multiple AP’s whose clients are isolated from the main/trusted network(s) and from each other.

Yes, I am aware of that. I tried to expand my (single) VLAN concept to multiple APs but never solved the issue of clients being able to see each other across APs.

This is exactly what I am trying to achieve. Basically a guest WiFi with client isolation, but able to span multiple APs and still retain isolation.

Yes I did. I have VLAN 5 handling "guest WiFi". It is currently routing Guest WiFi traffic originating from one of the three APs.

There is a managed switch between the router and the APs.
I have tagged the ports on the managed switch accordingly, in order for it to properly forward VLAN5 traffic from AP3 to the router, where it is handled by a separate interface. (I am not fully sure what I did and if I did it correctly, but it is working.)

So my question is:
How do I expand this concept to additional APs while keeping clients isolated?
I can create multiple VLANs ... but how do I tie them together into the same subnet (in my case 192.168.5.x) but still keep clients from talking to each other?

This is the hint I got couple of years ago:

But it involves an additional package, "ebtables", which is somewhat scary for a noob like me.
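As an added example (not from the thread, the linked hint, or the OpenWrt docs), here is a router-side answer to the question above that needs no ebtables. The three per-AP guest VLANs are joined into one bridge with one subnet and one DHCP scope, and each VLAN sub-interface is marked as an isolated bridge port. The Linux bridge (kernel 4.18 and later) only lets an isolated port exchange frames with non-isolated ports, and the only non-isolated party in this bridge is the router itself, so a guest on AP1 and a guest on AP2 are dropped at the bridge while both can still reach DHCP, DNS and the default gateway. A client roaming from AP1 to AP2 keeps its 192.168.5.x lease because the subnet is unchanged; the bridge simply relearns the client's MAC on the new port. Assumptions: OpenWrt 22.03 or later on the x86 router, eth0 facing the PoE switch, VLAN IDs 5/6/7 for AP1/AP2/AP3 (all three tagged on the switch port towards the router, each one tagged on its own AP's port), and a netifd that honours `option isolate '1'` on a bridge port device. The firewall part is the standard guest zone from the OpenWrt guest WiFi guide. If the managed switch has "protected" or "isolated" ports, the same effect can be had on the switch with a single VLAN 5, but that is vendor specific and the thread does not name the switch.

```uci
# /etc/config/network on the main router (added example; eth0, the VLAN IDs
# and the 'isolate' bridge-port option are assumptions, see the text above)

# One 802.1Q sub-interface per AP-specific guest VLAN. 'isolate' makes the
# sub-interface an isolated bridge port: it can only forward to non-isolated
# ports, and the bridge's own (router) side is the only such party. So
# eth0.5 <-> eth0.6 is dropped inside the bridge; eth0.5 <-> router works.
config device
	option type '8021q'
	option ifname 'eth0'
	option vid '5'
	option name 'eth0.5'
	option isolate '1'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '6'
	option name 'eth0.6'
	option isolate '1'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '7'
	option name 'eth0.7'
	option isolate '1'

# All three VLANs in one bridge: one L2 domain from the router's point of
# view, one subnet, one DHCP scope, so guests can roam between APs.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.5'
	list ports 'eth0.6'
	list ports 'eth0.7'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

# /etc/config/firewall: guests reach the Internet and nothing else, and the
# router itself answers only DHCP and DNS from the guest zone.

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After `/etc/init.d/network restart`, `bridge -d link show dev eth0.5` (package ip-bridge) should print `isolated on` for each of the three ports; if your netifd build ignores the option, the runtime equivalent is `bridge link set dev eth0.5 isolated on` (and likewise for eth0.6 and eth0.7), which can go into `/etc/rc.local`. To test: from a guest on AP1, ping a guest on AP2 (no reply, dropped in br-guest), ping 192.168.5.1 (works), ping 192.168.0.1 or 192.168.0.4 (rejected by the guest zone's input and forward policy). On the switch, the router port carries VLANs 5, 6 and 7 tagged alongside the existing LAN VLAN, and each AP port carries only its own guest VLAN tagged.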