[SOLVED] Enable "Isolate Clients" option on one interface but let two IPs able to communicate

I've set up my wireless network to be a guest one on a different subnet which can only retrieve DNS and DHCP and I also enabled the option "Isolate clients" in Advanced settings but I can't print with my Epson printer (WorkForce R8590; I initially did all of this because I noticed this printer was doing something strange...) whilst this option is checked.

Now, how can I make my computer (192.168.55.198) communicate with the printer (192.168.55.106) with the option "Isolate clients" activated?

Ummm...you can't if your printer is wireless...that's actually the point for the setting you enabled.

  • Make printer wired; or
  • Place it on another network and wireless SSID
1 Like

alright, I thought it'd be possible by adding a firewall rule. I don't know that much about networking so I was thinking about this:
what if I go to the wireless tab and add a network with the same SSID as the other one, set the channel to auto but allow different MAC addresses on them so I put them on different networks where one has the Isolate option on and the other doesn't?

You can't have two APs with the same SSID on the same radio. You should set up another SSID only for the printer, put the printer in its own network then firewall it as needed.

2 Likes

I did what I wrote in my previous post and it seems to be working. I placed them on different subnets and firewall settings, same SSID, MAC and radio. They have different MAC ACL settings though

1 Like

Nope, the Isolate button under the WiFi page is hardware-based, not firewall-based (at least on my Atheros ath9k-based chip).

It sound like you rigged it, and got the subnets to route.

:+1:

1 Like

lol finally got something working at first try... I have another question: I want to have LAN ports to act the same way as a wireless guest network (devices are only able to obtain DNS and IP via DHCP but not connect to the routers gateway) unless one uses a static ip, how would one do so?
I went to the interface page and pressed add, now I need to select which network to cover and I have eth or eth0.1 (lan), which one do I select?
Then I just need to disable the dhcp server for lan and add it to the new vlan network on a different subnet, right?
Also is there a way to make only certain mac addresses access the lan subnet where the gateway is located?

  • I would create INPUT ALLOW rules for the DNS and DHCP, then immediately under, a DROP or REJECT rule (or make the zone default to DROP or REJECT).

Ummm...I'm not sure what you're trying to further accomplish since you can print now.

  • If you wish for LAN to be statically addressed, then yes, disable it on LAN.

To be honest...I'm not sure, as I'm confused about how you rigged the SSID and have no clue why you're creating an interface now. In my suggestion, this would already exist and be configured for the LAN and Guest networks/SSIDs, respectively.

  • Which network/vlan did you create? That's the one you should cover.

Perhaps, you should post your /etc/config/network and /etc/config/wireless

I'm unable to assist further on the non-standard setup without seeing configs. Be sure to obscure your keys.

1 Like

yes it's a bit messy.
I can print so the wireless part is done.
Now when I plug an ethernet cable into the router it gets IP from DHCP server of the LAN1 subnet which can't access LAN subnet where the router gateway is.
What I want to do is limit the devices which can access the LAN subnet. I disabled DHCP for this interface so one has to manually use the correct IP to access it but do you know if there is a way to add a MAC filter or ipfilter so only my computer can access the router's gateway?

Yes.

  • You can use firewall rules by MAC or IP to prevent forward from LAN to another network (e.g. WAN). Obviously forwarding is handed by the router.

  • To prevent "access" to the router itself you make INPUT BLOCK rules.

Alright so to allow my computer to access the router I have to go into the firewall tab and select reject in the input voice of the LAN interface and then add two firewall rules to allow my computer's MAC to access the router's IP via port 443, 80, 22 over TCP right?

Can you describe more detail about what you want overall? Something like "I want LAN1 and LAN2 with mostly X computers in LAN1 and Y computers and printers etc in LAN2 and exactly a certain set of MAC addresses can access from LAN1 into LAN2 but no one can access from LAN2 back into LAN1 and LAN2 can't access the router itself, and a cherry on top." or whatever. Just give us more details what you want.

1 Like

I would like to have:
a computer and a printer in guest1 (192.168.55.1) whith the option "isolate clients" unchecked
All other wireless clients in guest (192.168.54.1) with option "isolate clients" checked
only my computer can access the LAN network with manual ip
all other LAN clients connect via DHCP to LAN1 which doesn't have access to LAN subnet

Right now I have 3 problems:
I can't browse the internet from any network (Lan, or guest)
LAN 1 doesn't work
DHCP doesn't work

am I correct in thinking you want 4 separate networks

  1. Guest
  2. Guest1
  3. LAN
  4. LAN1

Can I suggest better naming for less confusion? Maybe

  1. Guest (isolated wifi only?)
  2. Printers (unisolated wifi only?)
  3. Special (static LAN)
  4. LAN (regular DHCP LAN)

Now, basic outline of steps:

  1. Create VLANs on your switch for Special and LAN (there's already one for LAN probably).

  2. create 4 interfaces in Luci with these names, put the physical settings to be the VLANS for Special and LAN

  3. create 4 firewall zones in Luci with these names
    put each interface into its associated firewall zone

  4. set up forwarding rules between firewall zones, for example:
    allow forwarding from LAN to Printers and WAN
    allow forwarding from Special to LAN, Printers, and WAN
    allow forwarding from Guest to Printers and WAN
    allow forwarding from Printers to WAN only, or maybe nowhere
    allow input to router from Special (this is where you config your router I assume)

  5. Now create associated SSIDs for Guest and Printers, with isolated checked for Guest and unchecked for Printers

Hope that helps!

yes

my mind is messy my bad

yes

yes

this should be the regular LAN (which is created by default settings) but with no DHCP. I would like to have only my computer (MAC address) with static IP able to access this interface and the router's gateway. The other interfaces can only get IP via DHCP and DNS and surf the internet

I did create a new VLAN with the name LAN 1 but it says this (the phsyical settings are also shown):

done, the pictures in my previous post show that
I have only one radio (TP-Link WR841N V11.1) and the SSID is the same but ACL MAC list and the subnet is different

done

done, I didn't change the interface's names because I don't know how to do that in LuCI GUI, maybe it's possible via SSH... would this mess with the firewall zones?

I still can't access the internet nor get IPs via DHCP...

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr 'routerssubnet'

config interface 'wan'
wan settings

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr 'isolatewifisubet'

config interface 'guest1'
	option proto 'static'
	option delegate '0'
	option ipaddr 'printers subnet'
	option netmask '255.255.255.0'

config interface 'lan1'
	option proto 'static'
	option ifname 'lan1'
	option ipaddr '"guest"'s lan subnet'
	option netmask '255.255.255.0'
	option delegate '0'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	option allservers '0'
	option resolvfile '/etc/resolv-crypt.conf'
	list server 'dnscrypt'
	list server '/pool.ntp.org/xxxx'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'nameofdevice'
	option mac 'macaddressofdevice'

config dhcp 'guest1'
	option interface 'guest1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan1'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'lan1'

/etc/config/firewall


config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'lan'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option name 'DNSSpecial'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'guest'
	option name 'DNSGuest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'guest1'
	option name 'DNSPrinters'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'lan1'
	option name 'DNSLan1'

config rule
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'guest'
	option dest_port '67-68'
	option name 'DHCPGuest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option family 'ipv4'
	option src 'guest1'
	option name 'DHCPPrinters'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option family 'ipv4'
	option src 'lan1'
	option name 'DHCPlan1'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '443'
	option family 'ipv4'
	option src 'lan'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option dest_ip 'mycomputerip'
	option name 'ForwardSpecialToRouter'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option family 'ipv4'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option name 'ForwardSpecialToWan'
	option dest 'wan'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'
	option family 'ipv4'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option family 'ipv4'

config zone
	option name 'guest1'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest1'
	option input 'REJECT'
	option family 'ipv4'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'guest1'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'lan1'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'lan1'
	option family 'ipv4'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan1'

config rule
	option target 'ACCEPT'
	option src 'lan1'
	option name 'ForwardLan1ToWan'
	option family 'ipv4'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option src 'guest1'
	option name 'ForwardPrintersToWan'
	option family 'ipv4'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'ForwardGuestToWan'
	option family 'ipv4'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src 'lan'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option name 'AllowSpecialInputAnything'

@lleachii

/etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca953x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option channel 'auto'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'printers'
	option macfilter 'allow'
	option encryption 'psk2+ccmp'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'ssid'
	option key 'pwd'
	list maclist 'macs'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option macfilter 'allow'
	option isolate '1'
	option encryption 'psk2+ccmp'
	option key 'samepwd'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'samessid'
	list maclist 'diffrentmacs'

Make the relevant guest network a bridge and add an SSID. Then permit traffic to the printer.

aaah I had some mac addresses in both guest and printers network and some hostnames in dhcp with some spaces. Once I corrected that everything started working lol

Thanks @lleachii @dlakelan @mk24 for the help!!!

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.