Suggestions for getting started with filtering WAP traffic

Hello,

I'm setting up a small network that covers a large enough physical area that it needs multiple WAPs. I'm trying to create a single LAN where all devices connected to all WAPs can see each other. The WAPs will all be connected to a central router that will do DHCP/DNS/firewall. However, I'd like to do some firewalling on the WAPs, as I don't want to allow all traffic from one of the WAPs but do want to allow anything from the others. I've looked over the OpenWRT documentation but I'm still not sure of the best approach to doing this. Since my WAPs only have a lan zone and therefore aren't doing IP routing, is there a way to do IP filtering on the WAP? Alternatively, is there a way for the central router to see which WAP a client connected to and use that to apply different filter rules?

Any pointers where to start on this much appreciated.

Joel

Surely you can just use a separate range of private addresses for the specific WiFi AP, and don't masquerade on the WAN or whatever LAN port connects to your main router.

On the main router side, you can configure a static route for the range of the specific WiFi AP, with the gateway IP set to the IP (of the WiFi AP) given by the main router's DHCP.

Since the main router then knows the source IP range, you can set whatever rules you want for it.

The other catch is that, if you need to restrict the devices connecting to the WiFi AP from accessing servers on the LAN, you will have to set specific rules on the WiFi AP, since those packets don't have to go through the main router.
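As an added illustration of the layout described in that reply (example configuration written for this page, not posted by the replier and not taken from the OpenWrt documentation), the UCI fragments below assume a main LAN of 192.168.1.0/24 with the main router at 192.168.1.1, the restricted AP's uplink port fixed at 192.168.1.2, and 192.168.50.0/24 as that AP's own wireless subnet. The interface, zone and SSID names are placeholders as well.

```uci
# ===== Restricted AP (OpenWrt) =====

# --- /etc/config/network ---
# Uplink port towards the main router. Kept as a plain routed interface
# (NOT bridged with the radio) and given a fixed address so that the
# static route on the main router below always points at a valid gateway.
# Assumed device name: eth0.
config interface 'lan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'

# Separate subnet for the wireless clients of this AP (assumed 192.168.50.0/24).
# No device here: the radio is attached via 'option network' in /etc/config/wireless.
config interface 'wifi'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# --- /etc/config/wireless (only the relevant wifi-iface shown) ---
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'restricted-ap'      # placeholder SSID
	option network 'wifi'           # attach the radio to the routed 'wifi' network

# --- /etc/config/dhcp ---
# Do not answer DHCP on the uplink: the main router serves 192.168.1.0/24.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# Serve the wireless clients from the AP's own range.
config dhcp 'wifi'
	option interface 'wifi'
	option start '100'
	option limit '150'
	option leasetime '12h'

# --- /etc/config/firewall ---
# masq '0' on the uplink zone: the main router must see the real
# 192.168.50.x source addresses, otherwise it cannot filter on them.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'

config zone
	option name 'wifi'
	list network 'wifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# wifi -> lan is a real zone crossing on this AP, so rules placed here
# (e.g. to keep these clients away from servers on the main LAN) do match.
config forwarding
	option src 'wifi'
	option dest 'lan'

# ===== Main router (OpenWrt) =====

# --- /etc/config/network ---
# Return route for the AP's subnet, via the AP's uplink address.
config route
	option interface 'lan'
	option target '192.168.50.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'

# --- /etc/config/firewall ---
# Packets from the restricted AP arrive in the 'lan' zone carrying their
# 192.168.50.x source, so they can be kept off the WAN by source range.
config rule
	option name 'Deny-restricted-AP-to-WAN'
	option src 'lan'
	option src_ip '192.168.50.0/24'
	option dest 'wan'
	option target 'REJECT'
```

After editing, reload with `/etc/init.d/network restart` and `/etc/init.d/firewall restart` on each box (and `wifi reload` on the AP). Because the AP's wireless subnet is routed at the AP rather than bridged, traffic from those clients to hosts on 192.168.1.0/24 is forwarded by the AP itself and never reaches the main router, which is exactly the catch the reply points out: any restriction on LAN servers has to be a rule in the AP's wifi-to-lan forwarding, while the deny-to-WAN rule belongs on the main router, as shown.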

Surely you can just use a separate range of private addresses for the specific WiFi AP, and don't masquerade on the WAN or whatever LAN port connects to your main router.

The only way I know to be able to do that is to run a DHCP server on the WAP as well as on the main router. I don't think the DHCP server on the main router would know which WAP the DHCP request was coming from in order to assign from a different range of addresses. It seems like your suggestion would work as long as the two DHCP servers had different portions of the address space to draw from.

I could try that but I'm not sure what behaviour to expect if a device roams from one AP to another.

The other catch is that, if you need to restrict the devices connecting to the WiFi AP from accessing servers on the LAN, you will have to set specific rules on the WiFi AP, since those packets don't have to go through the main router.

That isn't a problem in my setup; I'm just trying to restrict access out of the LAN. However, when I do set rules on the WAP, they never seem to get matched. I assume the reason is that the packets are not going from one zone to another, since both my WLAN device and my Ethernet device are connected to the br-lan interface and so no packets are changing zones, but perhaps I'm not understanding correctly how the system works.

I just sat down to try this and realized I can't set up a DHCP server on my WAP, since my Ethernet and WLAN ports are bridged and I'd start answering DHCP requests from any device on the LAN, not just those connecting through this WAP.