Vlans in non-bridged wifi networks

A recent thread about the advantages of using vlans in a bridged wifi<-->lan network left me wondering whether there are any security/isolation benefits to using vlans in a non-bridged wifi network with a single radio? I'm unclear as to whether vlans would do anything whatsoever in this case, since there is only one device.

For reference, here is my non-bridged guest-wifi config:

network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='192.168.100.1'
network.guest.netmask='255.255.255.0'
wireless.guest=wifi-iface
wireless.guest.device='radio0'
wireless.guest.mode='ap'
wireless.guest.network='guest'
wireless.guest.ssid="$ssid"
wireless.guest.encryption='sae-mixed'
wireless.guest.key="$wifi_password"
wireless.guest.isolate='1'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='10'
dhcp.guest.limit='10'
dhcp.guest.leasetime='1h'

What exactly are you trying to achieve here?

If you're setting up a wifi only network on a single band (using just one built-in radio), you don't need to use a bridge. If you intend to use multiple physical interfaces (i.e. ethernet + wifi, multiple wifi radios, possibly multiple ethernet ports), you need a bridge, but this doesn't really impact security as long as it's properly configured.

Wifi client isolation is fine, and will isolate all wifi clients on that SSID from each other. The firewall is responsible for all other allow/prohibit rules with respect to routing (including inter-network and internet).

What exactly are you trying to achieve here?

The aim is to provide isolation between wifi clients on the same SSID (on a single radio).

I'm currently using the "isolate" option, but I haven't investigated how it works or whether it has any weaknesses.

The recent thread about vlans in bridged wifi<->lan networks led me to wonder whether vlans might provide better isolation between wifi clients than the existing "isolate" method?

Wifi client isolation is fine, and will isolate all wifi clients on that SSID from each other.

That answers the question. Thanks for responding.

VLANs (when paired with appropriate firewall rules) will successfully isolate devices on one network from devices on another network. VLANs do not isolate devices in the same network, though, since VLAN routing/firewall operations are Layer 3 and connections between devices on the same network happen at L2 (the router is not involved).

Wifi isolation will isolate wifi clients from each other on the same SSID that are on a single AP. This method does not isolate wifi from wired devices on the same L2 network, and it doesn't isolate wifi devices that are attached to one AP from wifi devices on another AP that is servicing the same network (from the perspective of the wifi AP, everything connected to another AP basically looks like a set of wired devices since they're not directly connected to the local AP).


I should have mentioned that the thread I referenced previously includes the following,

/etc/hostapd.wpa_psk needs to specify which passphrase should go into which VLAN ID (in this example, clients connecting with the passphrase "supersecret" will go into VLAN ID 101):

  vlanid=101 00:00:00:00:00:00 supersecret

/etc/hostapd.vlan needs to specify the wifi interface created for each (possible) VLAN ID. This can be named anything, but for consistency I choose to name it like a VLAN-tagged interface:

  101 wlan0.101

This will result in:

    creation of the wifi interface wlan0.101 as specified in /etc/hostapd.vlan 

This led me to think that clients attached to a given SSID would have not only their own vlan (101) but also their own interface (wlan0.101).

The firewall should then provide isolation unless FORWARD was set to ACCEPT by default.

I'm assuming that hostapd automatically creates the interface wlan0.101, but I could well be deeply confused.

Almost. That new wlan0.101 interface itself is not VLAN-tagged (it is just named like a VLAN-tagged interface in that example, that name is arbitrary, it can also be "refrigerator" if you feel like it).

The VLAN comes into play when hostapd then creates a bridge containing that new (untagged) wifi interface and an actually VLAN-tagged interface built using the VLAN ID and the vlan_tagged_interface parameter.

Alternatively, hostapd can put that wifi interface into an existing bridge using the optional third parameter in the respective line in vlan_file. (In this case I'm not entirely sure what the given VLAN ID actually does other than provide separate identifications.)

Also note that, apparently, it works slightly differently if one doesn't directly use the wpa_psk_file et al, and instead defines everything using UCI. Then the new wifi interface actually seems to get VLAN-tagged although I really have no idea how, for all the world it looks like the UCI parameters are just parsed into temporary wpa_psk_file and vlan_file files with the same parameters in hostapd's configuration. Maybe some detail causes hostapd to behave slightly differently, more investigation is required.

As nice and convenient as all of this is, documentation about its behaviour is still not 100% exhaustive, we are still finding out things by trial and error.
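An added example (my own, not code from this thread or from hostapd) that reads the two files in the format quoted above and works out where a client lands: the vlanid= selected by the passphrase it used, the wifi interface from the matching vlan_file line (or from a '*' wildcard line with '#' replaced by the ID), and the bridge that interface ends up in. The bridge names brvlan<id> and br<tagged>.<id> are what hostapd.conf documents as the vlan_bridge defaults when no bridge is named on the vlan_file line; that, and accepting keyid= next to vlanid=, is my reading of the hostapd docs and is an assumption. The file contents are constructed, as are the MAC addresses and passphrases.

```python
"""Per-passphrase dynamic VLAN placement, hostapd wpa_psk_file + vlan_file style.

Added example, not hostapd code. Bridge naming follows my reading of hostapd.conf
(vlan_bridge defaults: brvlan<id>, or br<tagged>.<id> when vlan_tagged_interface
is set) and is an assumption. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

WILDCARD_MAC = "00:00:00:00:00:00"  # in wpa_psk_file this MAC matches any station

# Constructed /etc/hostapd.wpa_psk: [keyid=..] [vlanid=N] <MAC> <passphrase>
WPA_PSK_FILE = """\
# 'supersecret' -> VLAN 101 (the line quoted in the thread)
vlanid=101 00:00:00:00:00:00 supersecret
vlanid=102 00:00:00:00:00:00 guestsecret
vlanid=103 aa:bb:cc:dd:ee:ff pinneddevice
00:00:00:00:00:00 notaggedhere
"""

# Constructed /etc/hostapd.vlan: <vlan id> <ifname> [bridge]; '*' matches any ID, '#' -> ID
VLAN_FILE = """\
101 wlan0.101
102 wlan0.102 br-guest
* wlan0.#
"""


@dataclass
class PskEntry:
    mac: str
    psk: str
    vlan_id: Optional[int]  # None: no vlanid= option, client stays on the plain BSS


@dataclass
class VlanEntry:
    vlan_id: Optional[int]  # None: the '*' wildcard line
    ifname: str
    bridge: Optional[str]


def _lines(text):
    """Yield (line number, fields) for non-empty, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line.split()


def parse_wpa_psk_file(text):
    entries = []
    for n, fields in _lines(text):
        vlan_id = None
        while fields and "=" in fields[0]:  # leading key=value options
            key, _, value = fields.pop(0).partition("=")
            if key == "vlanid":
                vlan_id = int(value)
            elif key != "keyid":
                raise ValueError(f"wpa_psk_file line {n}: unknown option {key}")
        if len(fields) != 2:
            raise ValueError(f"wpa_psk_file line {n}: expected '<MAC> <PSK>'")
        entries.append(PskEntry(fields[0].lower(), fields[1], vlan_id))
    return entries


def parse_vlan_file(text):
    entries = []
    for n, fields in _lines(text):
        if len(fields) not in (2, 3):
            raise ValueError(f"vlan_file line {n}: expected '<vlan id> <ifname> [bridge]'")
        vid = None if fields[0] == "*" else int(fields[0])
        entries.append(VlanEntry(vid, fields[1], fields[2] if len(fields) == 3 else None))
    return entries


def resolve_vlan(vlans, vlan_id, vlan_tagged_interface=None):
    """Map a VLAN ID to (wifi ifname, bridge, tagged ifname or None). Exact line beats '*'."""
    entry = next((v for v in vlans if v.vlan_id == vlan_id), None)
    if entry is None:
        wild = next((v for v in vlans if v.vlan_id is None), None)
        if wild is None:  # no line and no wildcard: hostapd has nowhere to put the client
            raise LookupError(f"VLAN {vlan_id} is not in vlan_file")
        entry = VlanEntry(vlan_id, wild.ifname.replace("#", str(vlan_id), 1), wild.bridge)
    if entry.bridge:
        bridge = entry.bridge  # explicit third column: the ID only selects this line
    elif vlan_tagged_interface:
        bridge = f"br{vlan_tagged_interface}.{vlan_id}"  # assumed hostapd.conf default
    else:
        bridge = f"brvlan{vlan_id}"  # assumed hostapd.conf default
    tagged = f"{vlan_tagged_interface}.{vlan_id}" if vlan_tagged_interface else None
    return entry.ifname, bridge, tagged


def place_client(client_mac, passphrase, psk_text=WPA_PSK_FILE, vlan_text=VLAN_FILE,
                 vlan_tagged_interface=None):
    """None if no PSK line matches (the 4-way handshake fails), else the placement."""
    mac = client_mac.lower()
    hits = [e for e in parse_wpa_psk_file(psk_text)
            if e.mac in (mac, WILDCARD_MAC) and e.psk == passphrase]
    if not hits:
        return None
    if len(hits) > 1:  # one passphrase on two lines: which VLAN wins depends on hostapd's order
        raise ValueError(f"ambiguous passphrase for {mac}: VLANs {[e.vlan_id for e in hits]}")
    entry = hits[0]
    if entry.vlan_id is None:
        return {"vlan_id": None, "ifname": None, "bridge": None, "tagged": None}
    ifname, bridge, tagged = resolve_vlan(parse_vlan_file(vlan_text), entry.vlan_id,
                                          vlan_tagged_interface)
    return {"vlan_id": entry.vlan_id, "ifname": ifname, "bridge": bridge, "tagged": tagged}
```

Calling place_client("11:22:33:44:55:66", "supersecret") gives VLAN 101 on wlan0.101 in brvlan101 (no tagged member, because no vlan_tagged_interface was set); passing vlan_tagged_interface="eth0" changes the bridge to breth0.101 with eth0.101 as the tagged member, which is the case the reply above describes. The explicit "br-guest" column on the 102 line shows the other case: the ID only picks that line, and whether a tagged sub-interface joins that bridge still depends solely on vlan_tagged_interface.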
