OpenWrt Forum Archive

Topic: Need help to filter traffic that goes through an AP

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi All,

I am trying to filter traffic that goes through my AP. I have, for example, 2 wireless clients. Client A pings client B as they are connected through the WLAN0 interface on my OpenWRT router (I am using a Raspberry Pi 2 for the router).
In this scenario, client A can certainly ping client B. Then I tried to deploy a netfilter rule: "iptables -A FORWARD -j REJECT -p icmp", but the traffic doesn't seem to be filtered by iptables. I tried using iptables to filter traffic between 2 interfaces, e.g. WLAN0 and LAN0, and it works just fine as expected because it filters the traffic that goes from one interface to another.

Does anyone know any method to filter this traffic from client A to client B when both are connected to the AP (only one interface)? Or do we have to hack iptables to do this?

Thank you!

Kind regards,
Rahmadi

rtrimana wrote:

Hi All,

I am trying to filter traffic that goes through my AP. I have, for example, 2 wireless clients. Client A pings client B as they are connected through the WLAN0 interface on my OpenWRT router (I am using a Raspberry Pi 2 for the router).
In this scenario, client A can certainly ping client B. Then I tried to deploy a netfilter rule: "iptables -A FORWARD -j REJECT -p icmp", but the traffic doesn't seem to be filtered by iptables. I tried using iptables to filter traffic between 2 interfaces, e.g. WLAN0 and LAN0, and it works just fine as expected because it filters the traffic that goes from one interface to another.

Does anyone know any method to filter this traffic from client A to client B when both are connected to the AP (only one interface)? Or do we have to hack iptables to do this?

Thank you!

Kind regards,
Rahmadi

ebtables

Thanks stas2z, I've just tried it but it doesn't seem to have any effect. I tried something like this:

ebtables -t broute -A BROUTING -p ipv4 -i wlan0 --ip-dst X.X.X.X -j DROP

Isn't ebtables also for bridging? At the Wifi AP, it doesn't seem to me that it's bridging the clients, because AFAIK a bridge is supposed to bridge 2 interfaces, right?

rtrimana wrote:

Thanks stas2z, I've just tried it but it doesn't seem to have any effect. I tried something like this:

ebtables -t broute -A BROUTING -p ipv4 -i wlan0 --ip-dst X.X.X.X -j DROP

Isn't ebtables also for bridging? At the Wifi AP, it doesn't seem to me that it's bridging the clients, because AFAIK a bridge is supposed to bridge 2 interfaces, right?

OK, my fault: AP clients communicate with each other directly,
but you can prevent it by enabling wireless AP isolation mode.

I see. I am aware of AP isolation too, but in our case we want to differentiate traffic based on IP addresses and port numbers as well. So we need something more fine-grained. Do you know anything like this?

Okay I've got my answer. So, to do this we have to:

1) Set AP isolation (set option isolate '1' in the wifi-iface section of /etc/config/wireless).
2) Once the wireless clients are isolated, we deploy bridge hairpin mode: brctl hairpin br-wifi wlan0 on, which enables the clients to talk again because our wlan0 is now a bridge port between the wireless clients.
3) Use iptables/nftables etc. to set our filters.

Hope that helps anyone who has the same problem.

And don't forget to set our wlan0 interface as a bridge (option type 'bridge') and also set net.bridge.bridge-nf-call-iptables = 1 in /etc/sysctl.conf to make iptables work in bridge mode.
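Putting the three steps together, as an added example that is not part of the thread: a small OpenWrt shell script that prints the commands for review (or runs them with APPLY=1) and can check the resulting bridge state. The bridge name br-wifi and port wlan0 come from the thread; the wifi-iface section name default_radio0 and the sample client address and port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: bridge br-wifi, radio wlan0,
# wifi-iface section wireless.default_radio0; sample IP/port below are constructed.
BR=${BR:-br-wifi}
WLAN=${WLAN:-wlan0}
WIFACE=${WIFACE:-default_radio0}

# Step 1: AP isolation stops the driver relaying client-to-client frames itself,
# so every such frame has to go up to the Linux bridge.
isolate_cmds() {
    echo "uci set wireless.$WIFACE.isolate='1'"
    echo "uci commit wireless && wifi reload"
}

# Step 2: hairpin lets the bridge send a frame back out the port it arrived on;
# bridge-nf-call-iptables makes those bridged frames traverse the FORWARD chain.
hairpin_cmds() {
    echo "brctl hairpin $BR $WLAN on"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

# Step 3: bridged frames enter and leave on the same bridge device, so
# '-i $BR -o $BR' matches only client-to-client traffic. Rules are inserted (-I),
# not appended, so they sit ahead of the firewall's own accept rules in FORWARD.
# Usage: filter_rule <proto> <dst-ip|any> <dport|->
filter_rule() {
    rule="iptables -I FORWARD -i $BR -o $BR -p $1"
    [ "$2" != "any" ] && rule="$rule -d $2"
    [ "$3" != "-" ] && rule="$rule --dport $3"
    echo "$rule -j REJECT"
}

# Read-only check of the kernel state after applying (run on the router).
verify_setup() {
    hp=$(cat "/sys/class/net/$BR/brif/$WLAN/hairpin_mode" 2>/dev/null)
    nf=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)
    [ "$hp" = "1" ] && [ "$nf" = "1" ]
}

# APPLY=1 executes each command; otherwise it is only printed for review.
run() { if [ "${APPLY:-0}" = "1" ]; then sh -c "$1"; else echo "$1"; fi; }

main() {
    isolate_cmds | while read -r c; do run "$c"; done
    hairpin_cmds | while read -r c; do run "$c"; done
    run "$(filter_rule icmp any -)"            # constructed: no pings between clients
    run "$(filter_rule tcp 192.168.1.20 22)"   # constructed: no SSH to this client
}
main
```

Without hairpin mode the isolated clients cannot reach each other at all, so run verify_setup before debugging any filter rule that seems to have no effect.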
