Topic: Guest VLAN - IP isolation?

Hi,
I have a network with multiple APs and a separate guest VLAN (spanning all APs).

On most APs it's possible to use the "isolate" option, effectively prohibiting communication between wifi clients. But that doesn't affect wifi clients connected to a different AP.


Is there any way to prevent client-to-client communication within a VLAN?


kind regards

Re: Guest VLAN - IP isolation?

iptables -I FORWARD -i "$GUEST_VLAN" -o "$NON_GUEST_VLAN" -j DROP

if you want both directions:

iptables -I FORWARD -i "$NON_GUEST_VLAN" -o "$GUEST_VLAN" -j DROP

Re: Guest VLAN - IP isolation?

The way I understand the question:

* There are at least two access points.
* The access points are connected by wire to share at least a guest vlan.
* Those access points span individual Wifi SSIDs for that guest network.
* The "client isolation" feature joky already has working: a client connected to Guest-Wifi on AP1 is unable to communicate with a client connected to Guest-Wifi on the very same AP1.
* The "client isolation" feature joky wants to have: a client connected to Guest-Wifi on AP1 should not be able to communicate with a client connected to Guest-Wifi on a different AP2.

My answer: No.

The point is: The "client isolation" feature you're referring to is a mechanism of the wifi configuration which does not work as soon as there is one communication partner involved which is not connected by wifi but by wire. This forces the traffic to leave the domain of wifi and to enter the domain of the switch. And (at least in the world of OpenWRT) there is no such thing as client isolation on switches.

As soon as at least one communication partner is connected not by Wifi but by wire, there is no such thing as client isolation.
This goes for
* All clients are connected by wire
* One client is connected by wire and another one is connected by Wifi
* Both are connected by Wifi on different APs but the APs are connected by wire

Given the scenario of having
* Client1 connected to AP1 by Wifi,
* Client2 is connected to AP2 by wifi and
* AP1 and AP2 are connected by wire.
In that situation, AP1 sees Client2 as connected by wire, so "from Client1 to Client2" means 1 is wifi but 2 is wire; likewise AP2 sees Client1 as connected by wire, so "from Client2 to Client1" means 2 is wifi but 1 is wire. In both situations, one of the communication partners appears to the other as "by wire".

And "client isolation" only works for Wifi.

Regards,
Stephan.

(3x) TP-Link WDR4900 ; (2x) TP-Link WR1043N ; (1x) TP-Link WDR4300 ; (1x) Netgear WNR3500L ; (1x) Virtual on ESX ; (1x) Virtual on Virtualbox on OS-X
6 VLANs and 3 SSIDs power my home

4 (edited by webtron 2017-02-17 03:05:08)

Re: Guest VLAN - IP isolation?

You'll need to use ebtables because APs use bridged interfaces. So install ebtables on your APs and then something like this should work.

#change the IP to your gateway LAN IP and ping it to get an entry in ARP
GATEWAY="192.168.0.1"
ping -c 2 "$GATEWAY"
#this will extract the mac address of the gateway
GATEMAC=$(cat /proc/net/arp | grep -e "$GATEWAY[[:space:]]" | awk '{print $4 }')
#change to match your vlan
GUEST_VLAN="eth0.x"
#only touch the rules if the lookup succeeded: with an empty GATEMAC the rule below
#would fail after the flush and leave the guest vlan without any filter at all
if [ -n "$GATEMAC" ]; then
    #flush the ebtables
    ebtables -F
    #drop anything not coming from the gateway mac address and heading for the guest vlan
    ebtables -A FORWARD -s ! "$GATEMAC" -o "$GUEST_VLAN" -j DROP
fi

5 (edited by joky 2017-02-17 12:24:02)

Re: Guest VLAN - IP isolation?

Hi,

@milankocvara: thanks for your input, but iptables doesn't affect bridged interfaces

@golialive: that's absolutely correct. In fact I'm always quite shocked when using a public wifi and every 3rd client is an unpatched Android 4.1 or Windows XP.


@webtron: thank you, I didn't even know about ebtables. The router is OpenWRT, the APs are centrally managed Unifi from Ubiquiti. But they have busybox & ebtables as well.


I'm not sure if the incoming and outgoing interfaces (-i/-o) need to be interchanged. I did it and it seems to work:

$ cat /etc/firewall.user
# our gateway:
GATEWAY=10.11.12.254

# change to match your vlan
GUEST_VLAN="eth0.1234"

# ping the gateway LAN IP to get an entry in ARP
ping -c 2 "$GATEWAY"

# this will extract the mac address of the gateway
GATEMAC=$(cat /proc/net/arp | grep -e "$GATEWAY[[:space:]]" | awk '{print $4 }')

# only touch the rules if the lookup succeeded: with an empty GATEMAC the rules
# below would fail after the flush and leave the guest vlan without any filter
if [ -n "$GATEMAC" ]; then
    # flush the ebtables
    ebtables -F

    # drop anything entering from the guest vlan that does not come from the gateway mac,
    # and anything leaving towards the guest vlan that is not addressed to the gateway mac
    ebtables -A FORWARD -s ! "$GATEMAC" -i "$GUEST_VLAN" -j DROP
    ebtables -A FORWARD -d ! "$GATEMAC" -o "$GUEST_VLAN" -j DROP
fi

I also added the resulting ebtables rule to the unifi controller:

$ cat /usr/lib/unifi/data/sites/default/config.properties
config.system_cfg.1=ebtables.1.cmd=-A FORWARD -s ! 00:01:02:03:04:05 -o eth0.1234 -j DROP
config.system_cfg.2=ebtables.2.cmd=-A FORWARD -d ! 00:01:02:03:04:05 -o eth0.1234 -j DROP


I'll confirm whether everything works when I'm on site again. I'm quite scared by how easy that is, so why don't other WiFi providers isolate clients that way?!


regards and THANK YOU!
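The scripts in posts 4 and 5 share two weak spots: the gateway MAC is looked up with an unanchored grep and, if the lookup returns nothing (gateway down, incomplete ARP entry), the chain has already been flushed, so the AP ends up with no filter at all (fail-open). A rule of the form `-d ! <gateway MAC> -o eth0.1234` also matches broadcast frames, and ARP requests and DHCP Discover are broadcasts, so without an exemption a client can neither resolve the gateway nor obtain a lease. The following is an added example, not code from the thread or from OpenWRT or Ubiquiti. It assumes the same hypothetical values as post 5 (guest VLAN bridged on eth0.1234, gateway 10.11.12.254) and an IPv4-only guest network; the function names and the sample ARP table are constructed for the example. It parses the ARP table by exact field comparison, refuses to flush when no complete entry exists, and lets only ARP and DHCP client broadcasts out to the wire before the final drop:

```shell
#!/bin/sh
# Cross-AP guest isolation on a bridged VLAN with ebtables.
# Added example, not code from the thread. Assumed (hypothetical) values:
# guest VLAN bridged on eth0.1234, gateway 10.11.12.254, IPv4-only guest network.

GATEWAY="${GATEWAY:-10.11.12.254}"
GUEST_VLAN="${GUEST_VLAN:-eth0.1234}"
ARP_TABLE="${ARP_TABLE:-/proc/net/arp}"
BCAST="ff:ff:ff:ff:ff:ff"

# Resolve an IPv4 address to a MAC from a /proc/net/arp style table ($1 = IP, $2 = file).
# Column 1 is the IP, 3 the flags, 4 the hardware address. Exact string comparison
# avoids the regex pitfalls of grep (an unanchored "10.11.12.254" also matches
# "110.11.12.254"), and incomplete entries (flags 0x0, all-zero MAC) are rejected so a
# failed ping cannot turn into a rule that whitelists 00:00:00:00:00:00.
gateway_mac() {
    awk -v ip="$1" '$1 == ip && $3 != "0x0" && $4 != "00:00:00:00:00:00" { print $4; exit }' "$2"
}

# Print the ebtables FORWARD rules for gateway MAC $1 and wired guest interface $2,
# one rule per line, in the order they must be appended:
#  1. frames arriving from the wire that were not sent by the gateway: drop
#     (this is the traffic from clients on the other APs)
#  2./3. broadcast ARP requests and DHCP client traffic (UDP to port 67) may leave
#     to the wire; "-d ! gateway" alone would drop these too and the client could
#     never resolve the gateway or get a lease
#  4. everything else leaving to the wire that is not addressed to the gateway: drop
isolation_rules() {
    mac="$1"; dev="$2"
    printf '%s\n' \
        "-A FORWARD -i $dev -s ! $mac -j DROP" \
        "-A FORWARD -o $dev -d $BCAST -p ARP -j ACCEPT" \
        "-A FORWARD -o $dev -d $BCAST -p IPv4 --ip-proto 17 --ip-dport 67 -j ACCEPT" \
        "-A FORWARD -o $dev -d ! $mac -j DROP"
}

# Look the gateway up and install the rules. The chain is flushed only after a MAC
# was found, so a failed lookup keeps whatever rules are in place instead of
# leaving the VLAN unfiltered.
apply_isolation() {
    mac=$(gateway_mac "$GATEWAY" "$ARP_TABLE")
    if [ -z "$mac" ]; then
        echo "gateway $GATEWAY has no complete ARP entry; rules left untouched" >&2
        return 1
    fi
    ebtables -F FORWARD
    isolation_rules "$mac" "$GUEST_VLAN" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # the rule string is meant to be word-split
        ebtables $rule
    done
}

# Constructed sample ARP table (not captured from a real AP): a complete entry for
# the gateway and an incomplete one for a client that did not answer.
sample_arp_table() {
    printf '%s\n' \
        'IP address       HW type     Flags       HW address            Mask     Device' \
        '10.11.12.254     0x1         0x2         00:01:02:03:04:05     *        eth0.1234' \
        '10.11.12.77      0x1         0x0         00:00:00:00:00:00     *        eth0.1234'
}

# Dry run against the sample table: print the rules that would be installed.
demo() {
    tmp=$(mktemp)
    sample_arp_table > "$tmp"
    mac=$(gateway_mac "$GATEWAY" "$tmp")
    rm -f "$tmp"
    [ -n "$mac" ] || return 1
    isolation_rules "$mac" "$GUEST_VLAN"
}

case "${1:-demo}" in
    apply) ping -c 2 "$GATEWAY" >/dev/null 2>&1; apply_isolation ;;  # populate ARP, then install
    demo)  demo ;;
esac
```

Run it without arguments to see the rules derived from the sample table; run it as `sh script.sh apply` on each AP (it only filters that AP's own bridge, exactly like the scripts in the thread) to install them. Two caveats remain: the filter keys on the gateway's MAC only, so a client on another AP that spoofs the gateway's source MAC passes the inbound rule, and if the guest VLAN also carries IPv6, router advertisements and neighbour discovery use multicast destinations and would need their own exemptions before the final drop.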