How to isolate WLAN clients in OpenWRT?
Solution 1
Luci does not offer all settings all the time. If it is available isolate will be available as an Additional field for the wireless interface. Add the field and check the box. However, as I read the script, the default is to enable isolation.
If not you will need to edit /etc/config/wireless and add option isolate 1 to the wifi-iface section. The directory /lib/wireless as the wireless startup scripts where you can find the supported options.
Firewalling may be an issue as you may be allowing routing between all IPs on the switch. You should modify these rules to limit the accessible addresses. Do allow connections to the router itself, but you may not want to enable access to any other addresses.
Solution 2
AFAIK, OpenWRT supports AP isolation natively. The NVRAM settings wl0_ap_isolate and wl_ap_isolate can be enabled by setting them to 1. However, a quick Google search does show that a lot of people experience inconsistent results depending on the firmware revision. I can't account for that as I've never tried it myself.
As far as why your clients can communicate with each other, inter-LAN traffic may not be hitting the firewall.
Related videos on Youtube
08 : 46
05 : 36
02 : 33
22 : 32
09 : 19
Georg Schölly
I'm currently studying Communication Systems at the EPFL in Switzerland.
Updated on September 18, 2022Comments
-
Georg Schölly over 1 year
I'm currently setting up a public wireless network. I want to prevent the clients from talking to each other.
Here's my current setup.
/etc/config/firewall without anything related to lan: config 'zone' option 'name' 'wan' option 'input' 'REJECT' option 'output' 'ACCEPT' option 'forward' 'REJECT' option 'masq' '1' option 'mtu_fix' '1' option 'network' 'wan' config 'rule' option 'src' 'wan' option 'proto' 'udp' option 'dest_port' '68' option 'target' 'ACCEPT' option 'family' 'ipv4' config 'rule' option 'src' 'wan' option 'proto' 'icmp' option 'icmp_type' 'echo-request' option 'target' 'ACCEPT' config 'zone' option 'name' 'public' option 'network' 'public' option 'output' 'ACCEPT' option 'input' 'REJECT' option 'forward' 'DROP' config 'forwarding' option 'dest' 'wan' option 'src' 'public' config 'rule' option 'target' 'ACCEPT' option 'src' 'public' option 'proto' 'tcpudp' option 'dest_port' '53' option '_name' 'public dns' config 'rule' option 'target' 'ACCEPT' option '_name' 'public dhcp' option 'src' 'public' option 'proto' 'udp' option 'src_port' '67-68' option 'dest_port' '67-68'Somehow clients are still able to communicate with each other. Why is that and what can I do against it?
-
Georg Schölly about 13 yearsInter LAN traffic? Is that a feature of the WLAN standard? That would explain the 20% package drop.
-
Georg Schölly about 13 yearsIt looks like OpenWRT abandonned nvram settings in favor of /etc/config/ long ago anyway.
-
Bacon Bits about 13 yearsSorry, that should be intra-LAN. But if you're some packets dropped and not others with this configuration, I don't know. It looks like my OpenWRT knowledge is too far out of date.
