
How can I keep a wireless client of hostapd from talking to a wired client on the same network or another wireless client on the same network?

Here's my network topology:

[wired client] --> [router/cable modem] 
                      ^
                      |
    [access point running hostapd] <-- [wireless client 1]
                               ^
                                `--- [wireless client 2]

e.g. from [wireless client 1], I should not be able to ping [wired client] or [wireless client 2].

I believe what I want is wireless client isolation but I haven't figured out if/how hostapd implements this.

There is a suspect flag in hostapd.conf

# Client isolation can be used to prevent low-level bridging of frames between
# associated stations in the BSS. By default, this bridging is allowed.
#ap_isolate=1

But I believe this just keeps multiple access points from talking to each other, but would not necessarily restrict all wireless clients from talking to other devices on the network.

In any case, after enabling this flag and restarting hostapd, I'm still able to ping [wired client] from [wireless client 1].

mkirk
  • On a Linux-enabled router I would suggest using separate IP subnets for wired/wireless clients and restricting routing from one net to another with iptables/nftables (forward chain, check src-ip and dst-ip) — since traffic from wireless clients to wired and vice versa must be routed between interfaces. – Alexander Sergeyev Nov 27 '15 at 08:07
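
The separate-subnet approach suggested in the comment above, as an added example that is not part of the original post or comment. The interface names (`wlan0`, `eth0`), both subnets, and the table and function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Interface names and subnets are assumptions, not from the post.
# Prerequisites on the AP host: the wireless interface is NOT bridged to the
# wired one, it has its own subnet, and net.ipv4.ip_forward=1 is set.
# hostapd.conf keeps ap_isolate=1 so stations are not bridged to each other.

# render_ruleset WLAN_IF UPLINK_IF WLAN_NET LAN_NET -> nftables ruleset on stdout
render_ruleset() {
    wlan_if=$1; up_if=$2; wlan_net=$3; lan_net=$4
    # If both sides share one subnet, traffic is bridged or switched rather
    # than routed, so the forward chain would not see it. This is a string
    # comparison only; overlapping prefixes are not detected.
    if [ "$wlan_net" = "$lan_net" ]; then
        echo "wireless and wired subnets must differ" >&2
        return 1
    fi
    cat <<EOF
table inet wifi_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # station to station, should packets be routed back out the radio
        iifname "$wlan_if" oifname "$wlan_if" drop
        # wireless to wired LAN hosts
        iifname "$wlan_if" ip daddr $lan_net drop
        # wireless to everything else via the uplink (Internet)
        iifname "$wlan_if" oifname "$up_if" accept
    }
}
table ip wifi_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $wlan_net oifname "$up_if" masquerade
    }
}
EOF
}

# Apply only when asked: APPLY=1 sh script.sh (needs root and nft).
if [ "${APPLY:-0}" = "1" ]; then
    render_ruleset wlan0 eth0 192.168.50.0/24 192.168.1.0/24 | nft -f -
fi
```

Because the router's own LAN address falls inside the wired subnet, wireless clients need a DNS server outside that subnet, or an explicit accept rule placed before the drop. Traffic addressed to the AP host itself passes the input hook, not this forward chain.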

0 Answers