How to isolate WLAN clients in OpenWRT?

I'm currently setting up a public wireless network. I want to prevent the clients from talking to each other.

Here's my current setup.

Graphically with LuCi

/etc/config/firewall without anything related to lan:

config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'
    option 'network' 'wan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'zone'
    option 'name' 'public'
    option 'network' 'public'
    option 'output' 'ACCEPT'
    option 'input' 'REJECT'
    option 'forward' 'DROP'

config 'forwarding'
    option 'dest' 'wan'
    option 'src' 'public'

config 'rule'
    option 'target' 'ACCEPT'
    option 'src' 'public'
    option 'proto' 'tcpudp'
    option 'dest_port' '53'
    option '_name' 'public dns'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'public dhcp'
    option 'src' 'public'
    option 'proto' 'udp'
    option 'src_port' '67-68'
    option 'dest_port' '67-68'

Somehow clients are still able to communicate with each other. Why is that and what can I do against it?

Georg Schölly

Posted 2011-04-18T12:05:25.863

Reputation: 1 146

Answers

Luci does not offer all settings all the time. If it is available isolate will be available as an Additional field for the wireless interface. Add the field and check the box. However, as I read the script, the default is to enable isolation.

If not you will need to edit /etc/config/wireless and add option isolate 1 to the wifi-iface section. The directory /lib/wireless as the wireless startup scripts where you can find the supported options.

Firewalling may be an issue as you may be allowing routing between all IPs on the switch. You should modify these rules to limit the accessible addresses. Do allow connections to the router itself, but you may not want to enable access to any other addresses.

BillThor

Posted 2011-04-18T12:05:25.863

Reputation: 9 384

AFAIK, OpenWRT supports AP isolation natively. The NVRAM settings wl0_ap_isolate and wl_ap_isolate can be enabled by setting them to 1. However, a quick Google search does show that a lot of people experience inconsistent results depending on the firmware revision. I can't account for that as I've never tried it myself.

As far as why your clients can communicate with each other, inter-LAN traffic may not be hitting the firewall.

Bacon Bits

Posted 2011-04-18T12:05:25.863

Reputation: 6 125

Inter LAN traffic? Is that a feature of the WLAN standard? That would explain the 20% package drop. – Georg Schölly – 2011-04-18T12:58:07.743

It looks like OpenWRT abandonned nvram settings in favor of /etc/config/ long ago anyway. – Georg Schölly – 2011-04-18T13:05:51.093

Sorry, that should be intra-LAN. But if you're some packets dropped and not others with this configuration, I don't know. It looks like my OpenWRT knowledge is too far out of date. – Bacon Bits – 2011-04-18T21:26:09.477