Hi Folks, I am in the process of setting up my Omnia and am observing an issue with guest network isolation. I have created a guest network on each radio (T5-G & T2-G) and each AP has option isolate 1, which is expected. Now I have two wireless clients each connected to a separate Wi-Fi guest AP but they can still ping each other. Is that an expected behaviour?
While the same two clients are connected to either guest WiFi simultaneously, they cannot ping each other: they can only see the other one if connected to separate radios.
The forward rule on guest_turris is set to reject, but that rule only applies to forwarding between interfaces. I only see a single network interface guest_turris, so option isolate 1 does the trick within a single AP, but there seems to be nothing to block communications between individual APs in the guest_turris firewall zone.
Have I made a configuration mistake?
UPDATE: I am trying to stay as close as possible to what Foris configures…
That is for the clients on the same wlan iface and handled by the wlan chip and not the OS. If both wlan ifaces are in the same firewall zone it is expected that they can ping each other.
I am using v3.11.4 and the workaround is working by default. br_netfilter is not available in the current OpenWRT release: kmod-br-netfilter became its own package in 18.06 so it needs to be installed separately as per that link I provided.
Having said that, broken guest network isolation is a big deal in my mind.
A neat thing about using this approach is that I can now greatly simplify my configuration: I no longer need to create an interface for each wired VLAN and an interface each guest WiFi AP. I can now use two interfaces only: lan and guest. Everything trusted goes in lan and all untrusted WiFi APs and untrusted wired VLANs are going into guest.
This obviously does not isolate wired devices connected to a single VLAN port with a dumb switch, but that is a different problem.
As far as the wireless clients are concerned, I can have an AP without isolation for those devices that need to talk to each other, but only within that AP. And I can have APs with isolation where devices cannot reach each other. And as long as they are all in the same guest zone with forwarding disabled, there is no inter-VLAN (wired or wireless) cross-talk possible even though they are all in the same bridge.
I am a bit rusty with iptables since the OpenWRT boxes are the only ones left with it, else using the more convenient nftables. But that is another matter and rather off-topic.
The point I am trying to make is that a working solution should be a part of the default config. When I saw one guest interface, one firewall zone, and two guest APs I assumed that it would just work. And then the test showed it not to be the case.
I saw Turris people read the forum so I am hoping they will chime in shortly.
I do, but the problem is that it does not stick with sysctl upon boot.
From the CLI, sysctl -w /sys/class/net/br-guest/bridge/nf_call_ip6tables=1 works as expected, but /sys/class/net/br-guest/bridge/nf_call_ip6tables=1 in a /etc/sysctl.d/10-bridge-filter.conf file does not for some reason, whilst all other files in the same directory work.
So ebtables is already installed as a part of v3.11.4, so the router is already incurring the cost of running it. Yeah, it makes sense to use it instead of adding something new. I will give it a shot later.
This did not work for Wireless AP Client to Wired VLAN Client: they could still communicate. Am I missing any additional config? (I did replace the bridge name with a correct one).
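The isolation workaround discussed in this thread (br_netfilter so that bridged traffic hits the firewall, plus rules that refuse forwarding between ports of the guest bridge) as one concrete script. This is an added example, not code posted by anyone in the thread and not part of Turris OS or Foris. It assumes the bridge is named br-guest (first argument overrides it), that kmod-br-netfilter, the iptables physdev match and ebtables are installed, and that the script is called from /etc/firewall.user so the rules are reinstated on every firewall reload.

```shell
#!/bin/sh
# Added example (not from the thread): block bridged traffic between any two
# ports of a guest bridge on OpenWrt, so wireless-to-wired and AP-to-AP traffic
# inside the same bridge is dropped even though fw3 only filters between zones.
# Assumed: bridge br-guest, kmod-br-netfilter, iptables physdev match, ebtables.

BRIDGE="${1:-br-guest}"

# Emit the rule list as plain commands so it can be reviewed before applying.
# Each firewall rule is guarded with -C so re-running from /etc/firewall.user
# on a reload does not duplicate it.
guest_isolation_rules() {
    br="$1"
    cat <<EOF
sh -c 'echo 1 > /sys/class/net/$br/bridge/nf_call_iptables'
sh -c 'echo 1 > /sys/class/net/$br/bridge/nf_call_ip6tables'
iptables -C FORWARD -i $br -o $br -m physdev --physdev-is-bridged -j DROP 2>/dev/null || iptables -I FORWARD -i $br -o $br -m physdev --physdev-is-bridged -j DROP
ip6tables -C FORWARD -i $br -o $br -m physdev --physdev-is-bridged -j DROP 2>/dev/null || ip6tables -I FORWARD -i $br -o $br -m physdev --physdev-is-bridged -j DROP
ebtables -L FORWARD 2>/dev/null | grep -q -- "--logical-in $br" || ebtables -A FORWARD --logical-in $br --logical-out $br -j DROP
EOF
}

# Run each emitted command; set DRY_RUN=1 to only print them.
apply_rules() {
    guest_isolation_rules "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ -n "$DRY_RUN" ] || sh -c "$cmd"
    done
}

# Only apply when explicitly asked (APPLY=1), so sourcing the file is harmless.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$BRIDGE"
fi
```

The per-bridge nf_call_iptables files are the same knobs the thread toggles via sysctl; writing them directly sidesteps the /etc/sysctl.d ordering problem, since the bridge interface may not exist yet when sysctl runs at boot, whereas /etc/firewall.user runs after the interfaces are up. The iptables rules only ever see IP traffic, so the ebtables rule is what also stops ARP and other non-IP frames from crossing between guest ports.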