[Isolation not work][guest network][5G]

[rseiler]

The definition in the wiki here though is:

Wireless Client Isolation

If this is enabled, wireless clients will be able to interact with the router, but not other clients that have connected wirelessly. This option is disabled by default.

So, isn't that exactly the same as what OpenWRT offers? And how does that tie in with isolation from the gateway?

[Lantis]

In addition, they can't interact with wired clients.

[rseiler]

Yes, amazingly, that seems to be the case in testing here with 1.9.2 (not 5Ghz). Additionally, the router page doesn't come up, and the gateway (same IP) doesn't even ping, which is interesting considering that Internet works. Clearly there's some kind of behind-the-scenes magic happening here.

This is seriously under-the-radar news.

[fengchen_gf]

Yes related fix.
There was a mixup in translation I expect.
When I hear "isolation" I think the openwrt built in isolation.

The error was in the Gargoyle form of isolation which is slightly different.

Now that I understand wha tproblem we were referring to, easy fix.

Thanks for your work.

[fengchen_gf]

Yes, amazingly, that seems to be the case in testing here with 1.9.2 (not 5Ghz). Additionally, the router page doesn't come up, and the gateway (same IP) doesn't even ping, which is interesting considering that Internet works. Clearly there's some kind of behind-the-scenes magic happening here.

This is seriously under-the-radar news.

/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh:

Code: Select all

initialize_firewall()
{
	iptables -I zone_lan_forward -i br-lan -o br-lan -j ACCEPT
	insert_remote_accept_rules
	insert_dmz_rule
	create_l7marker_chain
	block_static_ip_mismatches
	force_router_dns
	add_adsl_modem_routes
        isolate_guest_networks
}


guest_mac_from_uci()
{
	local is_guest_network
	local macaddr
	config_get is_guest_network "$1" is_guest_network
	if [ "$is_guest_network" = "1" ] ; then
		config_get macaddr "$1" macaddr
		echo "$macaddr"
	fi
}
get_guest_macs()
{
	config_load "wireless"
	config_foreach guest_mac_from_uci "wifi-iface"
}
isolate_guest_networks()
{
	ebtables -t filter -F FORWARD
	ebtables -t filter -F INPUT
	local guest_macs=$( get_guest_macs )
	if [ -n "$guest_macs" ] ; then
		local lanifs=`brctl show br-lan 2>/dev/null | awk ' $NF !~ /interfaces/ { print $NF } '`
		local lif
		
		local lan_ip=$(uci -p /tmp/state get network.lan.ipaddr)

		for lif in $lanifs ; do
			for gmac in $guest_macs ; do
				local is_guest=$(ifconfig "$lif"	2>/dev/null | grep -i "$gmac")
				if [ -n "$is_guest" ] ; then
					echo "$lif with mac $gmac is wireless guest"
					
					#Allow access to WAN but not other LAN hosts for anyone on guest network
					ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP
					
					#Only allow DHCP/DNS access to router for anyone on guest network
					ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
					ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 53 -j ACCEPT
					ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 67 -j ACCEPT
					ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP

				fi
			done
		done
	fi
}

Look here:
#Allow access to WAN but not other LAN hosts for anyone on guest network