Re: [Isolation not work][guest network][5G]
Posted: Fri Mar 24, 2017 1:58 am
by rseiler
The definition in the wiki here though is:
Wireless Client Isolation
If this is enabled, wireless clients will be able to interact with the router, but not other clients that have connected wirelessly. This option is disabled by default.
So, isn't that exactly the same as what OpenWRT offers? And how does that tie in with isolation from the gateway?
Re: [Isolation not work][guest network][5G]
Posted: Fri Mar 24, 2017 4:43 am
by Lantis
In addition, they can't interact with wired clients.
Re: [Isolation not work][guest network][5G]
Posted: Fri Mar 24, 2017 3:11 pm
by rseiler
Yes, amazingly, that seems to be the case in testing here with 1.9.2 (not 5GHz). Additionally, the router page doesn't come up, and the gateway (same IP) doesn't even ping, which is interesting considering that Internet works. Clearly there's some kind of behind-the-scenes magic happening here.
This is seriously under-the-radar news.
Re: [Isolation not work][guest network][5G]
Posted: Sun Mar 26, 2017 2:51 am
by fengchen_gf
Lantis wrote: Yes, related fix.
There was a mixup in translation I expect.
When I hear "isolation" I think the openwrt built in isolation.
The error was in the Gargoyle form of isolation which is slightly different.
Now that I understand what problem we were referring to, easy fix.
Thanks for your work.
Re: [Isolation not work][guest network][5G]
Posted: Sun Mar 26, 2017 2:53 am
by fengchen_gf
rseiler wrote: Yes, amazingly, that seems to be the case in testing here with 1.9.2 (not 5GHz). Additionally, the router page doesn't come up, and the gateway (same IP) doesn't even ping, which is interesting considering that Internet works. Clearly there's some kind of behind-the-scenes magic happening here.
This is seriously under-the-radar news.
/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh:

    initialize_firewall()
    {
        iptables -I zone_lan_forward -i br-lan -o br-lan -j ACCEPT
        insert_remote_accept_rules
        insert_dmz_rule
        create_l7marker_chain
        block_static_ip_mismatches
        force_router_dns
        add_adsl_modem_routes
        isolate_guest_networks
    }

    # Print the MAC of a wifi-iface section if it is flagged as a guest network
    guest_mac_from_uci()
    {
        local is_guest_network
        local macaddr
        config_get is_guest_network "$1" is_guest_network
        if [ "$is_guest_network" = "1" ] ; then
            config_get macaddr "$1" macaddr
            echo "$macaddr"
        fi
    }

    get_guest_macs()
    {
        config_load "wireless"
        config_foreach guest_mac_from_uci "wifi-iface"
    }

    isolate_guest_networks()
    {
        ebtables -t filter -F FORWARD
        ebtables -t filter -F INPUT
        local guest_macs=$( get_guest_macs )
        if [ -n "$guest_macs" ] ; then
            # every interface enslaved to br-lan
            local lanifs=`brctl show br-lan 2>/dev/null | awk ' $NF !~ /interfaces/ { print $NF } '`
            local lif
            local lan_ip=$(uci -p /tmp/state get network.lan.ipaddr)
            for lif in $lanifs ; do
                for gmac in $guest_macs ; do
                    # match a bridge port to a guest wifi-iface by its MAC address
                    local is_guest=$(ifconfig "$lif" 2>/dev/null | grep -i "$gmac")
                    if [ -n "$is_guest" ] ; then
                        echo "$lif with mac $gmac is wireless guest"
                        #Allow access to WAN but not other LAN hosts for anyone on guest network
                        ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP
                        #Only allow DHCP/DNS access to router for anyone on guest network
                        ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
                        ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 53 -j ACCEPT
                        ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 67 -j ACCEPT
                        ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP
                    fi
                done
            done
        fi
    }
Look here:
#Allow access to WAN but not other LAN hosts for anyone on guest network
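As an added example (not Gargoyle's own code), a small POSIX sh evaluator that walks the ebtables INPUT rules isolate_guest_networks() installs, in first-match order, to show why a guest still gets DNS and DHCP from the router but cannot ping it or load its web page. The interface name wlan0-1, the LAN IP 192.168.1.1 and the rule listing are constructed sample values, not taken from a real router.

```sh
#!/bin/sh
# Added example, not part of Gargoyle: first-match evaluation of the ebtables INPUT chain
# that isolate_guest_networks() builds. Interface name, LAN IP and the rule listing are
# constructed sample values approximating `ebtables -t filter -L INPUT` for guest wlan0-1.
GUEST_INPUT_RULES='-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.1.1 -j DROP'

# opt_value RULE OPT: print the argument following OPT in RULE, or nothing if OPT is absent
opt_value() {
    printf ' %s\n' "$1" | sed -n "s/.* $2 \([^ ]*\).*/\1/p"
}

# rule_matches IFACE PROTO L4PROTO DPORT DST RULE: succeed if the frame satisfies every
# qualifier the rule carries (an absent qualifier matches anything, as in ebtables)
rule_matches() {
    in_if=$1 proto=$2 l4=$3 dport=$4 dst=$5 rule=$6
    [ "$(opt_value "$rule" -i)" = "$in_if" ] || return 1
    case $(opt_value "$rule" -p) in
        ARP)  [ "$proto" = arp ]  || return 1 ;;
        IPv4) [ "$proto" = ipv4 ] || return 1 ;;
    esac
    want=$(opt_value "$rule" --ip-proto); [ -z "$want" ] || [ "$want" = "$l4" ]    || return 1
    want=$(opt_value "$rule" --ip-dport); [ -z "$want" ] || [ "$want" = "$dport" ] || return 1
    want=$(opt_value "$rule" --ip-dst);   [ -z "$want" ] || [ "$want" = "$dst" ]   || return 1
}

# guest_input_verdict IFACE PROTO L4PROTO DPORT DST: ACCEPT or DROP for a frame addressed
# to the router itself; the first matching rule's -j target wins, else the chain policy
guest_input_verdict() {
    verdict=$(printf '%s\n' "$GUEST_INPUT_RULES" | while IFS= read -r rule; do
        if rule_matches "$1" "$2" "$3" "$4" "$5" "$rule"; then
            opt_value "$rule" -j
            break
        fi
    done)
    echo "${verdict:-ACCEPT}"   # no match: INPUT policy ACCEPT (e.g. non-guest interfaces)
}

# Walk rseiler's observations: DNS and DHCP answered, ping and the router page not.
for probe in "ipv4 udp 53" "ipv4 udp 67" "ipv4 icmp -" "ipv4 tcp 80" "arp - -"; do
    set -- $probe
    printf 'guest -> router %-4s %-4s port %-3s : %s\n' "$1" "$2" "$3" \
        "$(guest_input_verdict wlan0-1 "$1" "$2" "$3" 192.168.1.1)"
done
```

The FORWARD rule is not modelled here; it is a single unconditional DROP from the guest port towards br-lan, which is what keeps guest clients away from wired and other wireless LAN hosts while WAN traffic still leaves through the routed path.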