[Solution]
After writing this post I discovered my problem, but I thought I'd include it here for future users that have the same problem. The DROP rule on BROUTING was ignored if it was created after I connected to the network. I had to reconnect to the wireless network for the BROUTING rule to be used. All I needed for the guest isolation to block the local network from guests was:
Code:
# drop IPv4 frames arriving on the guest interface that are addressed to the LAN subnet, before they are bridged
ebtables -t broute -A BROUTING -i wl1.1 -p IPv4 --ip-dst 192.168.1.0/24 -j DROP
-------
I just bought an ASUS ZenWiFi AX6600 which is running the up-to-date stock firmware 3.0.0.4.386_46061 and is in access point mode. My ultimate goal is to create a guest network that cannot access my local LAN. I have banged my head on this for over 4 hours and have read dozens of posts in these forums to no avail.
I have a guest network set up and it is on the network interface wl1.1. I am trying to create rules for this in ebtables. The problem seems to be that BROUTING might not be used when the router is in access point mode.
I have added the following rules to ebtables. The broute rule is to break up the guest network interfaces that are slaved to bridge (br0).
Code:
# filter table: let bridged traffic to and from the guest interface through (for counting)
ebtables -A FORWARD -i wl1.1 -j ACCEPT
ebtables -A FORWARD -o wl1.1 -j ACCEPT
# broute table: drop everything arriving on the guest interface before bridging
ebtables -t broute -A BROUTING -i wl1.1 -j DROP
Then I run the following to check the packet count:
Code:
ebtables -L --Lc; ebtables -t broute -L --Lc
I can see that there are some packets that are hitting the output for filter.FORWARD, but it doesn't show any packets that are hitting the broute chain. And the filter.FORWARD packets do not seem to correspond to actual traffic through the interface. I have used ebtables packet/byte counting to watch eth0 and wl1.1 interfaces in ALL chain tables and there doesn't appear to be anything of use. The wl1.1 packets that are shown on some chains also do not seem to correspond to actual traffic through the interface.
Further, when I have the input packets dropped on BROUTING, DHCP is blocked, but nothing else. Adding DROP on any other chain tables that show activity on wl1.1 does nothing either.
Is it possible that the BROUTING table might not be used the same when in access point mode?
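Added example, not the poster's commands: a small POSIX shell script that applies the BROUTING rule from the solution idempotently and parses the rule's packet counter back out of `ebtables -t broute -L --Lc`, so a counter that stays at 0 while a guest client is sending to the LAN flags the "client associated before the rule existed" problem described above. Interface wl1.1 and subnet 192.168.1.0/24 come from the post; the `, pcnt = N -- bcnt = M` counter format assumed for the listing is that of legacy ebtables.

```shell
#!/bin/sh
# Added example (not the poster's script). Applies the guest-isolation BROUTING
# rule only if missing, and reads its packet counter from `ebtables -t broute -L --Lc`.
# Assumptions: guest interface wl1.1 and LAN subnet 192.168.1.0/24 (from the post);
# legacy ebtables prints counters as ", pcnt = N -- bcnt = M" at the end of each rule.
GUEST_IF="${GUEST_IF:-wl1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# The exact rule specification used in the solution, for interface $1 and subnet $2.
guest_drop_rule() {
    printf '%s' "-i $1 -p IPv4 --ip-dst $2 -j DROP"
}

# Add the rule only if it is not already present, so the script is safe to re-run
# (e.g. from a boot-time script that runs before any guest client has associated).
apply_guest_isolation() {
    if ebtables -t broute -L BROUTING 2>/dev/null | grep -qF -- "--ip-dst $LAN_NET"; then
        echo "BROUTING rule for $LAN_NET already present"
        return 0
    fi
    # shellcheck disable=SC2046  # the spec is split into separate arguments on purpose
    ebtables -t broute -A BROUTING $(guest_drop_rule "$GUEST_IF" "$LAN_NET")
}

# Read `ebtables -t broute -L --Lc` output on stdin and print the pcnt of the
# DROP rule whose --ip-dst is $1; prints -1 when no such rule is listed.
drop_packet_count() {
    awk -v net="$1" '
        index($0, "--ip-dst " net) && / -j DROP/ {
            for (i = 1; i <= NF; i++) if ($i == "pcnt") { print $(i + 2); found = 1 }
        }
        END { if (!found) print "-1" }'
}

# Constructed sample of the listing (not captured from the router), used for a dry run.
SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 -j DROP , pcnt = 37 -- bcnt = 2812'

# Dry run on the sample; on the router, pipe `ebtables -t broute -L --Lc` in instead.
# A result of 0 after a guest client has tried to reach the LAN means that client
# needs to reconnect, as the solution above describes.
printf '%s\n' "$SAMPLE_LISTING" | drop_packet_count "$LAN_NET"
```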