Guest Network working?

cmillar6

Senior Member
How exactly does the guest network work? I have guests assigned to my guest network and I see they have a 192.168.1.X IP address, putting them in the same subnet, and their PCs show up in my network discovery. My old Linksys would assign guest network PCs a 192.168.2.X IP address, putting them on a different subnet and therefore eliminating intranet communication. Using the latest Merlin build on an AC66U.
 
Guest network is mostly meant to allow people to use a different access key, so you don't need to give them your main one. There is also an option on the Guest Network configuration where you can prevent them from accessing the rest of the LAN.
 
My word, I didn't even see that setting, I misread it as access internet. Thank you!
 
There is also an option on the Guest Network configuration where you can prevent them from accessing the rest of the LAN.

RMerlin,
Can you tell me how ASUS firmware (and your builds) sets this state on the guest networks?
I'm aware of:
wl0_ap_isolate=0 or 1
wl1_ap_isolate=0 or 1
wl_ap-isolate=0 or 1

I'm wondering if there is an nvram setting for each guest SSID as well? I haven't found anything yet. Is it something other than an nvram setting?

I was hoping that wl0.1_ap_isolate=1 would do it, but I don't think that works.
 
No idea. Why not configure it through the webui, on the Guest Network page? There's an option there for each Guest SSID to enable/disable isolation. It's definitely not wl0_* (which relates to the main 2.4 GHz) or wl1_* (which relates to the main 5 GHz). There are a bunch of sub-interfaces that are related to the Guest SSIDs, but I don't remember their actual names. It was something like wl0.1_, wl0.2_ if I remember.
 
Thanks for your response!

I am trying to achieve the same thing in Tomato which currently doesn't have guest interface isolation it seems.

I have tried wl0.1_ap_isolate=1, wl0.2_ap_isolate=1, etc. but that doesn't seem to accomplish anything but setting a string.

Since you have worked with ASUS firmware so much, I hoped you might have come across the method that ASUS uses to enable isolation on the guest interfaces.

I plan to:
1) Go back to ASUS firmware, clear nvram, and set the basic settings.
2) Save nvram and iptables (I'm fuzzy on that step)
3) turn on guest isolation
4) Save nvram and iptables again
5) Compare the saves

I'm new to some of this so I'm not sure what I'm looking for. I hoped you might have that info easily accessible somehow. :)
 
It's not just a matter of fiddling with nvram values. If the firmware code doesn't do anything with these values, then you won't get any results once you switch firmware.
 
As you have already seen, the guest wireless network is in the same IP subnet as the non-guest networks. This is because the guest wireless network interfaces are added to the br0 Ethernet bridge instance, which also contains the wired LAN ports and the non-guest wireless interfaces. If you run "brctl show" you can see this.

Since the interfaces are all in the same bridge instance, traffic is passed between them at layer 2. This means the traffic is not subject to the IP netfilter rules which iptables manages. Running iptables before and after will show you no differences. The traffic is subject to the Ethernet bridging netfilter rules. These rules are managed using ebtables. If you run "ebtables -L" you will see the applicable rules.

Basically two rules are added to the FORWARD chain for each guest wireless network. The FORWARD chain affects traffic which traverses between bridged interfaces. One rule drops all traffic incoming from the guest network interface and the other drops all traffic destined for the guest network interface. Now you just need to write the required code for Tomato to implement it. :)
 
It's not just a matter of fiddling with nvram values. If the firmware code doesn't do anything with these values, then you won't get any results once you switch firmware.

Oh, I kind of see. I have gotten the impression that the issue I'm trying to work with is sort of a Broadcom driver internal feature.
In discussions with others, there's been talk about using iptables or ebtables (like ASUS appears to use for some of these functions).

It has been said that it might not matter if iptables or ebtables are used because the virtual interface (wl0.1, wl1.1 etc.) might still allow communication among clients on that particular interface at the driver level. It has been implied that the virtual interface may have a setting that can be activated.

This whole idea might be a dead end, but it doesn't hurt to try and understand it, whether it works or doesn't. :)
Any ideas or thoughts about this would be appreciated!
 
Thank you, I'm new to iptables and ebtables so I'm not getting it yet, but I'm going to study your post!
 
Thanks again for your post! I have a very basic understanding of ebtables now and it was suggested (as I think I mentioned above) that ebtables is how ASUS is accomplishing this feature. (Maybe it's more than that.)

One thing that keeps getting brought up is that ebtables probably doesn't isolate clients on the same guest SSID from each other.

I thought (running ASUS 4.112 to 4.270) that guest clients were isolated from each other. It has been suggested that there is something else occurring to isolate devices on a guest interface before ebtables acts on the interfaces.

I'm obviously confused and not entirely sure what the chain of events are for a guest SSID interface when it is in isolation mode.

I think it works like this: (Please correct me!)
Guest SSID 1 in isolation mode:
MAC 1 can talk to router services
MAC 2 can also talk to router services, etc.
MAC 1 and MAC 2 can't talk to each other.

ebtables then isolates Guest SSID 1 from other interfaces so that they can't talk to each other.

Do I have this right?
 
Doesn't Toastman have a MultiSSID build of Tomato BTW, or is it just missing LAN isolation?
 
I've been working with Shibby's version, but some others are using Toastman (or Teaman, etc.) I believe, and no one has mentioned having isolation features on MultiSSID.

Honestly, the whole subnet concept (main interface at 192.168.1.1/24 and guest interface at 192.168.2.1/24 or 10.0.0.1/24, etc.) is probably fine for most people. That's how it's working now.
Isolating a guest interface from the private main interfaces can be accomplished with subnets/VLANs/br1,2,3 or ebtables; the problem still seems to be that within a guest interface, individual clients might be/still are able to see each other, which seems to indicate that the isolation feature isn't activated for the guest interfaces.

That's what I'm trying to track down. :) But I might very well be missing something obvious.
 
Subnet-based isolation is worthless if what you're after is security, but you probably already know that :)

I never looked at how the Guest SSID worked, but I would think that to achieve isolation between each client, ebtables would have to be set so any client is only allowed to communicate with the WAN interface (i.e. wl0.x to eth0 or ppp, based on the WAN interface type you are using), and any packet sent from br0 to br0 would have to be dropped.
 
ebtables can't provide wireless client isolation because the traffic between wireless clients on the same wireless network is switched in hardware. The only way to implement client isolation is through the driver. With asuswrt and asuswrt-merlin this is done using the wl command. "wl -i eth1 ap_isolate 1" enables it on the 2.4 GHz network. "wl -i eth2 ap_isolate 1" does the same for the 5 GHz network. It also works for guest networks. You just need to use the appropriate interface. For example "wl -i wl0.1 ap_isolate 1" works. Even though it can be controlled per interface, enabling AP isolation through the GUI on the 2.4 GHz or 5 GHz configuration enables and disables it for all interfaces including guest networks.

Another interesting thing is that enabling AP isolation will block traffic between clients on the 5 GHz wireless or clients on the 2.4 GHz wireless, but doesn't block a client on the 2.4 GHz wireless from sending traffic to a client on the 5 GHz wireless or vice versa. I think most people who enable AP isolation would also want the traffic between wireless clients on the different frequencies blocked. This would require that ebtables rules to block traffic between eth1 and eth2 also get enabled when AP isolation is enabled.
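The two mechanisms described in the posts above, the ebtables FORWARD rule pair per guest interface (the earlier brctl/ebtables post) and the per-interface wl ap_isolate setting plus cross-band ebtables rules (this post), scripted together as an added example. This is not code from the thread or from the ASUS, asuswrt-merlin or Tomato firmware. The interface names eth1/eth2 and wl0.1/wl1.1, and the assumption that "wl -i <if> ap_isolate" with no value prints the current setting, are assumptions to check on your own unit; the brctl, ebtables and wl commands are the ones the posts name.

```shell
#!/bin/sh
# Added example for this thread; not ASUS, asuswrt-merlin or Tomato code.
# Two layers of isolation, applied together:
#   1. ebtables FORWARD drops: keep a guest SSID (and, reusing the same
#      helper, the two radios) from reaching other ports of the br0 bridge;
#   2. driver-level "wl ap_isolate": stop clients on one SSID from reaching
#      each other, which ebtables never sees because it is switched in hardware.
# Assumed names; confirm with `brctl show` before running "apply":
BRIDGE=${BRIDGE:-br0}
RADIOS=${RADIOS:-"eth1 eth2"}          # main 2.4 GHz and 5 GHz interfaces
GUEST_IFS=${GUEST_IFS:-"wl0.1 wl1.1"}  # one guest SSID per radio (assumed)

# Rules are emitted as ebtables argument strings without the -A/-D verb so the
# same text can be printed (plan), deleted and re-added (apply).

# Guest isolation: drop bridged frames entering from, or leaving towards, the
# guest interface. Frames addressed to the router itself (DHCP, DNS and any
# traffic routed out to the WAN) traverse ebtables INPUT, not FORWARD, so
# guests keep Internet access while losing every LAN and other-SSID peer.
guest_rules() {
    printf 'FORWARD -i %s -j DROP\n' "$1"
    printf 'FORWARD -o %s -j DROP\n' "$1"
}

# Cross-band isolation: ap_isolate covers one radio only, so a 2.4 GHz client
# can still reach a 5 GHz client through the bridge unless both directions
# between the radio interfaces are dropped.
crossband_rules() {
    printf 'FORWARD -i %s -o %s -j DROP\n' "$1" "$2"
    printf 'FORWARD -i %s -o %s -j DROP\n' "$2" "$1"
}

# Driver-level client isolation for each listed interface, main or virtual.
isolate_cmds() {
    for i in "$@"; do
        printf 'wl -i %s ap_isolate 1\n' "$i"
    done
}

# Dry run: every command the apply step would issue, one per line.
plan() {
    set -- $RADIOS
    isolate_cmds $RADIOS $GUEST_IFS
    crossband_rules "$1" "$2" | sed 's/^/ebtables -A /'
    for g in $GUEST_IFS; do
        guest_rules "$g" | sed 's/^/ebtables -A /'
    done
}

# Idempotent insert: delete any existing copy, then append, so re-running the
# script after a wireless restart does not stack duplicate rules.
apply_rule() {
    ebtables -D $1 2>/dev/null
    ebtables -A $1
}

# Refuse to act on an interface that is not in the bridge; a typo here would
# otherwise silently isolate nothing.
in_bridge() {
    brctl show "$BRIDGE" | awk 'NR>1 {print $NF}' | grep -qx "$1"
}

apply() {
    for i in $RADIOS $GUEST_IFS; do
        in_bridge "$i" || { echo "$i is not in $BRIDGE" >&2; return 1; }
        wl -i "$i" ap_isolate 1
    done
    set -- $RADIOS
    crossband_rules "$1" "$2" | while read -r r; do apply_rule "$r"; done
    for g in $GUEST_IFS; do
        guest_rules "$g" | while read -r r; do apply_rule "$r"; done
    done
}

# What is in effect now. Snapshot this before and after instead of diffing
# iptables, which bridged traffic never reaches. Reading ap_isolate back by
# omitting the value is an assumption about the wl utility.
show() {
    brctl show "$BRIDGE"
    ebtables -L FORWARD
    for i in $RADIOS $GUEST_IFS; do
        printf '%s ap_isolate=%s\n' "$i" "$(wl -i "$i" ap_isolate)"
    done
}

case "$1" in
    plan)  plan ;;
    apply) apply ;;
    show)  show ;;
esac
```

Run "sh isolate.sh plan" first and compare its ebtables lines with "ebtables -L FORWARD" on a stock ASUS build with guest isolation enabled; if the pair per guest interface matches, "apply" reproduces that state plus the per-SSID client isolation and the cross-band drops the post above says the GUI does not add.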
 
You just need to use the appropriate interface. For example "wl -i wl0.1 ap_isolate 1" works.

I really appreciate your entire post and the post earlier in the thread as well! The command above is what I was looking for! (I have yet to actually test it, but that's what I was trying to figure out)

So, as I understand it now, these are the steps I might take: (Tomato firmware)
1) Enable isolation on desired physical and virtual interfaces
2) Set up ebtables to block traffic between interfaces
3) ?

Again, I'm really new at this aspect of routers and I first heard of ebtables a week ago. I've worked with nvram commands infrequently for 12 or so years. I've heard of iptables but never worked with them.
The information you have provided has given me a concept that I can build on!
 
I'm sure you are probably right, but I have a question. Is there any way (with ebtables or arptables) to manipulate traffic between clients on the same interface? Is there some PREROUTING rule or something that can be used? I have been wondering the same thing about wired clients on the same subnet, i.e. does traffic between them at least go through PREROUTING in iptables? Also, do you have a link to all the 'wl' commands somewhere?
 
I don't know if this will work, but I use Merlin's firmware and I changed the NVRAM variable (e.g. guest network 1 on the 2.4 GHz radio for an RT-N66U)

Code:
wl0.1_closed

I have not used the tomato firmware so the variables may be named something else entirely.
 
I've tried it on Tomato, but I don't see any direct correlation with isolation. I looked it up and found these:

http://wiki.cacert.org/OpenWRT
To disable SSID broadcasts:
nvram set wl0_closed=1

https://sites.google.com/site/robinlee05/faq-openwrt
3.12. How do I disable ESSID broadcast?
This can be done easily with
nvram set wl0_closed=1
/sbin/wifi
To keep the settings over a reboot run:
nvram commit

What effects do you notice when you use that command?
 
