When I set it to 1, I have to manually enter the SSID in order to connect to the wireless network. 0 makes it visible.
Yes. You do need to configure ebtables. I use merlin's firmware and I wouldn't say that the ebtables are a very secure way to block intranet access but they work. The commands to allow access only to the wan interface and no other device on the same guest network are these:
Code:
ebtables -I FORWARD -i wl0.1 -o ! [wan interface] -j DROP
ebtables -I FORWARD ! -i [wan interface] -o wl0.1 -j DROP
Just replace the interfaces with those that correspond to your router. This says to drop layer 2 frames in the wl0.1 interface that are not destined for the wan interface and the same vice versa. I hope this helps and works. Good luck.
ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP
wl0.3_ap_isolated
wl0.3_lanaccess
wl -i wl0.3_lanaccess 1
Code:
wl -i wl0.1 ap_isolate 1
wl -i wl0.2 ap_isolate 0
wl -i wl0.3 ap_isolate 1
ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP
ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP
This works really well it seems. I can't ping, access a webpage or see a network share on wl0.2 or eth1 from either wl0.1 or wl0.3.
Try running this and see if the variable exists in nvram.
Code:
nvram show | grep lanaccess
This is exactly what I was saying in my previous post and I apologize if it was hard to understand me. This setup should work to block clients from communicating with other clients and traffic from crossing wireless networks. I hope this helps. Good luck.
wl -i wl0.1 ap_isolate 1
wl -i wl0.2 ap_isolate 0
wl -i wl0.3 ap_isolate 1
wl -i wl1.1 ap_isolate 1
wl -i wl1.2 ap_isolate 1
wl -i wl1.3 ap_isolate 1
ebtables -F
ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP
ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP
ebtables -I FORWARD -i wl1.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl1.1 -j DROP
ebtables -I FORWARD -i wl1.2 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl1.2 -j DROP
ebtables -I FORWARD -i wl1.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl1.3 -j DROP
I use merlin's firmware and I wouldn't say that the ebtables are a very secure way to block intranet access but they work.
Now that I've gotten this far and can relax a little and contemplate new things, can any of you tell me more about the potential insecurity of these methods I've chosen to employ?
How would one attack with these ebtables and SSID isolation set? Is there more that can be done?
ebtables -I FORWARD -i wl0.1 -o br0 ! AA:BB:CC:DD:EE:FF -j DROP
ebtables -I FORWARD -i wl0.2 -s ! AA:BB:CC:DD:EE:FF -p ipv4 --ip-source 10.1.1.1 -j DROP
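A consistency check for the kind of startup script built up in this thread, added here as an example and not posted by any participant: it confirms that every guest interface has `ap_isolate 1` and both DROP rules, accepting either placement of the `!` negation. The function names and the sample script are constructed for illustration; `vlan1` and the `wl0.x` names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: audit a startup script for the isolation settings from this thread.

# Drop comment lines, squeeze whitespace, and move "!" in front of its option
# so that "-o ! vlan1" and "! -o vlan1" compare equal.
normalize() {
    sed -e '/^[[:space:]]*#/d' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e 's/\(-[io]\) ! \([^ ]*\)/! \1 \2/g'
}

# has_line TEXT FIXED_STRING: succeeds if some line of TEXT contains the string.
has_line() {
    printf '%s\n' "$1" | grep -qF -e "$2"
}

# audit_isolation UPLINK SCRIPT_TEXT GUEST_IFACE...
# Prints one finding per missing setting; prints nothing when coverage is complete.
audit_isolation() {
    uplink=$1
    script=$(printf '%s\n' "$2" | normalize)
    shift 2
    for ifc in "$@"; do
        has_line "$script" "wl -i $ifc ap_isolate 1" ||
            echo "$ifc: ap_isolate is not set to 1"
        has_line "$script" "FORWARD -i $ifc ! -o $uplink -j DROP" ||
            echo "$ifc: no DROP rule for frames from $ifc to anything but $uplink"
        has_line "$script" "FORWARD ! -i $uplink -o $ifc -j DROP" ||
            echo "$ifc: no DROP rule for frames to $ifc from anything but $uplink"
    done
}

# Constructed sample: wl0.3 has isolation switched off and one rule commented out.
SAMPLE_SCRIPT='wl -i wl0.1 ap_isolate 1
wl -i wl0.3 ap_isolate 0
ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP
# ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1   -o wl0.3 -j DROP'

audit_isolation vlan1 "$SAMPLE_SCRIPT" wl0.1 wl0.3
```

The check reads the script text only; it does not query the running bridge table, so rules flushed or added by hand afterwards are not seen.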