Isolating guest network in AP mode

bobley

Occasional Visitor
I'd like to isolate my guest SSID. I'm using AP mode in front of an Edgerouter. Will this work or do I need more in terms of brouting? I'm new to this scripting process.

Do I need to do anything on the Edgerouter?

/jffs/scripts/firewall-start
Code:
#!/bin/sh

#vlan1 is LAN
#wl0.1 is guestSSID#1

#Isolate guestSSID#1
wl -i wl0.1 ap_isolate 1

#Flush ebtables
ebtables -F

#Drop connections for guestSSID#1
ebtables -I FORWARD -i wl0.1 -o vlan1 -j DROP
ebtables -I FORWARD -i vlan1 -o wl0.1 -j DROP

With those rules, from the main network, I can't ping the guestSSID#1, but it seems that devices on guestSSID#1 can ping devices on the main network. What do I need to change?

I have br0 across vlan1, eth1, eth2, and some regular WiFi if I'm understanding the brctl show output.

How many times can one format the jffs partition? Or is that use ok versus log files and such?
 
If I understand your setup correctly, the Edgerouter is the router and provides all your wired LAN connections; the Asus is just a wireless access point connected to one of the Edgerouter's LAN ports.

Then this won't work. It doesn't matter what you do on the access point; the problem is that the Edgerouter has no way of differentiating between guest and non-guest traffic coming into its LAN port.
 
If I understand your setup correctly, the Edgerouter is the router and provides all your wired LAN connections; the Asus is just a wireless access point connected to one of the Edgerouter's LAN ports.

Then this won't work. It doesn't matter what you do on the access point; the problem is that the Edgerouter has no way of differentiating between guest and non-guest traffic coming into its LAN port.
It seems others have tried this, but it's not clear if it works.

I could set up a second LAN on the Edgerouter and split the physical ports on the Asus. The problem is whether I can isolate the wireless networks on the Asus. If not, do I use a second Asus or a better quality AP that can handle VLANs? In the meantime, my network is a shared mess.
 
Will this work or do I need more in terms of brouting?
You will need the ebtables brouting rules to un-bridge the traffic you want dropped.
 
