drinkingbird
Part of the Furniture
@RMerlin not sure if you know?
In playing around with this a lot, it seems that guest2/3 -> LAN isolation (and the other guest) relies heavily on blocking ARP requests/broadcasts (by setting a static ARP on guest and LAN machine, I can actually ping between them). Thing is, it isn't being done with ebtables, and it never hits iptables since it never leaves the BR0 interface.
Guest 1 makes sense, broadcasts don't get through due to being in separate bridges, but adding rules to EBTABLES and IPTABLES allows traffic to get through (it only has to arp for the default gateway, which does get a response, then passes through the rules fine).
Wondering if this is something buried in the code somewhere or if I'm just missing it. It does this whether AP isolation is enabled or not (makes sense as that only impacts wireless clients on the same SSID/virtual wireless interface).
In fact, the ebtables rules blocking guests from hitting the LAN (other than the router's IP) don't really seem to actually do anything until you set that static ARP; then you can see hits on the rules.
I was thinking it was because they were separate interfaces, but they both sit under BR0 and that's the broadcast domain; I don't see anything on the interfaces that would be blocking ARP.
Mostly just out of curiosity...
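One way to check the observation above (that the guest ebtables rules show no hits) rather than eyeball it: a small parser for `ebtables -L --Lc` counter output that lists guest-interface rules whose packet counter is still zero. This is an added example, not code from the post or from Asuswrt-Merlin; the sample output, the interface names `wl0.1`/`wl0.2` and the rule specs in it are constructed, and the `-L --Lc` line format (`spec , pcnt = N -- bcnt = M`) is what ebtables prints.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample of `ebtables -t filter -L --Lc` output (not captured from a real router).
SAMPLE_OUTPUT = """\
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-i wl0.2 -p IPv4 --ip-dst 192.168.1.1 -j ACCEPT , pcnt = 0 -- bcnt = 0
-i wl0.2 -p IPv4 --ip-dst 192.168.1.0/24 -j DROP , pcnt = 0 -- bcnt = 0
-i wl0.1 -p IPv4 --ip-dst 192.168.1.0/24 -j DROP , pcnt = 17 -- bcnt = 1428

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
"""

CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries: (\d+), policy: (\S+)")
RULE_RE = re.compile(r"^(.*?) , pcnt = (\d+) -- bcnt = (\d+)\s*$")

@dataclass
class Rule:
    chain: str
    spec: str
    pcnt: int
    bcnt: int

def parse_ebtables_counters(text):
    """Return every rule of every chain together with its packet/byte counters."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain is not None:
            rules.append(Rule(chain, m.group(1).strip(), int(m.group(2)), int(m.group(3))))
    return rules

def unexercised_guest_rules(text, guest_ifaces):
    """Rules that name a guest interface (-i/-o) but have matched zero frames.
    A zero counter on an isolation DROP rule means the traffic it targets is being
    stopped earlier (e.g. ARP never resolving), not that the rule itself is doing the work."""
    return [r for r in parse_ebtables_counters(text)
            if r.pcnt == 0 and any(f"-i {i} " in r.spec or f"-o {i} " in r.spec for i in guest_ifaces)]

if __name__ == "__main__":
    # Pipe real output in (`ebtables -t filter -L --Lc | python3 check.py`) or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for r in unexercised_guest_rules(text, ["wl0.1", "wl0.2"]):
        print(f"{r.chain}: never matched: {r.spec}")
```

Run it once before and once after generating guest-to-LAN traffic; rules that stay at zero are not the thing enforcing the isolation.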