Where is asus blocking ARP for guests?

[drinkingbird]

@RMerlin not sure if you know?

In playing around with this a lot, it seems that guest2/3 -> LAN isolation (and the other guest) relies heavily on blocking ARP requests/broadcasts (by setting a static ARP on guest and LAN machine, I can actually ping between them). Thing is, it isn't being done with ebtables, and it never hits iptables since it never leaves the BR0 interface.

Guest 1 makes sense, broadcasts don't get through due to being in separate bridges, but adding rules to EBTABLES and IPTABLES allows traffic to get through (it only has to arp for the default gateway, which does get a response, then passes through the rules fine).

Wondering if this is something buried in the code somewhere or if I'm just missing it. It does this whether AP isolation is enabled or not (makes sense as that only impacts wireless clients on the same SSID/virtual wireless interface).

In fact the ebtables rules blocking guests from hitting the LAN (other than the router's IP) don't really seem to actually do anything, until you set that static ARP, then you can see hits on the rules.

I was thinking it was because they were separate interfaces but they both sit under BR0 and that's the broadcast domain, I don't see anything on the interfaces that would be blocking ARP.

Mostly just out of curiosity.....

 

[drinkingbird]

Well at least I'm not the only one stumped

If I had a spare I'd be able to play with it more and maybe figure it out. But it does seem like something is blocking broadcasts between the VIFs and it isn't either of the firewalls. It seems to block it before it even hits EBTABLES so it must be right at the input of the WLx.x interface (I did check and the interface does show "broadcast" on it, but that has to be there for the router to be able to send and respond to ARPs for its own interface). Some hidden filter somewhere.