I am no networking expert, but it seems to me that I should be able to create a wifi network isolated from the LAN by removing the wl.0 interface, for example, from br0 and assigning it to its own subnet. I did just that via the web GUI (without creating a VAP) and found I can still ping devices on the LAN from devices on wl.0. Should this be the case? I also enabled NetIsolation and the subnets were still reachable from one another. Is this behavior to be expected?
I have attached the outputs of:
ip -L
brctl show
iptables -L
WebUI - Networking
WebUI - Wireless
_________________
Netgear R7000 Updated ≈ Monthly Wireguard, PBR, VAP
Adblocking & Authoritative, Validating, Recursive Caching DNS Server with DNSSEC via Unbound Verified with ddwrt-dns-monitor.sh and dig Tutorial: How to monitor DNS traffic in real-time
Joined: 08 May 2018 Posts: 14249 Location: Texas, USA
Posted: Fri May 20, 2022 20:07 Post subject:
I think some people may not be aware of all the places the associated configurations apply. You can also do this with bridged interfaces, but a few more steps are required in proper order.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Posted: Fri May 20, 2022 12:10 Post subject:
Exactly how did you check reachability across the IP networks?
I used the Pythonista StaSh shell on my iPhone to ping my PC connected via LAN (after allowing ICMP through firewalld).
Code:
ping.py -c 10 10.xx.xx.xx
You can essentially do the same without creating a VAP, but TBH it works wonderfully well as is for me.
Thanks Joker, I thought I had attached these screenshots already; in any case, I believe my setup looks identical. I have struggled with VAPs for years, I think due to a Broadcom-specific issue of some kind. I should add that if I also create VAPs, the networks are not pingable with or without Net Isolation. In that case I am then stuck with four (4) APs, two (2) of which are "guest" and two (2) of which are LAN, when I only need the two (2) guest APs at the moment.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sat May 21, 2022 8:06 Post subject:
I have a Broadcom RT-AC68U and, as per my screenshots EXACTLY, anyone connected to the AP/Net isolated VAPs can NOT access each other (AP isolation) or the LAN clients (Net Isolation), and is able to use the internet.
No additional firewall anything required; my setup was achieved via the UI purely and simply as depicted.
This was tested by connecting a device to the VAP and pinging the LAN clients (hosts unreachable), other wifi devices on the regular wifi and also on the VAP (hosts unreachable), and pinging the internet, Google for instance (fully working). Real-world usage also works fine and none can access my main subnet LAN NAS devices and other devices.
However, I am always using the latest builds and have reset my nvram twice this year, just because the firmware changes somehow caused gremlins without the reset, even from this year's builds.
Sadly, Broadcom has quirks, but nothing an nvram reset and reconfigure from scratch doesn't oust.
After that, it all works perfectly well.
So you know, you need to set up the networking tab for the relevant VAP and add the extra DHCPD with another subnet different from the regular one.
Clients connected to wlan0 and wlan1 are not isolated from each other!
It works for me only with an active PPPoE WAN connection.
If I disable the WAN interface, no network isolation works at all.
Same if I set it to "automatic DHCP" (no DHCP server on the WAN side, so no WAN connection): all subnets are fully reachable.
It can be fixed with additional rules, but it would not be bad if this worked correctly...
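The "additional rules" mentioned above, for the OP's case of an unbridged wifi interface, as an added example that is not from this thread or from the DD-WRT project: explicit FORWARD/INPUT rules that block the guest subnet from the LAN regardless of WAN state or the NetIsolation toggle, plus two checks that read the same `brctl show` and `iptables -S FORWARD` output the OP attached. The interface names wl0.1 and br0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): explicit iptables isolation for an unbridged
# wifi interface on DD-WRT, plus checks over 'brctl show' / 'iptables -S' output.
GUEST_IF="${GUEST_IF:-wl0.1}"   # assumed: the interface removed from br0 (VAP or radio)
LAN_IF="${LAN_IF:-br0}"         # assumed: the LAN bridge
RUN="${RUN:-}"                  # set RUN=echo to print the commands instead of running them

# Drop forwarding between the guest interface and the LAN bridge in both directions.
# These rules need neither the WAN to be up nor the NetIsolation toggle, and -I puts
# them ahead of the rules DD-WRT generates. Guest clients may still reach the router
# itself only for DHCP (udp/67) and DNS (53); the ACCEPTs are inserted last so they
# end up above the INPUT DROP.
isolate_rules() {
  $RUN iptables -I FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
  $RUN iptables -I FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j DROP
  $RUN iptables -I INPUT -i "$GUEST_IF" -j DROP
  $RUN iptables -I INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
  $RUN iptables -I INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
  $RUN iptables -I INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
}

# is_bridge_port "<brctl show output>" <bridge> <interface>: exit 0 if the interface
# is still a port of the bridge, i.e. it was NOT actually unbridged by the GUI.
is_bridge_port() {
  printf '%s\n' "$1" | awk -v br="$2" -v ifc="$3" '
    $1 == "bridge" { next }                              # column header line
    NF >= 3 { cur = $1; port = (NF >= 4) ? $4 : "" }    # bridge line, first port in $4
    NF == 1 { port = $1 }                                # continuation line: one more port
    cur == br && port == ifc { found = 1 }
    END { exit found ? 0 : 1 }'
}

# has_guest_drop "<iptables -S FORWARD output>": exit 0 if the guest->LAN DROP is present.
has_guest_drop() {
  printf '%s\n' "$1" | grep -qF -- "-A FORWARD -i $GUEST_IF -o $LAN_IF -j DROP"
}

# 'sh isolate.sh apply' installs the rules (e.g. from the Firewall script box);
# without an argument the file only defines the functions for checking.
if [ "${1:-}" = "apply" ]; then
  isolate_rules
fi
```

Run `has_guest_drop "$(iptables -S FORWARD)"` and `is_bridge_port "$(brctl show)" br0 wl0.1` on the router after applying settings to confirm the GUI really unbridged the interface and that a DROP rule is in place.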
Posted: Sat May 21, 2022 9:56 Post subject:
AP isolation = isolates wifi clients on same network from seeing each other over wifi.
Net isolation = Prevents connected clients from accessing LAN clients on a different subnet.
Both require proper setup to fully work without issue, like another DHCPD assigning a different subnet to the unbridged VAP interface.
Of course, I'm not discounting the gremlins mainly existing because of a lack of nvram resets.
Posted: Sat May 21, 2022 10:16 Post subject:
Yeah, that's a different beast, that's Atheros; both OP and I are on Broadcom.
So Atheros bugs may apply to your platform, so who knows what that's about really. I have an Atheros, but old and already boxed up, so I can't really test that scenario.
TL;DR: Multiple attempts to follow the same process to find a repeatable cause of the connectivity between subnets resulted in an intermittent recurrence of the problem. Based on this and other similar issues, I suspect failing nvram.
I just walked through the configuration again start to finish to document a repeatable way to see the undesired connectivity. I repeated the process using 3 slight variations of the order of operations/power cycling which had caused the problems. I could not get the issue to repeat until I had completed a write-up on the topic and decided to follow the procedure one more time using the latest build. This time, after applying the final settings and power cycling, I again had connectivity, but only with net isolation disabled. Applying the settings again fixed the issue. I attached the operations performed which actually resulted in no connectivity 3x in a row with the build referenced in the original post. I then performed the operations again with the latest build, 48897, and the problem presented itself again. The intermittent issues I have experienced make me wonder if my nvram may not be reading/writing correctly on occasion...? I have flashed it perhaps 100+ times.
Posted: Thu May 26, 2022 20:11 Post subject:
Yes, so double apply cured it, right?
I've noticed some services/configs need a double apply on Broadcom to actually take; I noticed this while testing another unrelated service for another issue.
I can confirm that snmp, tor, and dnsmasq at the very least need double applies. I haven't tested with VAPs yet but am not jumping at the chance to test the VAP scenario tonight.
Even if you confirm this, Brainslayer doesn't confirm any such issues (all miraculously works for him), and one can't fix what one can't duplicate.
However, my 5 GHz VAPs work fine here, and I'm two, maybe three, builds ahead of you.