Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Sun May 29, 2022 10:03 Post subject:
As far as I know it is like this:
Net Isolation is designed for a guest network.
The guest network is isolated from the main network.
So when connected to the VAP/Guest Network with Net isolation enabled you should not be able to connect to clients on the main network and you should not be able to connect to the router itself (FORWARD and INPUT chain).
From the main network you can connect to the VAP (as -m state --state NEW is used)
Other VAPs can connect to other VAPs.
I have not tested if that is really working on recent builds but it was on older builds.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sun May 29, 2022 11:47 Post subject:
VAPs connecting to other VAPs and communicating with each other is not possible with AP/net isolation enabled with unbridged setups plus additional independent subnets set under Multiple DHCP Server on the Networking tab.
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Mon May 30, 2022 7:58 Post subject:
On my router (this is the travel router EA6900 running 48954) it does seem possible.
Main network is 192.168.1.1
VAP wl0.1 on 192.168.21.0/24
VAP wl1.1 on 192.168.22.0/24
Net isolation and AP isolation enabled, these are the firewall rules which are set because net isolation is enabled:
Code:
root@EA6900:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- wl0.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 DROP all -- wl1.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
635 186K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
I can happily ping from clients connected to wl0.1 to clients on wl1.1 and the other way around.
Not surprising, as the firewall rules only isolate the VAPs from the main network and not from each other, and AP isolation isolates wifi clients from each other on the same interface.
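As an added illustration (this is not code from the thread or from DD-WRT itself), the following script is a minimal first-match evaluator for an iptables-style FORWARD chain. It loads the three rules exactly as they appear in the `iptables -vnL FORWARD` output above and checks what they do with a few constructed packets, then does the same for a stricter, interface-based rule set that also keeps the VAPs apart from each other. Interface names other than wl0.1/wl1.1 (br0 as the main-network bridge, eth0 as WAN) and the client addresses are assumptions for the example.

```python
"""Simulate iptables FORWARD-chain evaluation for the net-isolation rules in the thread.
Added example; rule semantics are simplified to in/out interface, src/dst network and
conntrack state, which is all the rules on the page use."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    state: str  # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    target: str            # "ACCEPT" or "DROP"
    in_if: str = "*"       # "*" means any interface, as in iptables -vnL output
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    state: frozenset = frozenset()  # empty set = no -m state match

    def matches(self, pkt: Packet) -> bool:
        if self.in_if != "*" and self.in_if != pkt.in_if:
            return False
        if self.out_if != "*" and self.out_if != pkt.out_if:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.state and pkt.state not in self.state:
            return False
        return True


def evaluate(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; fall back to the chain policy (ACCEPT on the page)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The three rules exactly as listed in the thread's FORWARD chain.
THREAD_FORWARD = [
    Rule("DROP", in_if="wl0.1", dst="192.168.1.0/24", state=frozenset({"NEW"})),
    Rule("DROP", in_if="wl1.1", dst="192.168.1.0/24", state=frozenset({"NEW"})),
    Rule("ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"})),
]

# Stricter variant (assumption, not DD-WRT's own): identify guests by interface name
# and only allow NEW connections from a VAP towards the WAN uplink. Anything else
# originating on a VAP (other VAPs, the main LAN, any other subnet) is dropped.
VAPS = ["wl0.1", "wl1.1"]
WAN = "eth0"  # assumed WAN interface name
STRICT_FORWARD = [Rule("ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"}))]
for vap in VAPS:
    STRICT_FORWARD.append(Rule("ACCEPT", in_if=vap, out_if=WAN, state=frozenset({"NEW"})))
    STRICT_FORWARD.append(Rule("DROP", in_if=vap, state=frozenset({"NEW"})))

# Constructed sample traffic using the subnets from the post.
SAMPLE_PACKETS = {
    "vap_to_vap_new": Packet("wl0.1", "wl1.1", "192.168.21.10", "192.168.22.10", "NEW"),
    "vap_to_lan_new": Packet("wl0.1", "br0", "192.168.21.10", "192.168.1.10", "NEW"),
    "lan_to_vap_new": Packet("br0", "wl0.1", "192.168.1.10", "192.168.21.10", "NEW"),
    "vap_to_wan_new": Packet("wl0.1", "eth0", "192.168.21.10", "1.1.1.1", "NEW"),
    "vap_reply_established": Packet("wl1.1", "wl0.1", "192.168.22.10", "192.168.21.10", "ESTABLISHED"),
}


def verdicts(chain) -> dict:
    """Verdict per sample packet for the given chain."""
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("thread rules", THREAD_FORWARD), ("strict rules", STRICT_FORWARD)):
        print(label)
        for name, verdict in verdicts(chain).items():
            print(f"  {name:24s} {verdict}")
```

Run as-is, the thread's rules let the VAP-to-VAP NEW packet through on the chain's ACCEPT policy, which is exactly the ping result described above; the strict variant drops it while still allowing the VAP to reach the WAN and letting established replies flow. Note that an allowlist by egress interface is also what answers the later "what is a VAP" question in this thread: you would add an ACCEPT rule per extra uplink (for example a VPN interface) rather than trying to guess from subnets.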
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Mon May 30, 2022 8:33 Post subject:
Thanks for confirming.
The bridged VAPs being able to reach the router is interesting; the bridge should isolate the attached VAPs from the router if net isolation is enabled on the bridge, not sure why this is not working.
There is a third point in the first link.
The network isolation only works when the WAN connection is activated.
If the WAN is inactive because the ISP may have a network fault, then no network isolation will work at all.
Quote:
works for me only with active PPPoE WAN connection.
If I disable the WAN interface no network isolation works at all.
Same if I set to "automatic DHCP" (no DHCP server on WAN side - so no WAN connection) = all subnets are fully reachable
I also tested it by simply unplugging my modem from the telephone socket
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Mon May 30, 2022 9:52 Post subject:
egc wrote:
On my router (this is the travel router EA6900 running 48954) it does seem possible.
Main network is 192.168.1.1
VAP wl0.1 on 192.168.21.0/24
VAP wl1.1 on 192.168.22.0/24
Net isolation and AP isolation enabled, these are the firewall rules which are set because net isolation is enabled:
Code:
root@EA6900:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- wl0.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 DROP all -- wl1.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
635 186K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
I can happily ping from clients connected to wl0.1 to clients on wl1.1 and the other way around.
Not surprising, as the firewall rules only isolate the VAPs from the main network and not from each other, and AP isolation isolates wifi clients from each other on the same interface.
Of course the clients are on different subnets and might have their own firewall not allowing other subnets, but this is not something you can rely on.
I would consider that a bug of sorts. Net isolation is supposed to isolate one subnet from another, end of story; if it only isolates VAP clients from the wired LAN, then the design is incomplete and not accounting for the other possibilities.
That is not surprising, given some implementations are the simplest possible at the time of inception. Clearly in 2022 the relevant code needs to account for more situations. This code was likely last touched in 80 BC.
You cannot rely on any clients having any firewalls; like you mentioned, most user mobile devices, if not all, don't have any a user can access, or any at all. These ACLs are configured at router level on any sane network, either on the main gateway or on any other router within the route, depending on the complexity of the network.
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Tue May 31, 2022 7:00 Post subject:
Small addition, Net isolation isolates not only VAP clients from wired LAN but also from Wireless clients on the main network.
For now I propose to alter the text in the setting to reflect this behavior so something like:
Quote:
Net Isolation (from main network)
Of course it is possible to automatically isolate VAPs from other VAPs but how to determine what is a VAP?
You do not want to isolate the VAP automatically from e.g. a WG or VPN interface.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Tue May 31, 2022 10:51 Post subject:
Well, the interface identifiers determine what is a VAP, or don't they?
I'm sure there are firewall rules that can be used and input manually, but it would be nice if enabling Net isolation on the VAPs would do this automatically, also when subnets are different between VAPs. Again, different subnets being a key determination of whether Net isolation should apply.
But those are my brain farts. I've no idea about the code changes necessary.
And also when WAN is down, Net isolation should still work (apparently it does not), in fact there are quite a few issues that affect the UI when WAN is down, e.g. Reboot.asp either loads the HTML and no CSS, or doesn't load ANY HTML at all and then there is no such page displayed even if address bar shows the Reboot.asp.