Joined: 04 Aug 2018
Location: Appalachian mountains, USA
|Posted: Sun Jul 28, 2019 21:56 Post subject:
|Your VAP ath0.1 is effectively completely separate from ath0, except that they share radio parameters other than SSIDs. Things like isolation, inclusion in bridges, and presence in firewall commands are completely separate for the two. So we can speak of your br0 devices as those devices connected to either your ethernet lan interface eth1 or to the SSID associated with ath0.
So, your br0 devices can see and interact with each other. Your ath0.1 devices can see and interact with each other. But your ath0.1 devices and your br0 devices are isolated from each other in that no packet from either of br0 or ath0.1 will be passed to the other. So your ath0.1 devices and your br0 devices are isolated from each other.
Enabling net isolation on an interface isolates it from br0. However, if you have two interfaces that are not in br0 and enable net isolation on each of them, each will be isolated from br0 but they will not be isolated from each other. To isolate them from each other, you have to add explicit iptables commands to the firewall. This appears to be left over from early dd-wrt days when no one apparently considered that having more than a main network and a guest network would ever be of interest.
I believe AP isolation is implemented in the wifi interface itself, but I am not truly certain. Net isolation is implemented in the firewall, which I believe is one level up from the interfaces. Can't help you regarding how those are numbered Lthis or Lthat, etc. (My network education is minimal.)
Five Linksys WRT1900ACSv2 routers on BS 42926:
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.