Client Mode - Isolation Subnets

Alister
DD-WRT Novice


Joined: 16 Oct 2015
Posts: 19

Posted: Mon Jun 21, 2021 13:18    Post subject: Client Mode - Isolation Subnets
I'm using Netgear r7800 with build 06/05/2021 - r46885

When setting up client mode on a different subnet than the host AP, is there any benefit of turning on AP Isolation or using Unbridged with Masquerade / NAT and Net Isolation?

I believe these shouldn't be used when setting up client mode, and normally only apply when setting up a VAP or AP. However, I simply want to make sure the client is completely isolated from the host AP.

I've seen 1 or 2 posts where someone was hinting at being confused about this, however it wasn't addressed.

Appreciate all advice.
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Wed Jun 23, 2021 22:35    Post subject: Re: Client Mode - Isolation Subnets
Alister wrote:
I'm using Netgear r7800 with build 06/05/2021 - r46885

When setting up client mode on a different subnet than the host AP, is there any benefit of turning on AP Isolation or using Unbridged with Masquerade / NAT and Net Isolation


My understanding of UNBRIDGED is that it effectively creates a different network which is separate from your router's wired network. Hence it is referred to as unbridged. (Otherwise, hosts on AP would share same network with wired ones, via a bridge).

On the other hand, AP isolation refers to the isolation of traffic from one host to another on AP. In other words, it prevents one wireless client from communicating with another wireless client.

It stands to reason that AP isolation becomes less of a concern on your home network since hosts (e.g. family members or shared devices such as 'home' NAS, printer) are IMPLICITLY trusted for sharing purposes, whereas it is NOT the case of your different guests (visiting your home or IoT devices) on a separate network.
Alister
DD-WRT Novice


Joined: 16 Oct 2015
Posts: 19

Posted: Thu Jun 24, 2021 12:09    Post subject: Re: Client Mode - Isolation Subnets
DWCruiser wrote:
Alister wrote:
I'm using Netgear r7800 with build 06/05/2021 - r46885

When setting up client mode on a different subnet than the host AP, is there any benefit of turning on AP Isolation or using Unbridged with Masquerade / NAT and Net Isolation


My understanding of UNBRIDGED is that it effectively creates a different network which is separate from your router's wired network. Hence it is referred to as unbridged. (Otherwise, hosts on AP would share same network with wired ones, via a bridge).

On the other hand, AP isolation refers to the isolation of traffic from one host to another on AP. In other words, it prevents one wireless client from communicating with another wireless client.

It stands to reason that AP isolation becomes less of a concern on your home network since hosts (e.g. family members or shared devices such as 'home' NAS, printer) are IMPLICITLY trusted for sharing purposes, whereas it is NOT the case of your different guests (visiting your home or IoT devices) on a separate network.


Thanks, yep, that's exactly my understanding of these settings also. It stands to reason there never would be a reason to use Unbridged for client mode specifically, as there is no wireless connection to separate, seeing as only the LAN ports have internet.

Normally you would turn on Unbridged and put it on a different subnet with Net Isolation when you add a Virtual Access Point, to unbridge it from the LAN, and AP Isolation to prevent those wireless devices seeing each other. The same would apply when adding an Access Point, with a dual band router using 2.4GHz for client and 5GHz as AP.

Say the host AP providing the internet to client mode is on 192.168.1.1 and you set the client mode on another subnet 192.168.2.1, this alone should be enough for isolation I think... However, when you choose Unbridged it lets you specify another subnet like 192.168.3.1. I'm trying to work out if there's any purpose to use that with client mode specifically.

I don't think there is, but considering the firmware doesn't prevent you turning on AP Isolation or Unbridged with client mode, it becomes confusing, as presumably you would never need to turn AP Isolation or Unbridged on with client mode. So it's gotta make you wonder what happens on client mode when you're already using 192.168.2.1 and you turn Unbridged on and set it to 192.168.3.1 and turn on Net Isolation.

I don't know if it's redundant and what the consequences of doing that would be, keeping in mind only the LAN ports have internet access; there is no wireless SSID to unbridge technically. Assume AP Isolation does nothing, as it wouldn't prevent the LAN communicating and anything on 192.168.1.1 isn't affected by it. There's a reason to use it when adding a Virtual Access Point alongside client mode, either that or an Access Point with the dual band router; this is when using Unbridged on a separate subnet with Net Isolation makes sense to me.

I dunno about everything on your network being safe even if you trust the people you share it with. Any infections on your computer or theirs that may slip through are suddenly a way for other devices to be compromised also.

Hopefully this makes sense, I tried to be as detailed as possible.
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Sun Jun 27, 2021 4:01    Post subject:
You’re right. Under Client mode, the wireless function of the second router (R2) is used exclusively for traffic to/from the primary router (R1). As a result, R2 provides only wired connections to devices behind it.

Unbridged and AP isolation features, consequently, become dormant on R1 when R2 is connected in Client mode.

But the fact that they still appear as options under this scenario can be confusing. You raised a good valid point. If I had to make a guess it would be a redundant GUI object (left over from AP section) with a very low priority for clean up by DD-WRT developer (read BS). The firmware you and I are using is called Beta for obvious reasons.

I should add that DD-WRT firmware is far superior to stock firmware that left the manufacturer's factory floor. I have done Beta testing for an IT manufacturer, so I know a thing or two. I also have a lot of respect for Germans in the field of engineering.

As for the potential of a virus spreading through file sharing, it's a valid point. Though related, I don't think it is why AP isolation becomes an option. Sticking close to the topic at hand helps shorten the path to resolution, I would suggest.

Wishing you a good day.