[tomron]

Hello!

I have several Archer C7/A7 running and all seem to have a similar behavior but let me first describe my setup:

wlan0 is my privat WiFi network
wlan0.1 (VAP) is my guest WiFi which is set to be unbridged and set the IP to 10.0.35.1/24 and Net Isolation was enabled.

I have created a bridge br30 and set also the IP to 10.0.35.1/24. --> Net Isolation also enabled!

Then I have assigned wlan0.1 to br30
then I have created a new DHCP Server and assigned br30 to this new dhcp.

clients on the guest VAP will get assigned to 10.0.35.x all good so far, BUT the Net Isolation function takes no real effect because all clients on the guest VAP are able to contact the router ip (10.0.10.1) and I suppose all other IPs in my privat subnet.

used firmware r50274 but i whitenessed the same behavior on earlier betas.

Anybody able to assist?
Thanks in advance!

[the-joker]

Much newer firmware has proper Net Isolation.

[egc]

If you add a VAP to a bridge the VAP has to be left Bridged (as it is bridged to br30)

Net isolation works for me, so it should for you too

(Unless you have setup your router as a WAP Wireless access point)

[tomron]

So I have to correct my self a little from my first post.

ONLY the Gateway IP on the private net is accessible (10.0.10.1) other access requestes to my other routers get blocked.


so I updated to r50500 (latest) and I am still able to access the gateways (10.0.10.1) WebUI....

is this intended??

Thanks!

[egc]

My Bridge br1 (with VAP attached) is on 192.168.14.1/24

My main network is 192.168.13.1/24

When connected to my VAP (IP address 192.168.14.69)

I cannot reach 192.168.14.1 nor anything on 192.168.13.1/24

So I have full net isolation (build 50505, on Linksys EA6900).

I have to switch back not my main network to see iptables:

[tomron]

ok this was a hard to find low hanging fruit.

It's a setting in the in the WiFi Basic Settings...



with disabled WebUI access a 401 Bad Request message appears

[egc]

IF this is the VAP you have made a mistake in setting up.

The VAP must be left bridged as it is bridged to br30 in your case.

Then Net isolation is set on br30.

[tomron]

major fail on my side

I always thought unbridging is necessary for just unbridging br0.
but then.... where is unbridging necessary?




Thanks for the enlightenment, will try it out!

[tomron]

So I bridge wlan0.1 again

bridging table displays
br30 wlan0.1

Net Isolation disabled --> network access to all clients on the gateway subnet
Net Isolation enabled --> network access to Gateway still possible, can be turned off by the above mentioned WiFi setting

Is this intended that the router IP is still accessible from another bridge?

Thanks
Tom

[egc]

No the router is not accessible from a proper setup isolated bridge.

Attached my notes how I do it and when I follow my setup the router is not accessible if Net isolation is enabled, at least on the routers I have.

You probably should start over.

It is easy to see the isolation in action with:
iptables -vnL INPUT

You should see the DROP rule in action

Note:
1. You need a recent build.
2. The router must be in normal gateway mode with its WAN enabled.
3. You have rebooted the router after setting up (normally if you took your time setting up this is not necessary)

[tomron]

Hello egc

thanks for sharing your document.

this is the result of the command " iptables -vnL INPUT"

[egc]

Compare it with my router.

It looks like there is something wrong with you router.

You are missing a lot of rules.

Are you sure this is a normal gateway router with wan enabled and firewall enabled?

Otherwise consider resetting to defaults and start fresh do not restore from a backup.

[DWCruiser]

Further to what is recommended by egc, i'd like to add the following.

My understanding of DDWRT is that Net Isolation means the nominated vAP is isolated from private VLAN. However, your vAP is placed on a bridge, it (i.e. br30) 'takes over' the controls of the vAP.

And if bridge br30 does not specifically block traffic from other bridges, a host on vAP can reach the router's web UI, despite the host's home vAP settings.

In firewall:

iptables -I FORWARD -i br30 -o br+ -m state --state NEW -j REJECT

The above firewall would block traffic from/to br30 to other bridges. Except the Internet.

[egc]

@DWCruiser, a bridge also has a net isolation setting which should isolate that bridge from br0.

So no need to do that manually

[DWCruiser]