Posted: Fri Oct 14, 2022 15:50 Post subject: Net Isolation Function seems to have no effect?
Hello!
I have several Archer C7/A7 running, and all seem to have similar behavior, but let me first describe my setup:
wlan0 is my private WiFi network.
wlan0.1 (VAP) is my guest WiFi, which is set to be unbridged, with the IP set to 10.0.35.1/24 and Net Isolation enabled.
I have created a bridge br30 and also set its IP to 10.0.35.1/24. --> Net Isolation also enabled!
Then I assigned wlan0.1 to br30.
Then I created a new DHCP server and assigned br30 to this new DHCP server.
Clients on the guest VAP get assigned 10.0.35.x, all good so far, BUT the Net Isolation function takes no real effect, because all clients on the guest VAP are able to contact the router IP (10.0.10.1) and, I suppose, all other IPs in my private subnet.
I used firmware r50274, but I witnessed the same behavior on earlier betas.
Anybody able to assist?
Thanks in advance! _________________ VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
Net Isolation disabled --> network access to all clients on the gateway subnet
Net Isolation enabled --> network access to the gateway still possible; can be turned off by the above-mentioned WiFi setting
Is this intended that the router IP is still accessible from another bridge?
Thanks
Tom
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Sun Oct 16, 2022 23:27 Post subject:
Further to what is recommended by egc, I'd like to add the following.
My understanding of DD-WRT is that Net Isolation means the nominated vAP is isolated from the private VLAN. However, when your vAP is placed on a bridge, that bridge (i.e. br30) 'takes over' control of the vAP.
And if bridge br30 does not specifically block traffic from other bridges, a host on the vAP can reach the router's web UI, despite the host's home vAP settings.
In firewall:
iptables -I FORWARD -i br30 -o br+ -m state --state NEW -j REJECT
The above firewall rule would block traffic from/to br30 to other bridges, except the Internet. _________________ Life is a journey; travel alone makes it less enjoyable and lonely.
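A practical caveat on the rule above: a FORWARD rule only sees packets routed through the box. Packets addressed to one of the router's own addresses (the 10.0.10.1 web UI the original poster's guest clients can reach) go through INPUT, so a guest bridge also needs an INPUT rule to be isolated from the router itself, while still being allowed DHCP and DNS. The script below is an added example written for this thread; it is not code from DD-WRT or from any of the posters. It assumes the guest bridge is br30 with gateway 10.0.35.1 (as in the first post), that the private subnet is 10.0.10.0/24 (the thread only names the gateway 10.0.10.1), and that the rules are pasted into Administration > Commands and saved with "Save Firewall" so they are re-applied after the DD-WRT firewall restarts. The guest_in chain name is a hypothetical name chosen for this example.

```shell
#!/bin/sh
# Guest-bridge isolation for DD-WRT (added example, not from the thread or from DD-WRT).
# Prints the iptables commands by default; run with "apply" as the argument to execute them.
#
# Assumptions (not stated in the thread):
#   GUEST_IF     guest bridge, br30 in the original post
#   GUEST_GW     the guest bridge's own address, 10.0.35.1 in the original post
#   PRIVATE_NETS space-separated list of subnets guests must not reach; 10.0.10.0/24 is
#                assumed from the gateway 10.0.10.1 mentioned in the thread. Use
#                "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" to also cover subnets reached
#                through tunnels (the poster's signature mentions WireGuard site-to-site).
GUEST_IF="${GUEST_IF:-br30}"
GUEST_GW="${GUEST_GW:-10.0.35.1}"
PRIVATE_NETS="${PRIVATE_NETS:-10.0.10.0/24}"

# guest_isolation_rules <guest bridge> <guest gateway address> <private subnets>
# Emits the rule set on stdout. Every insert is preceded by a matching delete so the
# script is idempotent when re-run after a firewall restart.
guest_isolation_rules() {
    gi="$1"; gw="$2"; priv="$3"
    # INPUT: traffic from the guest bridge to the router itself. Only DHCP (broadcast,
    # so no -d match) and DNS to the guest gateway address are allowed; everything
    # else, including the web UI on 10.0.10.1 and DNS aimed at the private address,
    # is dropped. Inserted at the top so it precedes DD-WRT's own ACCEPT rules.
    cat <<EOF
iptables -N guest_in 2>/dev/null
iptables -F guest_in
iptables -A guest_in -p udp --dport 67 -j ACCEPT
iptables -A guest_in -d $gw -p udp --dport 53 -j ACCEPT
iptables -A guest_in -d $gw -p tcp --dport 53 -j ACCEPT
iptables -A guest_in -j DROP
iptables -D INPUT -i $gi -j guest_in 2>/dev/null
iptables -I INPUT -i $gi -j guest_in
iptables -D FORWARD -i $gi -o br+ -m state --state NEW -j DROP 2>/dev/null
iptables -I FORWARD -i $gi -o br+ -m state --state NEW -j DROP
EOF
    # FORWARD: the thread's rule (guest -> any bridge) plus an explicit destination
    # match per private subnet, which also catches paths that are not bridges.
    # Matching only NEW connections keeps the same semantics as the thread's rule:
    # a private host may still open a connection to a guest device and get replies.
    for n in $priv; do
        printf 'iptables -D FORWARD -i %s -d %s -m state --state NEW -j DROP 2>/dev/null\n' "$gi" "$n"
        printf 'iptables -I FORWARD -i %s -d %s -m state --state NEW -j DROP\n' "$gi" "$n"
    done
}

case "${1:-}" in
    apply) guest_isolation_rules "$GUEST_IF" "$GUEST_GW" "$PRIVATE_NETS" | sh ;;
    *)     guest_isolation_rules "$GUEST_IF" "$GUEST_GW" "$PRIVATE_NETS" ;;
esac
```

To verify on the router after applying, `iptables -L INPUT -n -v --line-numbers` should show the jump to guest_in as rule 1, and from a guest client `ping 10.0.10.1` and a browser request to the web UI should both fail while `nslookup` against 10.0.35.1 still works. If bridge-nf-call-iptables is enabled on the firmware, bridged guest-to-guest frames also traverse FORWARD with -i br30 -o br30 and will be dropped by the br+ rule, which is usually what a guest network wants anyway.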
Posted: Sun Oct 16, 2022 23:51 Post subject:
egc wrote:
@DWCruiser, a bridge also has a Net Isolation setting, which should isolate that bridge from br0.
So there is no need to do that manually.
Yeah. You're right. I forgot about that in the bridge settings. Thanks.