I've created a virtual interface wlan0.1 that is set to use subnet 192.168.12.x (main router is 192.168.11.x).
Even after setting wlan0.1 to be unbridged with AP and net isolation, I can still ping from the .11 network to the .12 network and vice versa.
I am using a TP-Link Archer C7 V2 with dd-wrt v3.0-r62036 std (08/08/25).
Attached the relevant config screens:
If you want the VAP/bridge to have only internet access and no access to the rest of the network:
Replace GUEST_IF with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1, etc.:
Code:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP from main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
To make it simple and isolate the VAP/bridge from all known private subnets, which isolates it not only from the main network but also from other bridges:
Code:
iptables -I FORWARD -i $GUEST_IF -d 192.168.0.0/16 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 10.0.0.0/8 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 172.16.0.0/12 -m state --state NEW -j REJECT
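One way to confirm the three rules above are in place and sit above any broad ACCEPT for the guest interface (an added example, not part of the original posts). It assumes `iptables -S FORWARD` output is available from the router; the function name `unblocked_ranges` and both rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `iptables -S FORWARD` output on stdin and prints every
# RFC 1918 range that NEW traffic entering on interface $1 can still reach.
# Simplification: only the -i, -d and -j fields of each rule are inspected.
unblocked_ranges() {
    awk -v ifc="$1" '
    BEGIN { n = split("192.168.0.0/16 10.0.0.0/8 172.16.0.0/12", want, " ") }
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        in_if = ""; dst = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (in_if != "" && in_if != ifc) next      # rule is for another interface
        if (target == "ACCEPT" && dst == "" && $0 !~ /RELATED|ESTABLISHED/) {
            # First match wins: a broad ACCEPT opens every range not yet blocked.
            for (k = 1; k <= n; k++) if (!(want[k] in seen)) seen[want[k]] = "open"
        } else if (target == "REJECT" || target == "DROP") {
            for (k = 1; k <= n; k++)
                if (want[k] == dst && !(dst in seen)) seen[dst] = "blocked"
        }
    }
    END { for (k = 1; k <= n; k++) if (seen[want[k]] != "blocked") print want[k] }
    '
}

# Constructed sample: rules added with -I sit above the interface ACCEPT.
RULES_OK='-P FORWARD ACCEPT
-A FORWARD -d 172.16.0.0/12 -i wlan0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.0.0.0/8 -i wlan0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.0.0/16 -i wlan0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0.1 -j ACCEPT'

# Constructed sample: 172.16.0.0/12 is missing and 10.0.0.0/8 sits below the ACCEPT.
RULES_BAD='-A FORWARD -d 192.168.0.0/16 -i wlan0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wlan0.1 -j ACCEPT
-A FORWARD -d 10.0.0.0/8 -i wlan0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable'

# Lists the ranges the guest interface can still reach in the second sample.
printf '%s\n' "$RULES_BAD" | unblocked_ranges wlan0.1
```

Against a live rule set, pipe the output of `iptables -S FORWARD` into `unblocked_ranges` with your VAP's interface name; empty output means all three ranges are rejected before any broad ACCEPT.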