I am planning to buy a hap ax3 for my house.
The main thing I want is to be able to fully isolation nearly all devices on the wifi. So no talking to each other, only internet access.
Everything I've read about this is talking about VLANs. Is that the only option? To put every single device on its own vlan?
Most forum posts and articles I've read were talking about the physical ports. I just want to confirm, can I have each wifi device on its own vlan?
If VLANs are the way to go, is there an automated way so that every new device will auto be put in a new vlan or do I have to do that manually?
Re: Full wifi device isolation
VLANS are extremely useful in preventing groups of users from accessing each other and are recommended.
For users within a VLAN, then firewall rules are useless.
In the old way of WIFI one could use access lists ............... however all i can find on my hapax3 is clien-isolation.
Here is a quote for Datapath Function TAB in Wifi....
client-isolation (no | yes) Determines whether client devices connecting to this interface are (by default) isolated from others or not.
This policy can be overridden on a per-client basis using access list rules, so a an AP can have a mixture of isolated and non-isolated clients.
Traffic from an isolated client will not be forwarded to other clients and unicast traffic from a non-isolated client will not be forwarded to an isolated one.
Default: no
For users within a VLAN, then firewall rules are useless.
In the old way of WIFI one could use access lists ............... however all i can find on my hapax3 is clien-isolation.
Here is a quote for Datapath Function TAB in Wifi....
client-isolation (no | yes) Determines whether client devices connecting to this interface are (by default) isolated from others or not.
This policy can be overridden on a per-client basis using access list rules, so a an AP can have a mixture of isolated and non-isolated clients.
Traffic from an isolated client will not be forwarded to other clients and unicast traffic from a non-isolated client will not be forwarded to an isolated one.
Default: no
-
-
gotsprings
Forum Guru
- Posts: 2183
- Joined:
Re: Full wifi device isolation
It used to be in caps-man, client to client forwarding. Also under datapath.
Re: Full wifi device isolation
I just read that I can't have more than 1 VLAN per virtual/SSID. If that is the case, I guess that client-isolation is the way to go.
Is there some way to have firewall rules between WIFI devices? So for example to allow one specific IP to connect to another IP over port 80 and nothing else?
Is there some way to have firewall rules between WIFI devices? So for example to allow one specific IP to connect to another IP over port 80 and nothing else?
Re: Full wifi device isolation
Mikrotik QuickSet config use a bridge filter that block forwarding. So that's another way to do client isolation:
Code: Select all
/interface bridge filter
add action=drop chain=forward in-interface=wifiXX
add action=drop chain=forward out-interface=wifiXXRe: Full wifi device isolation
Sorry, I posted this on the wrong thread, so I have removed it and put it on the correct thread.
Kind regards
Chris
Kind regards
Chris
Last edited by ChrisN1 on Sun May 19, 2024 1:22 pm, edited 1 time in total.
Re: Full wifi device isolation
On wireless chip, enable client isolation, then VLANs (Main VLAN, Guest VLAN etc), and finally on the layer 3-sub interface VLAN, you enable local-proxy-arp.
Re: Full wifi device isolation
No, wifi client isolation only (enough for wifi) + bridge filter.enable local-proxy-arp
Who is online
Users browsing this forum: No registered users and 8 guests