Full wifi device isolation

I am planning to buy a hap ax3 for my house.

The main thing I want is to be able to fully isolate nearly all devices on the wifi. So no talking to each other, only internet access.

Everything I’ve read about this is talking about VLANs. Is that the only option? To put every single device on its own vlan?

Most forum posts and articles I’ve read were talking about the physical ports. I just want to confirm, can I have each wifi device on its own vlan?

If VLANs are the way to go, is there an automated way so that every new device will auto be put in a new vlan or do I have to do that manually?

VLANs are extremely useful in preventing groups of users from accessing each other and are recommended.
For users within a VLAN, firewall rules are useless.

In the old way of WiFi one could use access lists … however all I can find on my hAP ax3 is client-isolation.

Here is a quote for Datapath Function TAB in Wifi…
client-isolation (no | yes) Determines whether client devices connecting to this interface are (by default) isolated from others or not.
This policy can be overridden on a per-client basis using access list rules, so an AP can have a mixture of isolated and non-isolated clients.
Traffic from an isolated client will not be forwarded to other clients and unicast traffic from a non-isolated client will not be forwarded to an isolated one.
Default: no

It used to be in caps-man, client to client forwarding. Also under datapath.

I just read that I can’t have more than 1 VLAN per virtual/SSID. If that is the case, I guess that client-isolation is the way to go.

Is there some way to have firewall rules between WIFI devices? So for example to allow one specific IP to connect to another IP over port 80 and nothing else?

MikroTik QuickSet config uses a bridge filter that blocks forwarding. So that’s another way to do client isolation:

/interface bridge filter
add action=drop chain=forward in-interface=wifiXX
add action=drop chain=forward out-interface=wifiXX

Sorry, I posted this on the wrong thread, so I have removed it and put it on the correct thread.

Kind regards
Chris

On wireless chip, enable client isolation, then VLANs (Main VLAN, Guest VLAN etc), and finally on the layer 3-sub interface VLAN, you enable local-proxy-arp.

No, wifi client isolation only (enough for wifi) + bridge filter.