I want to isolate my wifi clients using the DEFAULT FORWARD tick.
Just to be sure:
DEFAULT FORWARD ticked == CLIENT isolation
DEFAULT FORWARD unticked == CLIENT can communicate with each other.
Using WIFI with a unique dedicated bridge (WIFIBRIDGE) worked this way.
Last week I changed my network structure, using just ONE bridge with multiple VLANs, and linked wifi to VLAN70 (DHCP, FW rules work).
Now the behaviour is completely different:
DEFAULT FORWARD ticked == CLIENT can communicate with each other.
DEFAULT FORWARD unticked == CLIENT isolation.
Checking the wiki: default-forwarding (yes | no; Default: yes) - This is the value of forwarding for clients that do not match any entry in the access-list.
I thought default forward was for allowing all those who access the AP to be automatically allowed to have their traffic forwarded (i.e. to the internet or to other LANs).
This has nothing to do with wifi client to wifi client isolation??? That is another feature of access points.
Reading further in the wiki, I found: forwarding (yes | no; Default: yes)
no - Client cannot send frames to other station that are connected to same access point.
yes - Client can send frames to other stations on the same access point.
Now this seems to address the question being asked.
However you can see the confusion caused by wording that is almost duplicated.
Perhaps my interpretation is wrong.
Perhaps it should be.
The default forwarding for Access Points (Radios) is allow, which means wifi clients can talk to wifi clients.
Forwarding in the AP access list is NOT for allowing access to the internet or LAN but ONLY for talking to other wifi clients on the same radio???
What I was mistaking by forwarding in the first wiki link is properly handled on firewall rules…???
OR DO I STILL HAVE IT WRONG AND IT SHOULD BE.
Forwarding on by default allows a client on an AP to communicate with all devices connected to the AP, be it other wifi connected devices or wired connected devices (switches, routers, PCs) etc. In which case we still don't have a feature that ONLY ISOLATES wifi client to wifi client on the same AP???