client isolation on mesh for clients -need help

Posted: Wed Jul 17, 2013 8:50 pm
by Ehman
Hello, can someone help me with some firewall rules for my 4 mesh APs so that I can use client isolation on them all? Because with the option "disable default forward on the wireless interface" set, I can access the following:

pc1<--wireless-->mesh ap 1<----WDS---->mesh ap 2<--wireless-->pc2
---boooom, I can access pc1 from pc2 and vice versa, but 2 PCs on the same AP are blocked :shock:

Re: client isolation on mesh for clients -need help

Posted: Thu Jul 18, 2013 4:15 pm
by Ehman
Hi folks... is this too difficult to pull off? :?

Re: client isolation on mesh for clients -need help

Posted: Thu Jul 18, 2013 8:11 pm
by Feklar
Default forward only applies to devices connected to the same radio, so what you are seeing is expected.

Without knowing your configuration, it's a bit hard to tell you how to set up the firewall. Most likely your interfaces are bridged, correct? If so, set "use IP firewall" to yes in your bridge settings, and you should be able to block them on the forward chain of the firewall filter.

Re: client isolation on mesh for clients -need help

Posted: Thu Jul 18, 2013 8:22 pm
by Ehman
Default forward only applies to devices connected to the same radio, so what you are seeing is expected.

Without knowing your configuration, it's a bit hard to tell you how to set up the firewall. Most likely your interfaces are bridged, correct? If so, set "use IP firewall" to yes in your bridge settings, and you should be able to block them on the forward chain of the firewall filter.
You're 100% correct, I've done all that, but I'm not sure what IPs to block on the forward rule, or should I just block all local LAN ranges and I should be fine?

Re: client isolation on mesh for clients -need help

Posted: Thu Jul 18, 2013 10:35 pm
by Feklar
Block all src and dst addresses for local ranges except the default gateway for the network. You might need to also allow the broadcast IP in case you want to allow broadcast traffic to work. If you are on the mesh network while doing this, be sure to have safe mode enabled in case you mess something up!

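The approach Feklar describes (bridged interfaces with "use IP firewall" enabled, then forward-chain rules that drop LAN-to-LAN traffic while leaving the gateway and the broadcast address reachable), written out as an added RouterOS example. This is not configuration from the thread or from MikroTik; the bridge name, the 192.168.88.0/24 range, the gateway 192.168.88.1 and the address-list name are constructed assumptions and must be replaced with the real values of the network. The same rules are loaded on every mesh AP, since each AP only sees the traffic its own bridge forwards.

```routeros
# Constructed example, not from the original thread. Assumed: one bridge
# carrying the wireless and WDS interfaces, LAN 192.168.88.0/24, and a
# separate default gateway at 192.168.88.1 that is not this AP itself.

# 1. Make bridged (layer-2 forwarded) IP traffic pass through the IP
#    firewall's forward chain instead of being switched straight across.
/interface bridge settings set use-ip-firewall=yes

# 2. Describe the local LAN once, so the drop rule stays readable.
/ip firewall address-list
add list=local-lan address=192.168.88.0/24 comment="constructed example LAN"

# 3. Forward-chain rules. Order matters: the accepts for the gateway and
#    the broadcast address must come before the LAN-to-LAN drop.
/ip firewall filter
add chain=forward dst-address=192.168.88.1 action=accept \
    comment="clients may reach the default gateway"
add chain=forward src-address=192.168.88.1 action=accept \
    comment="replies from the default gateway"
add chain=forward dst-address=192.168.88.255 action=accept \
    comment="optional: keep subnet broadcast working (e.g. DHCP discovery)"
add chain=forward src-address-list=local-lan dst-address-list=local-lan \
    action=drop comment="client isolation: no LAN host to LAN host traffic"
```

Two things worth checking after applying this: watch the packet counters on the drop rule while pinging pc2 from pc1 (the counter should climb and the ping should fail), and remember that the IP firewall only inspects IP traffic, so non-IP frames such as ARP still cross the bridge; that is what lets clients resolve the gateway's MAC address, and it is expected. As Feklar notes, enable Safe Mode before committing these rules when you are connected over the mesh, so a mistake in the drop rule rolls back rather than locking you out.
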
Re: client isolation on mesh for clients -need help

Posted: Fri Jul 19, 2013 12:45 pm
by Ehman
Block all src and dst addresses for local ranges except the default gateway for the network. You might need to also allow the broadcast IP in case you want to allow broadcast traffic to work. If you are on the mesh network while doing this, be sure to have safe mode enabled in case you mess something up!
Thx, good idea :) It's working like a charm.