Posted: Tue Nov 28, 2023 17:25 Post subject: iptables/ebtables for AP Isolation
I want to automate turning on/off "AP Isolation" from a bash script.
Can you tell me what iptables/ebtables commands are executed to turn-on/turn-off "AP Isolation"?
Are there any other changes made beyond iptables/ebtables?
Joined: 26 Mar 2013 Posts: 1858 Location: Hung Hom, Hong Kong
Posted: Wed Nov 29, 2023 13:21 Post subject: Re: iptables/ebtables for AP Isolation
puterboy2 wrote:
I want to automate turning on/off "AP Isolation" from a bash script.
Can you tell me what iptables/ebtables commands are executed to turn-on/turn-off "AP Isolation"?
Are there any other changes made beyond iptables/ebtables?
The following command should list all NVRAM values related to AP and Net Isolation for the various network interfaces:
You should just flip the value between 1 and 0 then restart some processes which I dunno, instead of directly manipulating the firewall. Unless you use your own custom iptables and/or ebtables rules to enforce isolation, which makes Wildlion's suggestion a starting point.
_________________
Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Just as you cannot isolate LAN clients in the same subnet from each other via iptables.
They communicate directly with each other via layer2 and iptables is layer3
For WLAN this is done using low level stuff in the driver/hostap.
You should just flip the value between 1 and 0 then restart some processes which I dunno, instead of directly manipulating the firewall. Unless you use your own custom iptables and/or ebtables rules to enforce isolation, which makes Wildlion's suggestion a starting point.
Of course the million dollar question is to know what "processes" to run or restart
Just as you cannot isolate LAN clients in the same subnet from each other via iptables.
They communicate directly with each other via layer2 and iptables is layer3
For WLAN this is done using low level stuff in the driver/hostap.
I'm not familiar with the Broadcom NAS stuff, but on the other routers that use hostapd "ap_isolate=1" is written to hostapd.conf.
Ahhh that makes sense.
I recall that at least with Kong's version, if I wanted full isolation between clients, in addition to enabling "AP Isolation", I needed to add a line to ebtables to prevent communication between clients on wl0.1 and wl1.1.
Not sure if that is still necessary...
Indeed, the Wiki page for ebtables says:
Quote:
While iptables operates at the Network Layer (Layer 3), ebtables operates at the Data Link Layer (Layer 2), enabling a more granular level of traffic control
Is it possible that ebtables is used also for AP Isolation?
If not, does anyone know what code is executed to turn on/off AP Isolation?
Yes, probably if you have bridged the two VAPs and they are in the same subnet then you can control what data is exchanged between the two network interfaces via ebtables.
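An added example, not from any post in this thread: a small POSIX sh script that lists the isolation-related NVRAM variables the replies mention and emits the ebtables FORWARD rules that block layer-2 frames between the two bridged VAPs (wl0.1 and wl1.1, the interfaces named in the thread). The `RUN=echo` default makes it a dry run on any machine; the NVRAM key names in the sample are assumptions, and restarting whatever daemons reread NVRAM is left out because the thread does not establish which ones.

```shell
#!/bin/sh
# Added example, not DD-WRT's own code. RUN=echo prints the commands (dry run);
# on the router set RUN="" so ebtables/nvram are actually executed.
RUN="${RUN:-echo}"

# Filter `nvram show` output down to variables whose name mentions isolation.
# Reads stdin so it can be fed a constructed sample as well as the real output.
list_isolation_vars() {
  grep -E '^[^=]*isolat[^=]*=' | sort
}

# ebtables works at layer 2, so these rules stop bridged clients on the two VAPs
# reaching each other even though iptables never sees that traffic.
# $1 = -A (add) or -D (delete), $2 and $3 = the two VAP interface names.
vap_isolation_rules() {
  op="$1"; a="$2"; b="$3"
  $RUN ebtables "$op" FORWARD -i "$a" -o "$b" -j DROP
  $RUN ebtables "$op" FORWARD -i "$b" -o "$a" -j DROP
}

# Turn cross-VAP isolation on (1) or off (0) between wl0.1 and wl1.1.
# The NVRAM key wl0.1_ap_isolate is an assumed name for the per-VAP flag.
set_isolation() {
  case "$1" in
    1) op=-A ;;
    0) op=-D ;;
    *) echo "usage: set_isolation 0|1" >&2; return 1 ;;
  esac
  $RUN nvram set "wl0.1_ap_isolate=$1"
  vap_isolation_rules "$op" wl0.1 wl1.1
}

# Constructed sample standing in for `nvram show` during the dry run.
SAMPLE_NVRAM='wl0_ap_isolate=0
wl0.1_ap_isolate=1
lan_ipaddr=192.168.1.1
wl1.1_isolation=0'
```

Run `printf '%s\n' "$SAMPLE_NVRAM" | list_isolation_vars` to see the filter on the sample, and `set_isolation 1` to print the rule set that would be applied.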