How to prevent Guest Network clients from communicating with each other?

I'm facing a serious problem with my Guest network.
Basically I've used the following guide to set up my guest network: https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/
I was running a different setup before, but I didn't save my old config...

So for some reason clients can still ping each other, and probing the network for clients with my Android phone also works, so I can discover any active host on my guest network using an app called Port Authority...

"My Setup"
LAN Router IP: 192.168.1.1
Guest Network IP: 192.168.55.1
option isolate '1' on both of my guest wifi APs

Firewall Rules (without the default-rules):
..........................

config rule
	option src 'wifi_guest'
	option dest 'lan'
	option name 'Disable Guest Lan Access'
	option target 'REJECT'
	option dest_ip '192.168.1.0/24'

config rule
	option target 'DROP'
	option src 'wifi_guest'
	option dest 'wan'
	option dest_ip '192.168.254.0/24'
	option name 'Disable Modem Access'

config rule
	option src 'wifi_guest'
	option dest 'wifi_guest'
	option name 'Block Guest to Guest [ISOLATE]'
	option target 'REJECT'

config rule
	option src 'wifi_guest'
	option name 'Disable Router Access [HTTP]'
	option dest_port '80'
	option target 'DROP'

config rule
	option src 'wifi_guest'
	option dest_port '443'
	option target 'DROP'
	option name 'Disable Router Access [HTTPS]'

config rule
	option src 'wifi_guest'
	option name 'Disable Router Access [SSH]'
	option dest_port '22'
	option target 'DROP'

config rule
	option src 'wifi_guest'
	option name 'Disable Router Access [Telnet]'
	option dest_port '23'
	option target 'DROP'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan wan6 Modem'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'wifi_guest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option masq '1'

config redirect
	option target 'SNAT'
	option src 'wifi_guest'
	option dest 'lan'
	option proto 'all'
	option src_dip '192.168.1.1'
	option name 'Allow-Guest-Internet'

config forwarding
	option dest 'wan'
	option src 'wifi_guest'

config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

Custom Firewall rules:

iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 53 -j REDIRECT --to-port 53

I don't know what I'm doing wrong here and I would appreciate a helping hand.
Basically all I want is completely isolated guest clients; they should only get access to the internet and nothing more...

What you want is client isolation. As long as there's just one AP, all you have to do is enable isolation; look in the docs for that option, or maybe it's just a checkbox in LuCI.

In LuCI, in Wireless under Advanced Settings: Isolate Clients.

I've already enabled client isolation in the GUI and it's also present in my wifi config.
I have a 5 GHz and a 2.4 GHz guest AP and both have this option ticked.

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid '5G-guest'
	option isolate '1'
	option encryption 'psk2+ccmp'
	option key ''
	option network 'guest'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid '2.4G-guest'
	option isolate '1'
	option encryption 'psk2+ccmp'
	option key ''
	option network 'guest'

So the problem must lie somewhere else...

Is it that clients on opposite bands can talk to each other, but clients on the same band are isolated? If so, you need to firewall and turn on the sysctls for bridge iptables.

And ensure that "hairpin" bridging is off. See, for example:


I can ping and see clients within the 5 GHz guest AP when connected to 2.4 GHz and vice versa.
It's really driving me crazy, as I don't know where the problem lies...

But 5 can't ping 5 and 2.4 can't ping 2.4, right? This was covered in a recent thread on wifi isolation...


Nope, that works also... I've just tried it.
I was connected to my 5 GHz guest AP with a Win 10 laptop and could ping my Android phone connected to the 2.4 GHz guest AP.
Oh btw, I'm using a WRT3200ACM on the latest davidc build.

I feel like there should be an easy fix for this, and I find it kind of essential to get something like this to work with OpenWrt.

That's not what I said; test a ping from the same band as the destination.

Sorry, misunderstanding.
I can't ping from a client connected to my 2.4 GHz guest AP to another client connected to the same 2.4 GHz guest AP.

Was that what you were asking for?

I guess each of your APs is an interface in the same firewall zone. I think you just need to disable forwarding between interfaces in the same zone. It is on the Firewall page: choose Drop instead of Accept.

UPDATE: it will be at the bottom, where your guest firewall zone is displayed.

I think it's already like this...

edit: maybe ebtables could help here...?

ebtables -I FORWARD -i wlan0-1 -o wlan1-1 -j DROP
ebtables -I FORWARD -i wlan1-1 -o wlan0-1 -j DROP

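The two ebtables rules above cover one pair of radios; with a wired VLAN port in the same bridge the rule set grows per ordered pair of members. The script below is an added example, not part of this thread, that generates the pairwise rules for any number of bridge members and, as an alternative, the single `--logical-in` rule that drops every frame the bridge would forward between any two of its ports (frames addressed to the router itself take the INPUT path, so DHCP, DNS and internet access are unaffected). Names such as br-guest, wlan0-1, wlan1-1 and the VLAN port name are assumptions taken from or constructed for this thread.

```shell
#!/bin/sh
# Added example: generate ebtables isolation rules for an OpenWrt guest bridge.
# The functions only print commands; pipe the output to "sh" on the router to
# apply it (for example from /etc/firewall.user, as the thread's custom rules).

# One DROP per ordered pair of bridge members, generalising the two rules
# quoted in the thread. N members produce N*(N-1) rules.
# Usage: pairwise_rules wlan0-1 wlan1-1 eth0.55
pairwise_rules() {
    for in_if in "$@"; do
        for out_if in "$@"; do
            [ "$in_if" = "$out_if" ] && continue
            printf 'ebtables -A FORWARD -i %s -o %s -j DROP\n' "$in_if" "$out_if"
        done
    done
}

# Single rule matched on the logical bridge: the bridge FORWARD chain only sees
# frames going from one port to another, so this isolates wifi and wired guest
# members alike without listing them. Usage: bridge_rule br-guest
bridge_rule() {
    printf 'ebtables -A FORWARD --logical-in %s -j DROP\n' "$1"
}

# Sysctl mentioned in the thread: with it set, bridged frames also traverse
# the iptables FORWARD chain, so the zone's "forward REJECT" applies to them.
bridge_nf_sysctl() {
    printf 'sysctl -w net.bridge.bridge-nf-call-iptables=1\n'
}

# Number of pairwise rules that would be emitted for the given members.
count_rules() {
    pairwise_rules "$@" | wc -l | tr -d ' '
}

# Stand-alone usage: print a complete rule set for the thread's guest bridge.
# The wired VLAN port name eth0.55 is constructed for this example.
bridge_nf_sysctl
bridge_rule br-guest
pairwise_rules wlan0-1 wlan1-1 eth0.55
```

Using either the pairwise set or the single bridge rule is enough; installing both is harmless but redundant.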

Can your guests ping LAN IPs? I think they can, because the Input rule on LAN is Accept.

The LAN interface within the guest zone is my VLAN link to my Tomato AP.
I can try to put a LAN client into my guest network (I have a guest VLAN because of the Tomato AP) and see if I can ping it from a wireless guest client...

Yes, that's the expected behavior; see the thread I linked above, it solves this exact problem.

Edit: Yes, an ebtables rule is easiest; see that thread.

I have a very similar setup with several APs and one wired port in the same guest zone, and I only used AP isolation and disabled forwarding within the zone. Why does it work for me then without using ebtables? No one can ping anyone within the zone. And they cannot access LAN because the input rule for LAN is Drop.

So I've just tested, and yes, a guest LAN client is able to ping a guest wifi client and vice versa...

I would love to know that as well... Maybe my setup is wrong from the beginning.
I'll need to reconfigure everything tomorrow, because I have no more energy today.
Are your LAN clients within the guest network also isolated?

Can I follow this tutorial for the basic setup?: https://medium.com/openwrt-iot/openwrt-multiple-ssids-f43169945890

Choose Drop for Input for LAN and guest and that will fix it.

I do not think so; you are almost there. Having said that, I have just tested my setup, and clients connected to different APs in the same guest firewall zone can only see each other if Accept is chosen for the Forward rule. If I set it to Drop, they cannot see each other.

No, this is a very different problem, and I only have a single wired client that deserves this kind of treatment. But it is isolated from all the WiFi clients.

I do not know. I used this one: https://wiki.openwrt.org/doc/recipes/guest-wlan-webinterface

Here is my setup:

Line #1 is LAN and line #3 is the guest firewall zone.