AP Isolation for Guest isn't working

I am on a Flint 2. I have another OpenWRT AP as well. I set up the Guest network on my Flint 2 and changed the settings to make it a full-blown VLAN. AP Isolate is enabled within the Gl.Inet Networking→Guest menu. I also see under Firewall Zone in Luci that Guest Intra zone forward is disabled.

Nonetheless, devices on Guest can talk to each other (tested with ping as well as hitting a self-hosted website). After using Gemini for 2 hours, the only way I was able to figure out to block the cross communication was to create the following script to add a layer 2 bridge rule:
# create a bridge-family table (separate from the inet fw4 table LuCI manages)
nft add table bridge isolation
# hook the bridge 'forward' path, i.e. frames switched port-to-port inside the bridge
nft add chain bridge isolation forward '{ type filter hook forward priority -100; policy accept; }'
# start from an empty chain so re-running the script does not duplicate the rule
nft flush chain bridge isolation forward
# drop every bridged frame tagged with the guest VLAN (100 here)
nft add rule bridge isolation forward ether type vlan vlan id 100 counter drop

Is this an issue with the router firmware, or perhaps it's broken because I converted the subnet into a full-blown VLAN?

FWIW, I also disabled flow offloading and WED (via /etc/modules.d/mt7915e) to no avail. (Flow offloading was disabled because it was causing other issues with smoothly transitioning between APs without dropping packets, a different problem that I don't want to get hung up on in this thread.)

I also tried a Traffic rule to drop guest-guest zone packets but that didn’t do anything w/o the above nft rule.

Hi,

The AP Isolation function only applies to devices on the Guest Wi-Fi. If you have added Ethernet (ETH) ports to the Guest network, this isolation will not be effective for those wired devices.

Furthermore, if you wish to implement isolation that includes Ethernet ports, you must manually add nft (nftables) rules to block forwarding at the bridge level, rather than at the IP level where firewall rules are typically created in Luci.


I was only testing communication of devices that are on guest wifi. Perhaps however this is a problem because I do have a tethered AP to an ethernet port and some devices are connected to that AP's wifi which shows up on the Flint2 as an ethernet connected device. If that's the case, is the nft table rule I applied my only solution?

Also, I had to create a script to apply that rule at start-up because I couldn't figure out a way for it to save between reboots. Is there a better way to do this?

In this situation, nftables firewall rules are likely the only solution.

You can place your custom rules in the /etc/nftables.d/ directory.

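Added example (not from this thread and not GL.iNet's or OpenWrt's own code) covering both replies above: the bridge-level nftables isolation the first reply describes, packaged so that it survives reboots and firewall reloads. It assumes the guest VLAN id 100 used in the thread, a table name of "isolation" chosen here, and that the script is installed as /etc/guest-isolation.sh. One caveat worth knowing when following the second reply: fw4 includes /etc/nftables.d/*.nft inside its own `table inet fw4` block, so a bridge-family table cannot be defined there; a script include in /etc/config/firewall (shown in the comments) is the supported place for it.

```shell
#!/bin/sh
# Persistent bridge-level guest isolation for OpenWrt/fw4 (added example).
# Assumptions: guest VLAN id 100 (from the thread), table name "isolation"
# (chosen here), installed at /etc/guest-isolation.sh and referenced from
# /etc/config/firewall as a script include (see bottom of file).

GUEST_VLAN="${GUEST_VLAN:-100}"

# Emit the nft ruleset as text. Declaring the table and then deleting it makes
# re-runs idempotent: the bare "table" line succeeds whether or not the table
# exists, and the following "delete" wipes any previous rules before the fresh
# definition. fw4 re-runs script includes on every firewall reload.
guest_isolation_ruleset() {
    vid="$1"
    cat <<EOF
table bridge isolation
delete table bridge isolation
table bridge isolation {
    chain forward {
        type filter hook forward priority -100; policy accept;
        # Frames bridged port-to-port inside the guest VLAN: client-to-client
        # traffic, including wired ports and devices behind a tethered AP.
        # Traffic to the router itself (DHCP, DNS, routing to WAN) traverses
        # the bridge 'input' hook, not 'forward', so it stays unaffected.
        ether type vlan vlan id $vid counter drop
    }
}
EOF
}

# Count the drop rules in the generated ruleset; used as a sanity check that
# works without root and without nft installed.
count_vlan_drop_rules() {
    guest_isolation_ruleset "$1" | grep -c "vlan id $1 counter drop"
}

# Load the ruleset atomically; "nft -c -f -" would only syntax-check it.
apply_guest_isolation() {
    guest_isolation_ruleset "$GUEST_VLAN" | nft -f -
}

# Register this script with fw4 once (run as root, then reload the firewall):
#   uci add firewall include
#   uci set firewall.@include[-1].type='script'
#   uci set firewall.@include[-1].path='/etc/guest-isolation.sh'
#   uci set firewall.@include[-1].fw4_compatible='1'
#   uci commit firewall && /etc/init.d/firewall reload
# Verify afterwards with: nft list table bridge isolation

if [ "${1:-}" = "apply" ]; then
    apply_guest_isolation
fi
```

Run `sh /etc/guest-isolation.sh apply` on the router to load the rules by hand, or leave the argument off when fw4 invokes the include (fw4 runs the script itself; passing "apply" is only needed for manual use, so adjust the final `if` to taste). The `counter` keyword lets `nft list table bridge isolation` show whether guest-to-guest frames are actually being dropped, which is the quickest way to confirm the rule is hit rather than bypassed by offloading.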