Block guest to lan

I have set up the AX1800 router with OpenVPN Client.

The firmware is on the latest 4.6.8.

  • VPN policy based on VLAN, with Private VLAN Enable VPN ON
  • Guest VLAN Enable VPN OFF

Also AP isolation is ON.

  • Network > Guest Network > AP isolation is ON

There is no other network equipment involved.

With this setup, Guest network 192.168.9.0/24 should not have access to the Private network 192.168.8.0/24 right?

But in my setup, they can ping each other although they should not be able to.

  • 192.168.8.210 can ping 192.168.8.230.

And 2 machines that are connected to the Guest wifi can ping each other when AP isolation is ON.

  • 192.168.9.210 can ping 192.168.9.211.

How would I block the Guest network from being able to talk to the Private network and vice versa? Do I need to do this using iptables?

  • Guest <-block-> Private wired LAN and Private wifi

  • Private LAN and Private wifi SSID <-block-> Guest

And also block computers connected to the Guest wifi from being able to talk to each other.

  • Guest <-block-> Guest

With guest isolation only the wireless segment should be isolated (it uses hostapd's isolation feature); however, creating a firewall rule like this won't work. You need firewall filtering inside the bridge, which can be done with ebtables or ebtables-nft (I think this one is not recommended, since Flint 1 still uses iptables).

ebtables -A FORWARD --logical-in yournetworkinterface -j DROP

Then make the rule apply at each restart.

However, since Flint 1 uses the openwifi/wlanap SDK, it is possible that these wireless isolation features are very limited and may not work; I think someone from GL-iNet knows this better.
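The two blocks the question asks for (Guest <-block-> Guest at the bridge level, Guest <-block-> Private at the routing level), written up as an added example rather than code from either poster. It assumes the guest bridge interface is br-guest and the firmware uses ebtables and iptables as the reply states; set DRY_RUN=1 to print the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the thread. Isolates the guest network at two layers:
#  - L2 (ebtables): frames bridged between two guest ports are dropped. This
#    covers what hostapd's per-BSS AP isolation misses, e.g. a 2.4 GHz guest
#    client reaching a 5 GHz guest client (different VAPs, same bridge), or
#    wired guest ports.
#  - L3 (iptables): routed traffic between the guest and private subnets is
#    dropped in both directions. Guest and private are separate bridges, so
#    the bridge never forwards between them; only routing does.
# Assumptions (not given in the thread): guest bridge is br-guest; subnets as
# posted. Set DRY_RUN=1 to print the commands instead of running them.

GUEST_BR="${GUEST_BR:-br-guest}"
GUEST_NET="192.168.9.0/24"
LAN_NET="192.168.8.0/24"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Guest <-block-> Guest: drop anything that both enters and leaves the guest
# bridge. Frames addressed to the router itself go through INPUT, not FORWARD,
# so clients keep DHCP, DNS and their default gateway.
guest_l2_isolation() {
    run ebtables -A FORWARD --logical-in "$GUEST_BR" --logical-out "$GUEST_BR" -j DROP
}

# Guest <-block-> Private: insert at the top of FORWARD so these rules win over
# any "accept established" rule the firmware already installed.
guest_l3_block() {
    run iptables -I FORWARD -s "$GUEST_NET" -d "$LAN_NET" -j DROP
    run iptables -I FORWARD -s "$LAN_NET" -d "$GUEST_NET" -j DROP
}

# "apply" installs the rules, "show" prints them. To make them survive a
# reboot on an OpenWrt-based firmware, call this script with "apply" from
# /etc/rc.local (assumption: the firmware keeps that file and runs it at boot).
case "${1:-}" in
    apply) guest_l2_isolation; guest_l3_block ;;
    show)  DRY_RUN=1; guest_l2_isolation; guest_l3_block ;;
esac
```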