How do I isolate wireless clients from my LAN?

Fritz

Well-Known Member
Apr 6, 2015
OK, I've been fighting this problem for way too long. I've Googled til I'm blue in the face and have come up with nothing but gibberish and info that has nothing to do with my issue.

I want to allow wireless clients to access the Internet ONLY. NO local computers and NO local resources. INTERNET only.

I'm currently using PFSense as my router and I have 2 AP's available for usage, a Ruckus 7372 and a Aruba IAP 225.

I googled how to use an AP with PFSense and all google returned was how to use PFSense AS AN AP. :mad:

If someone could point me in the right direction I'd mucho appreciate it.

For starters, what is it that will actually do the blocking, PFSense or the AP?

The Ruckus has its own DHCP server and I can put the wireless clients into whatever subnet I want but they still have access to the LAN. So what's the point?

The Aruba is far, far more complicated and I'm still experimenting with it. I thought I could just set up a guest network and that would do the trick, but hell no, the guest network has full access to the LAN.

Somebody please help.
 

klui

Active Member
Feb 3, 2019
You want to let the AP do it if it can--then it's just a "checkbox." Otherwise create a firewall rule so that clients on the WiFi VLAN can only access the internet. Having a separate VLAN for WiFi clients will make it easier to create your rule; otherwise you'd have to differentiate between wired and wireless clients.


Question

Is there a way to enable Client Isolation on standalone AP?

Customer Environment

Standalone AP

Resolution

We do have some form of client isolation on standalone APs. However, there has never been full client isolation on Standalone APs. Standalone APs do not have layer 3/layer4 isolation filters.

rkscli : set ap-bridge <wlan name> [enable|disable]
rkscli : get ap-bridge <wlan name>

set ap-bridge : set ap-bridge <wlan name> {enable|disable}

-- Modify AP WLAN's wireless bridge mode

Example :

rkscli : get ap-bridge wlan0
wlan0 AP-Bridge Mode: Disabled
OK
rkscli : set ap-bridge wlan0 enable
OK


The ‘set ap-bridge disable’ disables the inter BSS relay that permits clients associated to the same WLAN to intercommunicate directly via Layer 2 (MAC forwarding). Disabling this feature will not block users from directly communicating if associated to other WLANs on the same AP or across APs.

The full isolation feature is only available with ZoneDirector that manages layer 3 filter, implemented on each AP, that uses a destination Layer3/layer4 filter to block traffic on the locally defined subnets. However, it will not block L2 port snooping, ARP resolution, or other L2 communications across Access Points.
 

Fritz

Well-Known Member
Apr 6, 2015
Thank you sir. Looks like the Ruckus can't do it so I need to pursue the Aruba. Funny thing is, I always thought that different subnets can't talk to each other. Guess I was wrong. :(
 

klui

Active Member
Feb 3, 2019
It depends on the device. Some enable inter-VLAN routing by default, some don't.
 

i386

Well-Known Member
Mar 18, 2016
Germany
Not sure if this is what you're looking for and if it works with your ruckus ap...
[Screenshot attached: Unleashed Dashboard, 2022-04-17]

 

Fritz

Well-Known Member
Apr 6, 2015
[quoting i386's post and screenshot above]

Thanks. I believe this applies to Ruckus Unleashed which I don't have and can find nothing on in regards to compatibility. The Ruckus website has about a hundred versions for a long list of AP's but not for the one I have.

EDIT - Just read where this Ruckus isn't compatible with Unleashed and will brick it if you try it.
 

Sean Ho

seanho.com
Nov 19, 2019
Vancouver, BC
seanho.com
Your original post specified all wireless clients should be isolated from the LAN -- if that's really what you want, you can accomplish it even without VLAN support on your APs by just plugging your APs into a switch port that's on a separate VLAN. Trunk that VLAN (together with your regular LAN) back to pfsense, let pfsense be the default gateway (and DHCP server) for that VLAN, and then pfsense firewall rules can control what the wifi VLAN can access.

If you don't have a managed switch that can do VLANs, you can wire the APs via a dedicated dumb switch to a dedicated NIC port on pfsense -- physically separated LANs rather than VLANs.

In either case, both APs would be running in AP/bridge mode, not as routers in their own right.

The value of getting your AP to do VLANs is so you can broadcast multiple SSIDs mapping to different VLANs. So you can have trusted wifi clients hop on the LAN, and untrusted wifi clients go on the guest VLAN. (Also good for firewalling wifi IoT devices from either your LAN, or the internet, or both.)

AP client isolation is a different thing, but also handy for guest wifi -- it prevents wifi clients from talking directly to one another.
 

gvdwerf

New Member
Apr 20, 2022
Germany
You're looking for VLANs.
Also, I'm guessing the PFSense is your one-and-only router and a convenient place for DHCP. Switch all other DHCP servers (as in services) off in your network.

In the AP, create a VLAN and assign an SSID to it for authorised client devices.
Assuming your AP is connected to the router, create the same VLAN in the router, and allow it on the port to the AP.
Use firewall rules to control the VLAN traffic e.g. VLAN 10 only allowed to WAN. This is essentially "guest" access.

Controlling who gets access to the VLAN and where the VLAN traffic may go is the basis of (VLAN) network control and security.
Another "guest" variation: a second VLAN may only allow your IoT devices and home automation server, and traffic to the Internet, but nothing coming in.

The rest is up to your imagination.

BTW - AP client isolation helps within the AP assuming it's the only router, but don't rely on it when you have L3 switches and/or routers upstream which can circumvent the function.

Hope this helps.
 
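Sean Ho's and gvdwerf's replies both come down to the same thing: put the WiFi clients on their own VLAN, make pfSense the gateway for it, and let pfSense's per-interface rules decide what that VLAN may reach. pfSense walks the rules on an interface top-down and the first match wins, which is where "guest" rule sets usually go wrong. The Python below is an added illustration written for this thread, not pfSense code or anything from the original posts; the topology (LAN 192.168.1.0/24, WiFi VLAN 192.168.10.0/24, pfSense at .1 on each) and all flows are constructed sample values, and the `Rule`/`Flow` classes are a deliberately small model of the real rule engine.

```python
"""
Model of pfSense-style first-match rule evaluation on a guest WiFi VLAN.
Added example for this thread; not pfSense code. All addresses are
constructed sample values (assumption: LAN 192.168.1.0/24, WiFi VLAN
192.168.10.0/24, pfSense holds .1 on both).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

WIFI_GW = ip_address("192.168.10.1")  # pfSense address on the WiFi VLAN

# Block every private range rather than just the LAN subnet, so an IoT or
# lab VLAN added later is covered without touching the guest rules.
PRIVATE_NETS = tuple(ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
GW_ONLY = (ip_network(f"{WIFI_GW}/32"),)


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    proto: Optional[str] = None        # None = any protocol
    dst: Tuple = ()                    # () = any destination
    dport: Optional[int] = None        # None = any port

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        if self.dst and not any(ip_address(flow.dst) in n for n in self.dst):
            return False
        return True


# Rules on the WiFi VLAN interface, in the order pfSense would walk them.
# (pfSense adds its own DHCP-server allow rule on an interface where the
# DHCP server is enabled, so DHCP is not modelled here.)
WIFI_RULES = [
    Rule("pass", "udp", GW_ONLY, 53),      # DNS to pfSense's resolver
    Rule("pass", "tcp", GW_ONLY, 53),
    Rule("block", None, PRIVATE_NETS),     # no LAN, no other VLANs,
                                           # and no pfSense GUI either
    Rule("pass"),                          # everything left = Internet
]

# The common mistake: "pass any" placed first. The block rule after it
# never gets a chance to match, so the LAN is fully reachable.
WRONG_ORDER_RULES = [
    Rule("pass"),
    Rule("block", None, PRIVATE_NETS),
]


def evaluate(rules, flow: Flow) -> str:
    """Return the action of the first matching rule; default deny like pf."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


def guest_reaches_lan(rules) -> bool:
    """Self-check a rule set: can a guest client open SMB to a LAN host?"""
    probe = Flow("tcp", "192.168.10.50", "192.168.1.10", 445)
    return evaluate(rules, probe) == "pass"


if __name__ == "__main__":
    for name, rules in (("WIFI_RULES", WIFI_RULES),
                        ("WRONG_ORDER_RULES", WRONG_ORDER_RULES)):
        print(f"{name}: guest can reach LAN -> {guest_reaches_lan(rules)}")
```

Note that the gateway address itself falls inside 192.168.0.0/16, so only the explicitly listed DNS ports reach pfSense; a guest cannot open the web GUI or SSH on 192.168.10.1. The same rule order reproduces gvdwerf's second "IoT" variation by adding a pass rule for the home automation server's address above the private-range block.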

Fritz

Well-Known Member
Apr 6, 2015
[quoting gvdwerf's reply above]
Thank you sir. This removed a great deal of the mud.
 