Hi!
Is it possible to set Layer 2 isolation in AP?
Do connected clients not discover each other with software like Fing or Wifiman?
For other products it is possible to disable MAC forwarding, for Ruckus MAC whitelist, for Mikrotik disable default forwarding, or for Zyxel enable layer 2 isolation.
Thank you!
There is isolation in cnpilot home
You can do pretty much anything you want in cnpilot enterprise
Can you show me how I can do this setup?
I would be grateful
I have made this setting, here is my config:
That is what you should expect. The way wifi works is that every client and AP need to see each other so that the contention mechanism works…otherwise, RF collisions would hurt capacity. But not being able to communicate between clients is expected.
Mikrotik simple wifi settings, ping and device discover works:
If neighbor device discovery mechanism is either using Multicast or broadcast packets, yes you will still see the neighbors but you cannot pass any traffic between clients.
However, with client isolation enabled, do enable drop multicast and this will help reduce neighbour devices. Please follow steps below:
Thank you for your efforts, it seems we are on the right track, but it did not bring the desired result.
Here is the Zyxel solution:
Zyxel Knowledge Base Article: How to isolate guest wifi from accessing main resource on NAP series?
It is working very well.
Found an older post by firefly from Cambium.
I think this is the solution:
| Rule | Description |
|---|---|
acl deny mac 17 any ff:ff:ff:ff:ff:ff out |
deny L2 broadcast packets going on air |
acl permit mac 24 any any any |
allow all other packets in both the directions |
but something is missing, because this rule blocks communication between clients, but it also blocks the Internet connection.
Where did I make a mistake with the setting?
Please apply below rules in WLAN profile in addition to Client Isolation and Drop multicast:
| Rule | Description |
|---|---|
acl permit proto 5 tcp any any any any any |
Allow all TCP connections in both the direction |
acl permit proto 6 udp any 68 and 67 in |
Allow incoming DHCP discover packets |
acl permit proto 7 udp any 67 any any out |
Allow DHCP offer packet in WLAN out bound direction |
acl deny proto 8 udp any 137 any any any |
Block Windows NetBios packets in both the direction |
acl deny proto 9 udp any 138 any any any |
Block Windows NetBios packets in both the direction |
acl deny ip 10 any 224.0.0.0/240.0.0.0 in |
Block all incoming multicast packets |
acl deny proto 11 udp any 68 any 67 out |
Block DHCP Discover going on air |
acl deny mac 12 any 11:11:11:11:11:11 out |
Block Cambium AP Multicast packet going on air |
acl deny mac 13 any ff:ff:ff:ff:ff:ff out |
Block ARP packets going on air |
acl permit ip 14 any any any |
Allow all other IP packets in both the direction |
Thanks for the help!
Now it works as I want, the discovery software shows that I am alone.
I analysed the traffic with the wire shark and disabling the broadcast packets solved the problem.
It works perfectly with the correct ACL rules.
