Devices in guest network...

[Cr00zng]

Trying the command line option had interesting results...

Shutdown both the iPhone and Roku stick, ran the commands in SSH and rebooted the router and reconfigured the 5Ghz guest network #2, with "Access Intranet" disabled. Powered on both the iPhone and Roku stick and connected them to guest network #2.

Test #1:

The DHCP IP address for both devices changed from the #1 guest network's 192.x.x.x to the intranet assigned 172.x.x.x address range. Trying to use Airplay and Screen Sharing from the iPhone to the Roku stick failed. Ping to the router IP address from the iPhone was successful, but pinging the Roku stick failed. Basically, the same condition as prior to issuing the commands on the router.

Enabling "Access Intranet" with isolation disabled for guess network #2 is where the interesting results were...

Test #2

iPhone pinging the Roku stick and router worked, so did Airplay and Screen Sharing. On the other hand, pinging hosts from the guess network #2 in the intranet timed out, so did the host in the intranet pinging the iPhone in the guest network #2, with the message of "Destination host is unreachable".

Disabling "Access Intranet" for guest network #2 resulted in the same as test #1.

I may have overlooked some of the settings yesterday, when the "Access Intranet" was enabled. I'll run some more test tomorrow with:

• Enable isolation for guest network #2 via the command nvram set wl1.2_ap_isolate=1
• Enable "Access Intranet" for guest network #2
• Test ping, Airplay and Screen Sharing

It's doubtful that it'll work without the isolation disabled, but I have to double check...

 

[ColinTaylor]

ran the commands in SSH and rebooted the router and reconfigured the 5Ghz guest network #2, with "Access Intranet" disabled.

This is wrong. You need to run the nvram commands after all changes have been made to the guest network in the GUI. If you don't then the nvram changes will be wiped out when you hit Apply in the GUI.

 

[Cr00zng]

This is wrong. You need to run the nvram commands after all changes have been made to the guest network in the GUI. If you don't then the nvram changes will be wiped out when you hit Apply in the GUI.

I didn't think that the order had been incorrect initially, but you are correct. (Why am I doubting??? )

After changing the order the system is configured, the issue had been resolved without needing to enable the "Access Intranet", thanks Colin...

One question...

I've noticed that the ping time between the iPhone and the Roku stick starts out around 10ms and settles in at around 5-6ms in the 5GHz network. both devices are about 20' from the routers. The two devices are the only ones with WiFi connections, both intranet and guest network, most of the times, especially after business hours. Are the ping times normal for WiFi devices? TIA...

 

[ColinTaylor]

Are the ping times normal for WiFi devices? TIA...

What is "normal" will vary for different devices. The pings between my two laptops is about 2ms. Pings from the same laptop to my Samsung phone varies wildly between 5ms and 200ms.

 

[eibgrad]

Yes, WiFi clients can bypass the router's Ethernet firewall by talking directly to each other via the wireless interface, similar to how wired clients talk directly to each other via the LAN switch. The problem is there is no fine-grained control of this setting for guest networks in the GUI. The "AP Isolated" option only applies to the primary WiFi networks. For guest networks the isolation mirrors what is set for "Access Intranet". So it has to be overridden from the command line. Of course both clients have to be connected to the same VAP.

Side note: John added an extra option in his firmware to each of the guest network settings to individually control the isolation.

I wanted to revisit this topic because while working on an unrelated problem to the OP in this thread, it seems to me this is NOT the way it works.

When I have both AP isolation and intranet access disabled for guest #2 (2.4GHz), I can NOT ping between wireless devices connected to that guest network. The only way I can ping is if I enable intranet access, which removes the following ethernet firewall rules that are blocking access from wl0.2 to the private network.

admin@lab-merlin1:/tmp/home/root# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 18, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

IOW, when two wireless clients are allowed to communicate w/ each other by the wireless adapter, they are NOT communicating directly via the wireless adapter. The wireless adapter only involves itself when you want to block access w/ AP isolation enabled. But otherwise, the traffic just continues its normal path through the ethernet and IP firewalls.

AFAICT, the wireless adapter *is* subject to the ethernet firewall w/ AP isolation disabled. In fact, it makes sense it would work this way since normally you'd want AP isolation disabled for the benefit of the private network, but still have guests isolated from each other. And the only way to enforce isolation between guests is to deny them access to *all* devices (wired and wireless) by disabling intranet access. That is in fact what I believe the following user is experiencing (this is what got me back on this issue). He can't enable access between wireless users without enabling access to the private network at the same time.

GT-AC2900 - Subnetting to segregate Blink cameras?

I have a GT-AC900 running on vanilla firmware 3.0.0.4.386_45956-g23134c9 Is it possible to segregate clients from the rest of the network, but still have them able to communicate with each other? I have a Blink camera and the Blink Sync Module, and they need to communicate with each other via...

www.snbforums.com

What I'm about to suggest to him is to use Merlin + YazFi, but NOT because it offers AP isolation control at the guest level. It's because YazFi offers IP level isolation control between the guest and private networks.

Of course, I can see where *enabling* AP isolation specifically on the guest network (as seen w/ YazFi) probably does avoid accessing the ethernet firewall. But you can NOT avoid it when AP isolation is disabled.

 

[eibgrad]

Ok, I can see where I probably went wrong here. I was assuming that enabling/disabling intranet access was NOT messing w/ the AP isolation at the guest level. So I associated changes to the ethernet firewall as being the sole reason for the changes in behavior. My system is down at the moment, so I can't verify it here. But when things return, I suspect that will be the case.

 

[trumpone]

I have a Wi-Fi guest network with Intranet access not allowed, and I managed to make a specific device visible to another computer on an Ethernet port. For your issue with IPhone and Roku on a Wi-Fi guest network, maybe this could fix it?

ebtables -t broute -I BROUTING -p ARP -i wl1.1 -s $IPHONE_MAC -j ACCEPT
ebtables -t filter -I FORWARD -p ARP -o wl1.1 --arp-ip-dst $IPHONE_IPADDR -j ACCEPT
ebtables -t filter -I FORWARD -p ARP -i wl1.1 -s $IPHONE_MAC -j ACCEPT

ebtables -t broute -I BROUTING -p ARP -i wl1.1 -s $ROKU_MAC -j ACCEPT
ebtables -t filter -I FORWARD -p ARP -o wl1.1 --arp-ip-dst $ROKU_IPADDR -j ACCEPT
ebtables -t filter -I FORWARD -p ARP -i wl1.1 -s $ROKU_MAC -j ACCEPT