Merlin + Ubi AP + isolation, is it possible?

[Orava]

Hey, I have a question. I have a RT-AX58U with latest Merlin in it. I'm about to buy a Ubi AP (U6 plus) and connect it to one of the LAN ports on Merlin and my question is:

Is it possible to isolate all the clients connected to the AP? There are some script tutorials to isolate a LAN port, but would it also work for all clients connecting to the AP? So none of the clients connected to U6 AP should see each other, and also not to see the other LAN ports or Asus own wifi clients.

Are there any concerns etc doing this?

 

[eibgrad]

AFAIK, there is NO isolation provided from a connected AP on the LAN switch. The rest of the network is essentially ignorant of how those wifi clients are connected to the network. They could very well be wired clients as far as the rest of the network is concerned. The only isolation you're going to get is between wireless clients of that AP because that's implemented in the wireless driver itself. But once they hit the LAN, they're just ordinary LAN clients, w/ all the same privileges and access of any other wired device.

All that said, if you're going to delve into VLANs at the scripting level, I suppose anything becomes possible. Assuming it's supported, that port could be isolated w/ its own IP network and processed through the firewall for routing purposes between other VLANs and/or the WAN.

Personally, I'm NOT a fan of hacking VLANs on these ASUS routers. I just don't like using VLANs unless they are natively supported. That's one of the big disadvantages of ASUS routers in general. Once you need VLANs, you always end up having to hack things. And I'd prefer to avoid that since VLANs is already complicated enough when the GUI supports it natively. But that's just me.

 

[Tech9]

Are there any concerns etc doing this?

If your plan is sharing your Internet account with someone else - there are some concerns about that.

 

[Orava]

Thanks for replies. Maybe in this case easiest solution would be to buy a seconds Asus router instead of Ubi AP and use Guest network feature with AiMesh?

 

[eibgrad]

That may be one possibility.

Years ago ASUS made a significant change to Guest #1 for the benefit of AiMesh, where the 2.4GHz and 5GHz guests were placed on separate bridges (br1 and br2, respectively) from the private network (br0), thus isolation is enforced by a layer 3 firewall (specifically, iptables). Normally that's NOT how it works. By default, Guest #2 and #3 (and previously Guest #1) exist on the private network, but are isolated from non-guests using a layer 2 firewall (specifically, ebtables).

I don't use AiMesh, but I *assume* this change to Guest #1 was for this very purpose, so that guests established on AiMesh nodes could maintain separation across those same nodes (probably w/ VLAN tagging). But it's not as if I can guarantee this is the case, or that it even works as intended (there have been numerous AiMesh bugs over the years), since as I said, I don't use AiMesh. But at least that appears to be the intent.