Is there any way to create an exception for client isolation?

Trel

@Derelict:

What is the device so I can better understand what you're trying to do?  Printer or something?

If you're going to put it on a different layer 3 network, just put it on a different layer 3 network (different SSID on a different VLAN) and put the right rules on the guest wireless interface.

Putting multiple IP networks on a single segment is almost never the correct solution except maybe in temporary renumbering situations.

Device is a wireless Roku, but the user would like to be able to use the remote control app from their phone.
This is allowed, but with client isolation turned on, not possible as both devices are on the guest wireless.
Vlans are not an option in this case.

Derelict

Sorry, but real solutions often require real technologies.

Controller-based Ruckus has an exception list to their per-AP isolation.  I think it's going to be up to the AP to do this.

When you put an alias on an interface, it is not the same as creating another interface.  You can't really route to the interface and create different rulesets.  You will probably receive an ICMP redirect telling you to go to the MAC address of the Roku to reach it even on a different IP scheme.  This should make it a layer 2 connection and your AP isolation will (should) block it as traffic for another MAC on the same isolated network.

It might do something totally different.  It's really messy and should be avoided.

Trel

So, ignoring my idea (with the virtual IP), is there any feasible way to do this within pfsense itself?

I don't want devices on the guest wifi communicating with each other, with this one exception.

Pfsense IS the AP off of an internal wireless card, so there's no external controller I can configure here.

Derelict

It's a layer 2 problem.  It's up to the layer 2 device to provide the solution.  I can't think of any reliable way to get pfSense to do this.  I think you need to decide if Roku access is more important than isolation.  Or find a way to get the Roku on a different switch port than the AP.

Trel

@Derelict:

It's a layer 2 problem.  It's up to the layer 2 device to provide the solution.  I can't think of any reliable way to get pfSense to do this.  I think you need to decide if Roku access is more important than isolation.  Or find a way to get the Roku on a different switch port than the AP.

Pfsense IS the AP off of an internal wireless card, so there's no external controller I can configure here.
There's also no switch involved.  The wireless card is a minipcie card attached to the motherboard.

Derelict

Oh.  I'm probably the wrong person to talk to further.  I don't believe pfSense should be supporting wireless cards in the first place.  Nor do I have one to test and have never looked at the pfSense wireless config screens.

But if you were to bridge another LAN port to the wireless interface and find a way to plug the Roku into that it might work.

Trel

But if you were to bridge another LAN port to the wireless interface and find a way to plug the Roku into that it might work.

The Roku is wireless, not wired.

kejianshi

You could run 2 wireless adapters.  1 isolated and 1 not.

Derelict

You've kind of painted yourself into a corner.

kejianshi

Me, him or both…???

haha

Derelict

Does anyone know if the "Intra-BSS Communication" setting in the AP configuration simply tells the driver to turn it off and the Wi-Fi chipset handles it or does it actually trigger any magical layer 2 processing in pfSense?

lsf

Its a wifi option only. It tells the driver that no client should talk to another directly on L2. To op: this functionality is not possible on L2 if you want to seperate the clients. You cant have both. This needs to be changed on a frebsd wireless level. On the top of my head it would require a mac filter list and would make client isolation prone to security issues. In other words a ugly flawed hack.

Trel

@lsf:

Its a wifi option only. It tells the driver that no client should talk to another directly on L2. To op: this functionality is not possible on L2 if you want to seperate the clients. You cant have both. This needs to be changed on a frebsd wireless level. On the top of my head it would require a mac filter list and would make client isolation prone to security issues. In other words a ugly flawed hack.

Looks like they can't use their Roku app then.
I'm not going to turn it off considering any device can get on the guest wireless.