Is there any way to create an exception for client isolation?
-
It's a layer 2 problem. It's up to the layer 2 device to provide the solution. I can't think of any reliable way to get pfSense to do this. I think you need to decide if Roku access is more important than isolation. Or find a way to get the Roku on a different switch port than the AP.
-
It's a layer 2 problem. It's up to the layer 2 device to provide the solution. I can't think of any reliable way to get pfSense to do this. I think you need to decide if Roku access is more important than isolation. Or find a way to get the Roku on a different switch port than the AP.
pfSense IS the AP off of an internal wireless card, so there's no external controller I can configure here.
There's also no switch involved. The wireless card is a Mini PCIe card attached to the motherboard.
-
Oh. I'm probably the wrong person to talk to further. I don't believe pfSense should be supporting wireless cards in the first place. Nor do I have one to test and have never looked at the pfSense wireless config screens.
But if you were to bridge another LAN port to the wireless interface and find a way to plug the Roku into that it might work.
-
But if you were to bridge another LAN port to the wireless interface and find a way to plug the Roku into that it might work.
The Roku is wireless, not wired.
-
You could run 2 wireless adapters. 1 isolated and 1 not.
-
You've kind of painted yourself into a corner.
-
Me, him or both…???
haha
-
Does anyone know if the "Intra-BSS Communication" setting in the AP configuration simply tells the driver to turn it off and the Wi-Fi chipset handles it or does it actually trigger any magical layer 2 processing in pfSense?
-
It's a wifi option only. It tells the driver that no client should talk to another directly on L2. To OP: this functionality is not possible on L2 if you want to separate the clients. You can't have both. This needs to be changed on a FreeBSD wireless level. Off the top of my head it would require a MAC filter list and would make client isolation prone to security issues. In other words, an ugly, flawed hack.
-
@lsf:
It's a wifi option only. It tells the driver that no client should talk to another directly on L2. To OP: this functionality is not possible on L2 if you want to separate the clients. You can't have both. This needs to be changed on a FreeBSD wireless level. Off the top of my head it would require a MAC filter list and would make client isolation prone to security issues. In other words, an ugly, flawed hack.
Looks like they can't use their Roku app then.
I'm not going to turn it off considering any device can get on the guest wireless.