AP isolation with OpenWrt

  • Hello,

    at the moment I have 2 wireless networks @ home, 1 for LAN (our own computers and stuff), and 1 for guests (visitors network with AP isolation enabled).

    My question is: can I make one wireless network with AP isolation enabled with the possibility to connect to other computers on that "AP isolated" network? (Client -> WiFi Access Point -> pfSense -> WiFi Access Point -> Client.)

    I know clients can't connect to each other with AP isolation enabled, so I thought I can connect them through firewall rules in pfSense.

    Is this possible? I have tried this once, but I didn't manage it the way I want it :(

    Chris 8)

  • Netgate Administrator

    No, at least not if the AP shown in your diagram is the same one. You can't route in and out of the same interface, and here you wouldn't be routing anyway. The two devices are on the same subnet so they will try to connect directly rather than via pfSense.
    You could try something a little messy if you only have a few or one device to do it. For example, set up a VPN server on pfSense then connect one of the wireless devices to it. It will then get an IP in the VPN subnet and can route back out to the other device. You will probably have to play around with some settings to get it working correctly though. ;)

    Oh, and where does OpenWRT come into this? Might be possible to do something directly there if it's on your AP.


  • Thanx for the info!

    Had already the idea it's not going to work because there is indeed no routing needed in this scenario :(

    OpenWRT (AP) is taking care of my VLANs and Wifi isolation, that's all! (no firewall, routing, dhcp, etc.)

    Chris 8)

  • Netgate Administrator

    Hmm, well you might be able to do something within OpenWRT to achieve this. I'm unsure how OpenWRT handles client isolation (but now you've piqued my interest :)). If it's at the radio level then you might be out of luck but if it's a layer 2 thing you might be able to exclude MACs from the isolation.
    You could create a virtual access point for the device you need to access and then allow traffic between them.
    If that doesn't work you can route traffic from that VAP via a different VLAN and route the traffic in pfSense.

    Many possibilities, all of them probably hours of fun!  ;)


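The routing argument made in this thread, as an added example that is not code from any of the posters: a small model of the sender's on-link/off-link decision, showing why two clients in one isolated subnet never reach the pfSense rules while a device moved to a virtual access point on its own VLAN subnet does. The client names, SSIDs and addresses are constructed, and isolation is assumed to apply per SSID only.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    addr: str  # address with prefix length, as configured on the client
    ssid: str  # SSID (virtual access point) the client is associated to


def one_way(src, dst, isolated_ssids):
    """Classify how a single packet from src to dst is handled."""
    src_if = ipaddress.ip_interface(src.addr)
    dst_ip = ipaddress.ip_interface(dst.addr).ip
    if dst_ip not in src_if.network:
        # Off-link destination: the sender forwards to its default gateway,
        # so the packet crosses the firewall and its rules are evaluated.
        return "routed"
    # On-link destination: the sender ARPs for it and sends the frame
    # directly; the gateway is never involved.
    # Assumption: isolation is modelled per SSID only.
    if src.ssid == dst.ssid and src.ssid in isolated_ssids:
        return "dropped-by-isolation"
    return "direct-l2"


def firewall_controls(a, b, isolated_ssids):
    """True only if both directions of the flow pass through the gateway."""
    return (one_way(a, b, isolated_ssids) == "routed"
            and one_way(b, a, isolated_ssids) == "routed")


# Constructed sample data: one isolated SSID, one extra VAP on its own subnet.
ISOLATED = {"guest"}
laptop = Client("laptop", "192.168.20.10/24", "guest")
printer = Client("printer", "192.168.20.50/24", "guest")
printer_vap = Client("printer", "192.168.30.50/24", "guest-devices")

if __name__ == "__main__":
    for dst in (printer, printer_vap):
        print(f"laptop -> {dst.name} on '{dst.ssid}':",
              one_way(laptop, dst, ISOLATED),
              "| firewall in path:", firewall_controls(laptop, dst, ISOLATED))
```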