Is there any way to create an exception for client isolation?



  • I have client isolation turned on for my guest wireless.

    However, there is one device which I do want to allow communication with.  Is there any method (including NAT, or virtual IPs, etc) that would allow me to let this one device be able to be communicated with over wireless while keeping client isolation on for everything else?

    Right now, I'm thinking this may work
    1. Create a virtual IP alias for the interface on a different subnet for the guest wifi interface
    2. Create a static lease for the device pointing to that IP for the gateway with an IP in that range
    3. Create rules to allow communication to and from that IP

    Would that work as it would have to pass through pfsense rather than direct wifi device to wifi device?

    EDIT: looks like I can't use static DHCP for step 2 there, so I can't test that way.


  • LAYER 8 Netgate

    What is the device so I can better understand what you're trying to do?  Printer or something?

    If you're going to put it on a different layer 3 network, just put it on a different layer 3 network (different SSID on a different VLAN) and put the right rules on the guest wireless interface.

    Putting multiple IP networks on a single segment is almost never the correct solution except maybe in temporary renumbering situations.



  • @Derelict:

    What is the device so I can better understand what you're trying to do?  Printer or something?

    If you're going to put it on a different layer 3 network, just put it on a different layer 3 network (different SSID on a different VLAN) and put the right rules on the guest wireless interface.

    Putting multiple IP networks on a single segment is almost never the correct solution except maybe in temporary renumbering situations.

    Device is a wireless Roku, but the user would like to be able to use the remote control app from their phone.
    This is allowed, but with client isolation turned on, not possible as both devices are on the guest wireless.
    VLANs are not an option in this case.


  • LAYER 8 Netgate

    Sorry, but real solutions often require real technologies.

    Controller-based Ruckus has an exception list to their per-AP isolation.  I think it's going to be up to the AP to do this.

    When you put an alias on an interface, it is not the same as creating another interface.  You can't really route to the interface and create different rulesets.  You will probably receive an ICMP redirect telling you to go to the MAC address of the Roku to reach it even on a different IP scheme.  This should make it a layer 2 connection and your AP isolation will (should) block it as traffic for another MAC on the same isolated network.

    It might do something totally different.  It's really messy and should be avoided.
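As an added illustration (not code from this thread, from pfSense or from FreeBSD), the following Python model walks one packet through the three steps in the opening post and through the layer 2 point Derelict makes: a frame between two stations is dropped by Intra-BSS isolation, while a frame addressed to the AP's own MAC is not, so the alias-subnet idea only "works" for as long as the phone keeps sending via the gateway and pfSense hairpins the packet back out of the same interface under the step 3 rules. All MACs, addresses and rules are constructed; the model does not simulate the ICMP redirect Derelict raises, but a redirect the phone accepted would move the exchange onto the direct path, which is the first branch of `deliver` and is decided by isolation alone.

```python
"""Toy model of Wi-Fi client isolation (Intra-BSS blocking) against the
alias-subnet workaround from the thread.  Added example, not pfSense or
FreeBSD code; every MAC, address and rule below is constructed."""
import ipaddress

AP_MAC = "cc:cc:cc:00:00:ff"          # pfSense's own wireless MAC (constructed)

# Constructed station table: name -> (MAC, IP/prefix as the client sees it)
STATIONS = {
    "phone":  ("aa:aa:aa:00:00:01", "192.168.20.10/24"),
    "laptop": ("aa:aa:aa:00:00:03", "192.168.20.11/24"),
    "roku":   ("bb:bb:bb:00:00:02", "10.99.0.5/24"),   # step 2: lease in the alias subnet
}

# Step 1: pfSense holds both networks on the one guest interface
INTERFACE_NETS = [ipaddress.ip_network("192.168.20.0/24"),
                  ipaddress.ip_network("10.99.0.0/24")]

# Step 3: first-match rules on the guest interface (action, src, dst)
RULES = [
    ("pass",  "192.168.20.0/24", "10.99.0.5/32"),      # phone app -> Roku
    ("block", "192.168.20.0/24", "192.168.20.0/24"),   # guest -> guest
    ("pass",  "any", "any"),                           # everything else (internet)
]

def ip_of(name):
    return ipaddress.ip_interface(STATIONS[name][1]).ip

def station_by_ip(dst):
    for name, (_, cidr) in STATIONS.items():
        if ipaddress.ip_interface(cidr).ip == dst:
            return name
    return None

def first_hop_mac(sender, dst):
    """Host forwarding decision: an on-link destination is ARPed for and
    framed to the peer's MAC; anything else is framed to the gateway."""
    net = ipaddress.ip_interface(STATIONS[sender][1]).network
    if dst in net:
        peer = station_by_ip(dst)
        return STATIONS[peer][0] if peer else None
    return AP_MAC

def isolation_allows(src_mac, dst_mac):
    """Intra-BSS blocking: a frame whose source and destination are both
    client stations is dropped by the AP; frames to or from the AP pass."""
    station_macs = {mac for mac, _ in STATIONS.values()}
    return not (src_mac in station_macs and dst_mac in station_macs)

def rule_action(src, dst):
    """First-match evaluation of the step 3 rule list."""
    for action, s, d in RULES:
        s_ok = s == "any" or src in ipaddress.ip_network(s)
        d_ok = d == "any" or dst in ipaddress.ip_network(d)
        if s_ok and d_ok:
            return action
    return "block"

def deliver(sender, receiver):
    """Trace one packet and report which control decided its fate."""
    src, dst = ip_of(sender), ip_of(receiver)
    src_mac, dst_mac = STATIONS[sender][0], STATIONS[receiver][0]
    hop = first_hop_mac(sender, dst)
    if hop != AP_MAC:
        # Direct L2 path: isolation is the only control and it is decisive.
        if hop and isolation_allows(src_mac, hop):
            return "allowed-l2"
        return "blocked-by-isolation"
    # Routed path: the AP accepts a frame addressed to itself, and pfSense
    # applies the interface rules...
    if rule_action(src, dst) != "pass":
        return "blocked-by-firewall"
    # ...then, because the destination network sits on the same interface,
    # sends the packet back out as an AP -> station frame.  That frame is
    # not station -> station, so isolation lets it through.
    if any(dst in n for n in INTERFACE_NETS) and isolation_allows(AP_MAC, dst_mac):
        return "hairpinned-by-pfsense"
    return "routed-elsewhere"
```

Running `deliver("phone", "laptop")` stays blocked by isolation, while `deliver("phone", "roku")` and the reply `deliver("roku", "phone")` are passed by the firewall and hairpinned, which is exactly why the outcome rests on the firewall rules and on the phone never learning a direct path, rather than on the isolation setting the guest network is meant to rely on.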



  • So, ignoring my idea (with the virtual IP), is there any feasible way to do this within pfsense itself?

    I don't want devices on the guest wifi communicating with each other, with this one exception.

    pfSense IS the AP off of an internal wireless card, so there's no external controller I can configure here.


  • LAYER 8 Netgate

    It's a layer 2 problem.  It's up to the layer 2 device to provide the solution.  I can't think of any reliable way to get pfSense to do this.  I think you need to decide if Roku access is more important than isolation.  Or find a way to get the Roku on a different switch port than the AP.



  • @Derelict:

    It's a layer 2 problem.  It's up to the layer 2 device to provide the solution.  I can't think of any reliable way to get pfSense to do this.  I think you need to decide if Roku access is more important than isolation.  Or find a way to get the Roku on a different switch port than the AP.

    pfSense IS the AP off of an internal wireless card, so there's no external controller I can configure here.
    There's also no switch involved.  The wireless card is a minipcie card attached to the motherboard.


  • LAYER 8 Netgate

    Oh.  I'm probably the wrong person to talk to further.  I don't believe pfSense should be supporting wireless cards in the first place.  Nor do I have one to test and have never looked at the pfSense wireless config screens.

    But if you were to bridge another LAN port to the wireless interface and find a way to plug the Roku into that it might work.



  • But if you were to bridge another LAN port to the wireless interface and find a way to plug the Roku into that it might work.

    The Roku is wireless, not wired.



  • You could run 2 wireless adapters.  1 isolated and 1 not.


  • LAYER 8 Netgate

    You've kind of painted yourself into a corner.



  • Me, him or both…???

    haha


  • LAYER 8 Netgate

    Does anyone know if the "Intra-BSS Communication" setting in the AP configuration simply tells the driver to turn it off and the Wi-Fi chipset handles it or does it actually trigger any magical layer 2 processing in pfSense?



  • It's a Wi-Fi option only. It tells the driver that no client should talk to another directly on L2. To OP: this functionality is not possible on L2 if you want to separate the clients. You can't have both. This would need to be changed at the FreeBSD wireless level. Off the top of my head it would require a MAC filter list and would make client isolation prone to security issues. In other words, an ugly, flawed hack.



  • @lsf:

    It's a Wi-Fi option only. It tells the driver that no client should talk to another directly on L2. To OP: this functionality is not possible on L2 if you want to separate the clients. You can't have both. This would need to be changed at the FreeBSD wireless level. Off the top of my head it would require a MAC filter list and would make client isolation prone to security issues. In other words, an ugly, flawed hack.

    Looks like they can't use their Roku app then.
    I'm not going to turn it off considering any device can get on the guest wireless.

