Isolating wireless devices in OpenWRT on a Linksys EA8300
I switched to OpenWRT when I purchased this device in 2019. I'm still using it as the core network device although I have recently stood up a VM running OpenWRT 24.10 so I can stage all of the configurations before I do a fresh install on my EA8300 to go from OpenWRT 21.02 to 24.10. I may yet decide to move my core routing fully into that VM and repurpose the EA8300 strictly as an access point. Regardless, I want to share my experience with wireless device isolation on this device when I first configured it.
I always isolate devices on my network as best as possible. In Proxmox PVE I use all three levels of firewalls to restrict traffic between VMs and other VMs/hosts to only what's necessary. My wired devices within the same subnet can't communicate with each other unless specifically configured to do so. Wired devices can't communicate with wireless devices (like my wireless printer) unless allowed, and wireless devices can't communicate with anything but the internet unless configured for it. Importantly, everything is forced through the OpenWRT firewall rules -- nothing is allowed to communicate directly. Unfortunately for me this means that my poor EA8300 can't deliver the full 1 Gbps from WAN to clients, because I am really asking a lot of it with all of this. I don't mind, security trumps all.
As mentioned above, I'm still running 21.02 on this device, so YMMV. But the web interface ostensibly already provides functionality to isolate wireless clients, found in the interface configuration section for each SSID:

This does work for clients sharing the same radio. The EA8300 is a three-radio device. The issue I had when using this is that it doesn't isolate wireless clients from each other across radios. I have two 5 GHz radios configured with the same SSID so that clients can freely associate with whichever they choose. With the default packages installed in OpenWRT 21.02, two clients on different radios can communicate directly with each other without any of my configured firewall rules being applied. I want to force all clients through firewall rule processing, so while checking this box for each radio is important, it doesn't fully isolate wireless clients on my EA8300.
The solution in my case was to add a couple of packages: kmod-br-netfilter and ebtables.
The kernel module (kmod-) bridge netfilter (br-netfilter) package enables iptables rules to be applied to traffic crossing bridge interfaces. The ebtables package enables rules based on layer 2 (Ethernet frames), although in my case I really only needed a single rule.
You can read about kmod-br-netfilter here: https://openwrt.org/packages/pkgdata/kmod-br-netfilter
You can read about ebtables here: https://linux.die.net/man/8/ebtables
With these two packages installed, fully isolating the clients to prevent cross-radio communication (via the bridge interface) is a single command:
ebtables -A FORWARD --logical-in br-lan -j DROP
Run this at the shell of your OpenWRT device. ebtables rules are processed before iptables rules, so essentially this instructs the device to drop any layer 2 bridged traffic being forwarded through the bridge interface (the FORWARD chain). This has the effect of forcing all of the wireless clients through the firewall rules in order to communicate.
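The raw command above is not persistent and, if typed more than once, adds a duplicate rule each time. The following script is an added example (it is not from the original post and not part of OpenWRT or ebtables) that wraps the same rule so it can be re-run safely, for instance from /etc/rc.local at boot. It assumes the bridge is br-lan as in the post, that kmod-br-netfilter and ebtables are already installed, that it runs as root on the OpenWRT shell, and it reads the ebtables binary from an EBTABLES variable so the idempotency logic can be exercised off-device. The sample chain listing in the comments is constructed.

```shell
#!/bin/sh
# Idempotent wrapper around the cross-radio isolation rule:
#   ebtables -A FORWARD --logical-in br-lan -j DROP
# Assumptions (added example, not from the original post): bridge is br-lan,
# ebtables is installed, and this runs as root (e.g. `sh isolate.sh apply`
# from /etc/rc.local so the rule survives a reboot).

BRIDGE="${BRIDGE:-br-lan}"
EBTABLES="${EBTABLES:-ebtables}"   # overridable so the logic can be tested off-device
ISOLATION_RESULT=""                # set to "added" or "present" by apply_isolation

# Return 0 if the DROP rule for the bridge already exists in the FORWARD chain.
# Reads `ebtables -L FORWARD` output from stdin; a constructed listing looks like:
#   Bridge chain: FORWARD, entries: 1, policy: ACCEPT
#   --logical-in br-lan -j DROP
rule_present() {
    grep -q -- "--logical-in $BRIDGE -j DROP"
}

# Count how many copies of the rule exist, so duplicates from repeated manual
# runs of the raw command can be spotted (prints 0 when none are present).
rule_count() {
    "$EBTABLES" -L FORWARD | grep -c -- "--logical-in $BRIDGE -j DROP" || true
}

# Add the rule only if it is missing; re-running on every boot never duplicates it.
apply_isolation() {
    if "$EBTABLES" -L FORWARD | rule_present; then
        ISOLATION_RESULT="present"
        echo "isolation rule for $BRIDGE already present"
        return 0
    fi
    "$EBTABLES" -A FORWARD --logical-in "$BRIDGE" -j DROP || return 1
    ISOLATION_RESULT="added"
    echo "isolation rule for $BRIDGE added"
}

# Only touch the live ruleset when invoked explicitly: `sh isolate.sh apply`
if [ "${1:-}" = "apply" ]; then
    apply_isolation
    echo "rules matching $BRIDGE in FORWARD: $(rule_count)"
fi
```

Check the result on the device with `ebtables -L FORWARD`; exactly one `--logical-in br-lan -j DROP` line should appear no matter how many times the script has run.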
An unfortunate side effect of this configuration is that wireless devices on the same radio will no longer be able to communicate with each other, even if explicitly allowed in firewall rules. For me this is a limitation that I'm willing to accept because, as I said before, security trumps all.
- Andrew
topics openwrt