Route traffic between clients on the same subnet (Wifi AP w isolation) ???

[BillyJoePiano]

I recently obtained a TP-Link TL-WA1201 Wifi Access point.  It is connected to one of the 'opt' ports on my Protectli Vault with OPNsense installed.  The Wifi AP is configured with 4 different SSIDs, each on a different VLAN, corresponding to a VLAN virtual interface on the OPNsense router.  DHCP service is disabled on the AP, and handled by the router.  Each VLAN is a separate subnet.

I'm trying to achieve selective host isolation depending on the subnet and individual hosts, which would be dictated by firewall rules.  The Access Point itself is all-or-nothing with the isolation setting... I can't even enable it on individual SSIDs (which is really my goal here...).  If I do enable isolation, then there is no way for any client on any SSID to access another wifi client even on the same SSID/VLAN... or at least via the AP itself.

HOWEVER, I'm wondering if it is possible for the router to take over this task, and act as a (sort-of?) "layer-2 router/switch" by responding to the intra-subnet ARP requests with its own MAC address.  I did try using ARP proxy in the Virtual IP settings, but this was causing problems with DHCP and conflicting MAC addresses.  The clients were sending DHCP Refusal packets as soon as they saw the ARP conflict.  I'd need the router to abstain from sending these ARP packets back to the client that it is spoofing.  It should only respond with an ARP to a client looking for another client on the same subnet.  In other words, if 192.168.1.5 is looking for 192.168.1.6, it should spoof 192.168.1.6 with its own MAC to 192.168.1.5, but NOT send this ARP to 192.168.1.6 (or via a layer-2/ARP broadcast) because that would confuse the latter client.  Once the router has all the clients pointing to itself for their intra-subnet traffic, the router would then be responsible for determining if a packet is allow (or not) based on its firewall rules, and if allowed then retransmit using the actual MAC/IP combo of the destination host.

I realize it's also possible this behavior would confuse the Access Point itself, since it is supposed to be the layer-2 switch for all the wifi clients.  But shouldn't it be irrelevant since it just ignores the layer-3 address, and only "routes" based on layer 2?  I'm not sure??

Perhaps what I'm suggesting is impossible to achieve with the devices I'm working with.  Any thoughts or suggestions are appreciated!

[Demusman]

No such thing as a layer 2 router.

There is a way to isolate based on mac address but it seems like it's not worth it to me.
Not sure if I saw it here or on the pfSense forum. Try searching both.

You can't isolate hosts on the same subnet with a router since that traffic wouldn't even go to the router, again there's no layer 2 router and the same sunet would be layer 2 only.
If that's what you're trying to do that is, very confusing post.

Even the title is confusing.

[jlab]

OP,

Can you explain what you are actually trying to do and achieve ?

Why not turn on Client isolation and leave it at that ? Why do you have so many SSID's too ?

[BillyJoePiano]

OP,

Can you explain what you are actually trying to do and achieve ?

Why not turn on Client isolation and leave it at that ? Why do you have so many SSID's too ?

I can't just turn on blanket client isolation because I need hosts on some of the Wifi networks to be able to communicate with other hosts on the same network.

My goal is selective host isolation on certain SSID networks.  Specifically, I have an SSID for IOT devices which I treat as a "high risk" network, and would like absolute host isolation between all IOT devices on that network.  Additionally, there are some other (non-IOT) devices which occasionally log onto that network for the purposes of debugging and admin (e.g. my desktop workstation) and I need THAT device to have access to the other devices on the IOT network.

In short, I would like the firewall rules to dictate which hosts are "isolated" and which can communicate with others on their own subnet.  The solution would involve turning on blanket isolation at the AP obviously, but then having the router determine which communications would be allowed and re-forwarding the allowed communications (albeit back to the same interface, but with a different layer 2 destination address)

While thinking through this problem, I realized that I could achieve something very similar to what I've proposed  previously by putting each host on its own point-to-point subnet with the router using virtual IPs, and using the firewall rules there to determine what is allowed.  It would just be normal layer-3 routing in that case.  The issue which arises in that scenario is that there needs to be a separate point-to-point network (probably /30 to allow for a broadcast address, meaning taking up 4 ip addresses...) for each host.  If all the hosts are known in advance this is very do-able, but if I want to dynamically allocate host addresses where they can communicate with each other, I run into a problem.

[EdwinKM]

Really, devices on a network segments are peers. Hack what you want but you are creating a difficult to manage network.

IOT usually means: it may not connect to LAN (or other segments). Disable connection to the internet.

If you have IOT devices who should not talk to other IOT devices (not sure why you want this) just create another SSID/VLAN (aka: IOT-CAMERA/IOT-DOORBELL) and manage things with firewall rules.

> Additionally, there are some other (non-IOT) devices which occasionally log onto that network for the purposes of debugging and admin (e.g. my desktop workstation) and I need THAT device to have access to the other devices on the IOT network.

Yeah, this is normal. You put this on "LAN". LAN can connect usually to *everything*