New Member
kudu
Posts: 11
Registered: 10-11-2010

Client isolation

I have read all over the net about this, but I am getting conflicting answers. So I will ask,

I read this in the AirOS 5 wiki:
"Enable Client Isolation: This option allows packets only to be sent from the external network to the CPE and vice versa (applicable for AP/AP WDS mode only). If the Client Isolation is enabled wireless stations connected to the same AP will not be able to interconnect on both layer 2 (MAC) and layer 3 (IP) level. This is effective for the associated stations and WDS peers also."

So this means I can have client isolation on with AP WDS.

Here is a sample of what I have.

PS = Pico Station
--- = wire
~~~ = wireless

Router --> PSm2 (wds) ~~~~~> PSm2(WDS) ~~~~~~> Laptop

Now if I disable client isolation it works fine; when I turn on client isolation, no DHCP. I see in the past this was the way it worked, however as I read it above it works now in AP WDS mode. All with firmware 5.2.1.

I assume I am wrong. But I have a city-wide public network I am building that will have 5 or 6 Pico Stations and I would like to have a way to do client isolation. I can only inject the net from one location; all the others are on lamp posts.

Thanks
SuperUser
mhoppes
Posts: 13,767
Kudos: 4085
Solutions: 57
Registered: 06-23-2010

Re: Client isolation

Kudu,
Client Isolation isolates ANYTHING connected wirelessly to the access point. To say it another way, when enabled, traffic can only flow from a wireless unit to the LAN and vice versa. It cannot flow between wireless clients.

If you are 'injecting' the Internet over a wireless 'client' it won't work. You may need to do backhauls between the units using another frequency.
New Member
kudu
Posts: 11
Registered: 10-11-2010

Re: Client isolation

Sighs, thanks, I was afraid that was the case.

Anybody have any ideas how to block Windows file sharing? I just don't want the other people to see each other. I guess if I firewall 137-139 and 445 on each AP that might work. Anybody know if that will?

Thanks
SuperUser
mhoppes
Posts: 13,767
Kudos: 4085
Solutions: 57
Registered: 06-23-2010

Re: Client isolation

I'm not sure if the firewall (in bridge mode) will firewall bridged data or if it firewalls to the AP. I would think the latter. There are a few 'options' I can think of:

#1 Use some sort of Ubiquiti backhaul between sectors.

#2 Using DHCP allocate each client their own 255.255.255.255 address (much like back in the dial-up days).
If you've ever flown anywhere and used the Go-Go In-Flight Internet that several airlines offer, GoGo is doing something similar to #2. Rather than doing AP isolation they are actually putting each client on their own subnet. If you are using private IPs you won't be exhausting a public pool and should be able to make this work fairly well.

#3 Say 'oh well' and realize it isn't your job to secure people's computers.
Established Member
Headbang
Posts: 1,382
Kudos: 31
Registered: 03-16-2008

Re: Client isolation

If using private IPs then just set routing on the CPE; this will solve the problem. Even if using external this is a good solution; it will just take an extra moment of planning and could waste public IPs.
SuperUser
mhoppes
Posts: 13,767
Kudos: 4085
Solutions: 57
Registered: 06-23-2010

Re: Client isolation

I *thought* he was having computers connect to it natively, but I could be wrong.
Established Member
vaden
Posts: 951
Kudos: 4
Registered: 10-13-2007

Re: Client isolation

Headbang and others,

Going back to the dialup analogy, are you saying

1) the AP can be on say a /26 or /27 subnet

and

2) the CPE can be on their own, unique /32?

IOW, the AP can be treated as just another NAS?

The first problem I might be able to see would be if you have a downstream running OSPF since I always run OSPF against a subnet, never against an interface ...

thnx/ldv

===

It is amazing how much I resemble Will Rogers' remark about ignorance.
SuperUser
mhoppes
Posts: 13,767
Kudos: 4085
Solutions: 57
Registered: 06-23-2010

Re: Client isolation

You COULD put the AP like that, but I don't know why you'd want to. I'd suggest having a subnet for AP management, and then if you really want to do this, subnet your clients into /31s. Granted, if I was doing it I'd turn on client isolation and use a full subnet, but for this application this might work for this guy.
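
The per-client subnet idea discussed in this thread (one /31 per client instead of a shared subnet), worked through as an added example that is not part of the original posts. The pool `10.20.0.0/29`, the MAC addresses and the function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample clients (locally administered MACs, not real devices).
SAMPLE_MACS = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]

def plan_client_subnets(pool, client_macs):
    """Carve `pool` into /31s and give each client MAC one of them."""
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=31)
    plan = {}
    for mac in client_macs:
        net = next(subnets, None)
        if net is None:
            raise ValueError(f"{pool} holds only {len(plan)} /31 subnets")
        # RFC 3021: a /31 has no network/broadcast address, both are usable.
        plan[mac.lower()] = {"subnet": net, "gateway": net[0], "client": net[1]}
    return plan

def on_link_pairs(plan, shared_subnet=None):
    """List client pairs whose hosts treat each other as directly reachable.

    With `shared_subnet` set, every client is evaluated as if it had been
    given that one subnet and mask instead of its own /31.
    """
    shared = ipaddress.ip_network(shared_subnet) if shared_subnet else None
    pairs = []
    for (mac_a, a), (mac_b, b) in combinations(plan.items(), 2):
        net_a = shared if shared is not None else a["subnet"]
        net_b = shared if shared is not None else b["subnet"]
        if b["client"] in net_a or a["client"] in net_b:
            pairs.append((mac_a, mac_b))
    return pairs

if __name__ == "__main__":
    plan = plan_client_subnets("10.20.0.0/29", SAMPLE_MACS)
    for mac, e in plan.items():
        print(mac, e["subnet"], "gw", e["gateway"], "client", e["client"])
    print("on-link pairs, per-client /31:", on_link_pairs(plan))
    print("on-link pairs, shared /29:   ", on_link_pairs(plan, "10.20.0.0/29"))
```

With per-client /31s no client considers another client on-link, so client-to-client IP traffic is sent to the gateway, where it can be filtered. This only changes layer-3 behaviour: stations on the same wireless segment can still exchange frames directly unless the AP itself blocks that.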