Member
Fisher2010
Posts: 223
Kudos: 63
Registered: 08-16-2010

Client isolation question

I've got an AP with 18 CPEs on it. Two of the customers are neighbors and work together. They each have their own radio.

I recently enabled Client Isolation on the AP so customers wouldn't see each other. In the process, these two neighbors can no longer access the websites and mail servers they are running in one of their basements. Customer A has the server in his basement and can access it just fine, but Customer B can no longer view the website or access the mail server in Customer A's basement. (why they have all this stuff is a completely different subject) Both customers are using Public IP addresses.

They called me when they no longer had access. I unchecked the Client Isolation box and everything magically started working.

My question is this. I would like to keep Client Isolation enabled on this AP for security reasons. But I want these guys to still be able to have access to each others network. Can I have both? If so, how?
Ubiquiti Employee
UBNT-Matt
Posts: 5286
Kudos: 2091
Solutions: 50
Contributions: 39
Registered: 11-27-2007

Re: Client isolation question

If you route them through an upstream router (put them on different subnets) it should work fine even with client isolation enabled.
I'm guessing now they are both on IPs in the same subnet?
Ancient Member
Dave-D
Posts: 24849
Kudos: 3476
Solutions: 390
Registered: 06-23-2009

Re: Client isolation question

Client isolation is for users on the LAN; it should not affect WAN operations.

If these users were able to access each other's WAN addresses and the Internet provider permits relay between users on the same router, this will work.

First, check that they use WAN addresses--not LAN. If this doesn't work, contact your ISP for help. Dave

PS: the 'upstream router' Matt refers to will be the ISP's router--unless you insert one of your own in the stream.
No disclaimer. Nothing to sell. I need to fix that.
Member
Fisher2010
Posts: 223
Kudos: 63
Registered: 08-16-2010

Re: Client isolation question

They are both on the same subnet. I'll try setting one of them up with an IP on a different subnet and see if that works. Thanks!
Established Member
LittleBill
Posts: 1088
Kudos: 174
Solutions: 6
Registered: 06-18-2010

Re: Client isolation question

Why not tell customer B to point to the public IP of the servers and not the local one?
Member
Fisher2010
Posts: 223
Kudos: 63
Registered: 08-16-2010

Re: Client isolation question

Why not tell customer B to point to the public IP of the servers and not the local one?


I believe they are already doing that.
Ancient Member
WHT
Posts: 28992
Kudos: 5162
Solutions: 95
Registered: 03-17-2008

Re: Client isolation question

Don't know if this is relevant yet, but the ISP's upstream router/POP could have recently started client isolation. Very common in my area with CenturyLink's DSLAMs.
WHT = Short Form Acronym for "You couldn't handle me even if I came with instructions!"
Well engineered projects are indistinguishable from crazy ideas.

Speed, distance, reliability, cost...Pick three.
...World's First Ubiquiti AirMax WISP....
Ancient Member
Dave-D
Posts: 24849
Kudos: 3476
Solutions: 390
Registered: 06-23-2009

Re: Client isolation question

As I said,

"If these users were able to access each other's WAN addresses and the Internet provider permits relay between users on the same router, this will work."

If you don't have your own upstream router, you need to negotiate with the ISP. Dave
Member
Fisher2010
Posts: 223
Kudos: 63
Registered: 08-16-2010

Re: Client isolation question

As I said,

"If these users were able to access each other's WAN addresses and the Internet provider permits relay between users on the same router, this will work."

If you don't have your own upstream router, you need to negotiate with the ISP. Dave


I do have an upstream router that routes the whole network. They are both able to access the internet completely. But when Customer B tries to ping the public IP assigned to the server in Customer A's basement, it won't go through.

But when I disable Client Isolation on the AP that feeds their respective radios, Customer B is able to ping the server next door.

Don't know if this is what you're getting at. I'm just trying to clarify the situation.
Established Member
drwho17
Posts: 2036
Kudos: 117
Solutions: 3
Registered: 08-02-2008

Re: Client isolation question

They are both on the same subnet. I'll try setting one of them up with an IP on a different subnet and see if that works. Thanks!

Don't hand out public IP's to different users on the same subnet. Each customer should have their own unique subnet. Each user should get a mask of 255.255.255.255 (unless they truly do need multiple IP's). You appear to be handing them a 255.255.255.0, which results in IP's on the same subnet not being routed, but just sent out the WAN. This is bad stuff: each user on the subnet would be able to see other users on the WAN.
Ubiquiti Employee
UBNT-Matt
Posts: 5286
Kudos: 2091
Solutions: 50
Contributions: 39
Registered: 11-27-2007

Re: Client isolation question

Wouldn't he have to use /30 (one IP for customer, one for router)?
Veteran Member
Josh_SPITwSPOTS
Posts: 16786
Kudos: 4801
Solutions: 111
Registered: 11-20-2011

Re: Client isolation question

Wouldn't he have to use /30 (one IP for customer, one for router)?

Yes.
Also (post before yours), the CIDR for a /30 translates to a mask of 255.255.255.252, not 255.255.255.255.
Wildcard mask would be 0.0.0.3
Okay, back to configuring mhoppes' routers/switches for him :icon_mrgreen:
Josh Reynolds :: Chief Information Officer :: www.spitwspots.com
Ubiquiti Carrier Wireless Admin, Trainer
Ancient Member
Dave-D
Posts: 24849
Kudos: 3476
Solutions: 390
Registered: 06-23-2009

Re: Client isolation question

What I'm getting at is routing.

For the route to complete, it must go to the ISP's router and then back along the same circuit to the other client.

Some ISPs will provide routing back through the end router to clients on the same circuit--some won't. If you have your own head-end router, you should be able to install a local static route that does the same thing. Dave
Established Member
drwho17
Posts: 2036
Kudos: 117
Solutions: 3
Registered: 08-02-2008

Re: Client isolation question

Wouldn't he have to use /30 (one IP for customer, one for router)?

Well, that would be a real subnet (multiple IP's, in that case 4, 2 usable), 255.255.255.252.
Veteran Member
mhoppes
Posts: 12598
Kudos: 3453
Solutions: 49
Registered: 06-23-2010

Re: Client isolation question

Yes.

Also (post before yours), the CIDR for a /30 translates to a mask of 255.255.255.252, not 255.255.255.255.

Wildcard mask would be 0.0.0.3

Okay, back to configuring mhoppes' routers/switches for him :icon_mrgreen:


Yeah... you're cheap.... a beer when next I see you, and you offer configuration advice :mantongue:
Sent via alt.hardware.wireless.ubnt reflector

On-Location airMax Training for Groups of 4 or more.
Send PM for more information.
Established Member
drwho17
Posts: 2036
Kudos: 117
Solutions: 3
Registered: 08-02-2008

Re: Client isolation question

Yes.

Also (post before yours), the CIDR for a /30 translates to a mask of 255.255.255.252, not 255.255.255.255.

Wildcard mask would be 0.0.0.3

Okay, back to configuring mhoppes' routers/switches for him :icon_mrgreen:

I'm routed; I apply a 255.255.255.255, and the default gateway is the physical interface pppoe (you do not need an IP on both sides, it just needs to know what interface to send traffic out on).

ppp0 Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.xxx.xxx P-t-P:xxx.xxx.xxx.xxx Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:1500 errors:0 dropped:0 overruns:0 frame:0
TX packets:1564 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:371390 (362.6 KiB) TX bytes:743867 (726.4 KiB)

default * 0.0.0.0 U 0 0 0 ppp0
Established Member
drwho17
Posts: 2036
Kudos: 117
Solutions: 3
Registered: 08-02-2008

Re: Client isolation question

What I'm getting at is routing.

For the route to complete, it must go to the ISP's router and then back along the same circuit to the other client.

Some ISPs will provide routing back through the end router to clients on the same circuit--some won't. If you have your own head-end router, you should be able to install a local static route that does the same thing. Dave

No, he's just got his subnetting wrong.

For example.
192.168.1.21 255.255.255.0 - node 1

192.168.1.22 255.255.255.0 - node 2

If you assign those to two WANs and enable isolation, neither will be able to talk to the other on that subnet, and it won't try to route it.

192.168.1.21 255.255.255.255 node 1
192.168.1.22 255.255.255.255 node 2

All traffic will go out the default route, and they will be able to communicate this way.
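An added example, not code from any poster in this thread, that models the forwarding decision drwho17 describes above and the /30 mask arithmetic from the earlier exchange (255.255.255.252, wildcard 0.0.0.3, 4 addresses, 2 usable). It uses Python's standard ipaddress module; the addresses are the ones in drwho17's example, and it assumes the thread's own conditions: the AP drops frames between CPE when client isolation is on, and a host with a /32 sends everything to its default route (a next-hop router or a point-to-point interface like the PPPoE link shown above), which only completes if the head-end or ISP router routes the traffic back down the same circuit, which is Dave's caveat.

```python
import ipaddress


def delivery(src_iface: str, dst: str) -> str:
    """How a host configured as src_iface (e.g. '192.168.1.21/24') delivers
    a packet to dst: 'on-link' means it ARPs for dst on its own segment;
    'default-route' means it hands the packet to its default route (a
    next-hop router, or a point-to-point interface such as the PPPoE link
    drwho17 shows, where no on-link gateway address is needed)."""
    iface = ipaddress.ip_interface(src_iface)
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return "default-route"


def reachable(src_iface: str, dst: str, client_isolation: bool,
              router_hairpins: bool = True) -> bool:
    """Model of the thread's observation (an assumption of this example,
    not a measurement): client isolation on the AP drops frames between
    two CPE on the same AP, so on-link delivery fails when isolation is
    on, while traffic sent to the default route reaches the head-end
    router and, if that router routes it back down the same circuit
    (router_hairpins), arrives at the neighbour."""
    if delivery(src_iface, dst) == "on-link":
        return not client_isolation
    return router_hairpins


def subnet_facts(prefixlen: int) -> dict:
    """Mask arithmetic for an IPv4 prefix length: dotted netmask, wildcard
    (host) mask, total addresses and usable host addresses. /31 and /32
    have no separate network/broadcast address to subtract."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefixlen}")
    usable = net.num_addresses if prefixlen >= 31 else net.num_addresses - 2
    return {
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "addresses": net.num_addresses,
        "usable": usable,
    }


if __name__ == "__main__":
    # Constructed sample: node 1 is .21, node 2 is .22, as in drwho17's post.
    for mask in (24, 32):
        node1 = f"192.168.1.21/{mask}"
        print(node1, "-> 192.168.1.22:", delivery(node1, "192.168.1.22"),
              "| reachable with isolation on:",
              reachable(node1, "192.168.1.22", client_isolation=True))
    for p in (30, 32):
        print(f"/{p}", subnet_facts(p))
```

Running it shows the two cases the thread argues about side by side: with a /24 the host treats its neighbour as on-link and the frame dies at the isolated AP, while with a /32 (or any mask that puts the neighbour outside the connected prefix) the packet goes up to the router, so the outcome then depends on that router relaying it, not on the AP.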
Veteran Member
Josh_SPITwSPOTS
Posts: 16786
Kudos: 4801
Solutions: 111
Registered: 11-20-2011

Re: Client isolation question

No, he's just got his subnetting wrong.
For example.
192.168.1.21 255.255.255.0 - node 1
192.168.1.22 255.255.255.0 - node 2
If you assign those to two WANs and enable isolation, neither will be able to talk to the other on that subnet, and it won't try to route it.
192.168.1.21 255.255.255.255 node 1
192.168.1.22 255.255.255.255 node 2
All traffic will go out the default route, and they will be able to communicate this way.

I'm massively confused, because in setting up enterprise-level cisco/juniper/hp gear, I have never used nor seen anybody use a netmask of 255.255.255.255. I can't find any reason in talking to peers (many of whom work for hurricane electric, global crossing, etc. in the NOC) as to why you would do that.
Care to explain? I can see why it would work in your case, it just seems bad practice. (Kind of like using a heavy wrench for a hammer)
note: Be aware, I understand that it is a mask for a single network host.
note2: Are you still VLANing for level 2 separation?
question: You don't use multicast for anything, do you?
Ubiquiti Employee
UBNT-Matt
Posts: 5286
Kudos: 2091
Solutions: 50
Contributions: 39
Registered: 11-27-2007

Re: Client isolation question

No, he's just got his subnetting wrong.

For example.
192.168.1.21 255.255.255.0 - node 1

192.168.1.22 255.255.255.0 - node 2

If you assign those to two WANs and enable isolation, neither will be able to talk to the other on that subnet, and it won't try to route it.

192.168.1.21 255.255.255.255 node 1
192.168.1.22 255.255.255.255 node 2

All traffic will go out the default route, and they will be able to communicate this way.


You can't use a subnet mask of 255.255.255.255...

He will need to properly subnet, split into smaller subnets, like /30 (255.255.255.252).
If he used a subnet mask of 255.255.255.255, his device would not even be in the same broadcast domain as the "default gateway".
Established Member
drwho17
Posts: 2036
Kudos: 117
Solutions: 3
Registered: 08-02-2008

Re: Client isolation question

I'm massively confused, because in setting up enterprise-level cisco/juniper/hp gear, I have never used nor seen anybody use a netmask of 255.255.255.255. I can't find any reason in talking to peers (many of whom work for hurricane electric, global crossing, etc. in the NOC) as to why you would do that.

Care to explain? I can see why it would work in your case, it just seems bad practice. (Kind of like using a heavy wrench for a hammer)

Yea, you are confused; you can do it that way, but it's not how you would typically hand out IP's to a large number of users. You are talking about PTP links, where both ends need to share the same subnet to run routing protocols, or just because it is easier to explain when interconnecting with other providers.

I use a Redback, for example, and hand out single IP's with a 255.255.255.255 mask to each of my residential DSL/Wireless clients; this works in the same manner with Cisco.