1 (edited by breed 2008-02-27 16:23:28)

Topic: Security - blocking inter client traffic

QUESTION:

I have an openwrt (x-wrt) / chillispot running on a wrt54gl with openwrt wrt54gl APs attached to the LAN ports via CAT5 operating a public wisp. The wlan and lan ports are bridged together as br0 and this is the interface that Chilli is managing and the wlan interface for IPTABLES.

On the APs I enabled 'Isolate WLAN clients' (which is inter BSS or layer 2 blocking), and as desired, 2 clients on the same AP are not able to network together. However, clients attached to different APs are able to network together and I would like a suggestion on how to block this.

My initial thinking is to utilize IPTABLES to block all traffic from br0 to br0. However:

1. I do not have much experience with IPTABLES and I have been unable to decipher online websites.
2. I do not understand exactly how Chillispot works with IPTABLES.

Do you think that it is feasible to use IPTABLES to accomplish my goal - layer 2 blocking/isolation of all clients attached to the network? If yes, please provide specific IPTABLES rule / configuration.

Re: Security - blocking inter client traffic

SOLVED:

With some help, I found a few references in the openwrt forum; apparently there is a problem with iptables and bridged interfaces in the 2.4 kernel. One solution that I am still testing and appears to work is to install and load the ebtables module. However, some references indicate that this slows performance of the bridge (I have not noticed this yet and will update the forum if it becomes an issue).

> ipkg install ebtables

> insmod /lib/modules/2.4.30/ebtables.o
> insmod /lib/modules/2.4.30/ebtable_filter.o
> insmod /lib/modules/2.4.30/ebtable_broute.o

Then iptables works as expected for bridged interfaces. I added the modules to a startup script so they load at boot.
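As an added example (not the poster's own startup script), here is what such a boot script can look like: it loads the three ebtables modules named above and then installs the iptables rule the question asked for, dropping any frame that both enters and leaves on br0 (client to client across the bridge). The exact iptables rule, the APPLY/DRY_RUN switch and the module-already-loaded check are my assumptions; traffic between two ports of the same switch chip never reaches the bridge, so this rule does not cover that case.

```sh
#!/bin/sh
# Added example for the OpenWrt 2.4 / Chillispot setup in this thread.
# Loads the ebtables modules so bridged IP traffic traverses iptables,
# then drops traffic that is bridged from br0 back to br0.

MODDIR="${MODDIR:-/lib/modules/2.4.30}"   # kernel version from the post
BRIDGE="${BRIDGE:-br0}"                   # bridge that Chilli manages

# Run with APPLY=1 on the router; otherwise commands are only printed.
if [ "${APPLY:-0}" = "1" ]; then DRY_RUN=0; else DRY_RUN=1; fi

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load a module only if /proc/modules does not already list it.
load_module() {
    name="$1"
    if [ "$DRY_RUN" != "1" ] && grep -q "^$name " /proc/modules 2>/dev/null; then
        return 0
    fi
    run insmod "$MODDIR/$name.o"
}

# With ebtables loaded, frames bridged between ports of br0 pass through the
# FORWARD chain with -i br0 -o br0, so they can be dropped there. Client to
# gateway traffic is delivered locally (INPUT) and is not matched (assumption).
isolate_bridge() {
    # Old iptables has no rule check (-C); delete first so reruns do not duplicate.
    run iptables -D FORWARD -i "$BRIDGE" -o "$BRIDGE" -j DROP 2>/dev/null
    run iptables -I FORWARD -i "$BRIDGE" -o "$BRIDGE" -j DROP
}

client_isolation_setup() {
    load_module ebtables
    load_module ebtable_filter
    load_module ebtable_broute
    isolate_bridge
}

client_isolation_setup
```

Verify on the router with `iptables -L FORWARD -v` and confirm that the DROP counters rise when two wireless clients on different APs try to reach each other.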

Re: Security - blocking inter client traffic

CONTINUED:

The solution above works for blocking the traffic between the WLAN and the LAN, however traffic continues to route to 2 or more devices attached to the LAN interface (I do not know much about networking, but it appears that the packets are being routed by the physical interface before they get to br0). To solve this, I made each LAN port a separate VLAN and attached each VLAN to br0 (the bridge) and this effectively blocked the traffic from client to client, when there are no shared nodes between the client and the Chillispot router. I have not tested it where there are nodes in between, but I expect that it will behave the same and I will need to add the ebtables and appropriate iptables rules.

For more info on configuring VLANs - http://wiki.openwrt.org/OpenWrtDocs/Configuration#head-1f582c0ad21a03a769e00c345743d6cf85ba878f