Access point clients isolation

Asked by Andrea Grandi on 2011-04-13

I've noticed that when clients are associated with the access point and authenticated by Authpuppy, not only can they access the Internet (and this is ok), but they can also:

- ping themselves
- ping other networks

For example: suppose the local network has 192.168.1.x addresses, and the wifi router with WifiDog acts as gateway with the 192.168.2.1 address. The authenticated clients get, for example, the IPs 192.168.2.10 and 192.168.2.24.

- 192.168.2.10 can ping 192.168.2.24
- 192.168.2.10 can ping 192.168.1.x ip addresses

I'd like to avoid this. At least I'd like to prevent 192.168.2.10 from pinging 192.168.1.x IP addresses.
How can I fix this? I think it would be better to keep the shared network and the local network separated, for security reasons.

Question information

Language: English
Status: Solved
For: AuthPuppy
Assignee: No assignee
Solved by: gbastien
Solved: 2011-04-15
Last query: 2011-04-15
Last reply: 2011-04-13

Best gbastien (gbastien02) said : #1

On your router, you have to edit the file /etc/wifidog.conf (or /etc/config/wifidog.conf). Around line 192, you have the following rule:

FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    ## Use the following if you don't want clients to be able to access machines on
    ## the private LAN that gives internet access to wifidog. Note that this is not
    ## client isolation; The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

Uncomment the appropriate lines and you should be ok.
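
A way to check the file after editing it, as an added example that is not part of the original answer or of the WiFiDog project: it reads the active (uncommented) FirewallRule lines of the global ruleset and reports the first rule that matches a destination. The sample config is constructed, `active_rules` and `verdict` are hypothetical helper names, and first-match evaluation in file order is an assumption.

```python
import ipaddress
import re

# Constructed sample: the answer's ruleset with only the 192.168.0.0/16 line uncommented.
SAMPLE_CONF = """\
FirewallRuleSet global {
    #FirewallRule block tcp port 25
    FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8
}
"""

RULE_RE = re.compile(
    r"^FirewallRule\s+(?P<action>\w+)"
    r"(?:\s+(?P<proto>tcp|udp|icmp))?"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"(?:\s+to\s+(?P<dest>\S+))?\s*$"
)

def active_rules(conf_text, ruleset="global"):
    """Return the uncommented FirewallRule lines of one ruleset, in file order."""
    rules, inside = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out rules become empty lines
        if line.startswith("FirewallRuleSet"):
            inside = line.split()[1] == ruleset
        elif line == "}":
            inside = False
        elif inside and (m := RULE_RE.match(line)):
            rules.append(m.groupdict())
    return rules

def verdict(rules, dest_ip, proto="icmp", port=None):
    """Action of the first rule matching the packet (assumed first-match), else None."""
    addr = ipaddress.ip_address(dest_ip)
    for r in rules:
        if r["proto"] not in (None, proto):
            continue  # rule is limited to another protocol
        if r["port"] and int(r["port"]) != port:
            continue  # rule is limited to another port
        if r["dest"] and addr not in ipaddress.ip_network(r["dest"], strict=False):
            continue  # destination outside the rule's range
        return r["action"]
    return None

if __name__ == "__main__":
    rules = active_rules(SAMPLE_CONF)
    print({ip: verdict(rules, ip) for ip in ("192.168.1.20", "10.0.0.5")})
```

The verdict only describes traffic that is routed through the gateway. As the comment in the config says, these rules are not client isolation, so 192.168.2.10 reaching 192.168.2.24 is not affected by them.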

Andrea Grandi (andreagrandi) said : #2

Thank you so much :)
I'll try this thing as soon as possible and I'll let you know if it works for us, but it should work.

Andrea Grandi (andreagrandi) said : #3

Thanks gbastien, that solved my question.