Access point client isolation

Asked by Andrea Grandi

I've noticed that when clients are associated to the access point and authenticated by AuthPuppy, not only can they access the Internet (and this is OK), but they can also:

- ping themselves
- ping other networks

For example: suppose the local network has 192.168.1.x addresses, and the wifi router with WifiDog acts as the gateway with the address 192.168.2.1. The authenticated clients get, for example, the IP addresses 192.168.2.10 and 192.168.2.24.

- 192.168.2.10 can ping 192.168.2.24
- 192.168.2.10 can ping 192.168.1.x IP addresses

I'd like to avoid this. At least I'd like to prevent 192.168.2.10 from pinging 192.168.1.x IP addresses.
How can I fix this? I think it would be better to keep the shared network and the local network separated, for security reasons.

Question information

Language: English
Status: Solved
For: AuthPuppy
Assignee: No assignee
Solved by: gbastien
gbastien (gbastien02) said (best answer):
#1

On your router, you have to edit the file /etc/wifidog.conf (or /etc/config/wifidog.conf). Around line 192, you have the following rule:

FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    ## Use the following if you don't want clients to be able to access machines on
    ## the private LAN that gives internet access to wifidog. Note that this is not
    ## client isolation; The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

Uncomment the appropriate lines and you should be ok.
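To see what uncommenting those lines actually changes, here is an added example (my own code, not part of WifiDog, AuthPuppy, or the answer above): a small model of how the rules in FirewallRuleSet global are evaluated, run against the two cases from the question with the block lines commented out and then uncommented. The parser handles the rule syntax shown in the answer (`FirewallRule <block|drop|allow|log|ulog> [tcp|udp|icmp [port N]] [to <ip or cidr>]`). Two things are assumptions of mine rather than facts stated on the page: that each FirewallRule becomes one iptables rule in file order, so the first matching rule decides and no match falls through to the authenticated client's allow; and that the ruleset only sees traffic forwarded through the gateway, so two clients on the same wireless subnet reach each other without the gateway ever seeing the packets (which is why the config comment says this is not client isolation). The sample configuration text is constructed from the answer.

```python
"""Added example (not WifiDog's or AuthPuppy's code): model the effect of the
FirewallRuleSet global block rules in wifidog.conf on the cases from the
question. First-match evaluation and forwarded-traffic-only scope are my
assumptions about WifiDog's iptables layout, not facts stated on the page."""
import ipaddress
import re

# Constructed sample: the global ruleset from the answer with the three
# private-range block lines uncommented.
WIFIDOG_CONF = """
FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    FirewallRule block to 192.168.0.0/16
    FirewallRule block to 172.16.0.0/12
    FirewallRule block to 10.0.0.0/8

    ## Example allow rule, left commented out as on the page
    #FirewallRule allow tcp port 80 to 69.90.89.205
}
"""

# The same ruleset as shipped, i.e. with the block lines still commented out.
COMMENTED_CONF = WIFIDOG_CONF.replace("    FirewallRule block", "    # FirewallRule block")

# FirewallRule <action> [tcp|udp|icmp [port N]] [to <ip or cidr>]
RULE_RE = re.compile(
    r"^FirewallRule\s+(?P<action>block|drop|allow|log|ulog)"
    r"(?:\s+(?P<proto>tcp|udp|icmp))?"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"(?:\s+to\s+(?P<dst>\S+))?\s*$"
)


def parse_ruleset(conf, name="global"):
    """Return the active (uncommented) rules of the named FirewallRuleSet, in file order."""
    rules = []
    in_set = False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("FirewallRuleSet " + name):
            in_set = True
            continue
        if not in_set:
            continue
        if line.startswith("}"):
            break
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule: " + line)
        rules.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "port": int(m.group("port")) if m.group("port") else None,
            "dst": ipaddress.ip_network(m.group("dst"), strict=False) if m.group("dst") else None,
        })
    return rules


def evaluate(rules, dst_ip, proto="icmp", port=None):
    """First matching allow/block/drop rule decides (assumed iptables-style ordering).
    No match returns 'allow': the packet falls through to the authenticated client's allow."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["action"] in ("log", "ulog"):
            continue  # logging rules never terminate evaluation
        return r["action"]
    return "allow"


def crosses_gateway(src_ip, dst_ip, client_net):
    """True only if the packet must be routed through the gateway. Two clients in the
    same wireless subnet talk directly, so the gateway's rules never see that traffic."""
    net = ipaddress.ip_network(client_net)
    return not (ipaddress.ip_address(src_ip) in net and ipaddress.ip_address(dst_ip) in net)


def can_reach(rules, src_ip, dst_ip, client_net="192.168.2.0/24", proto="icmp", port=None):
    """Can an authenticated client at src_ip reach dst_ip under this ruleset?"""
    if not crosses_gateway(src_ip, dst_ip, client_net):
        return True  # same segment: the block rules do not apply (not client isolation)
    return evaluate(rules, dst_ip, proto, port) == "allow"


if __name__ == "__main__":
    for label, conf in (("as shipped", COMMENTED_CONF), ("block lines uncommented", WIFIDOG_CONF)):
        rules = parse_ruleset(conf)
        print(f"{label}: {len(rules)} active rule(s)")
        for dst in ("192.168.1.50", "192.168.2.24", "8.8.8.8"):
            state = "reachable" if can_reach(rules, "192.168.2.10", dst) else "blocked"
            print(f"  192.168.2.10 -> {dst}: {state}")
```

With the block lines uncommented, 192.168.2.10 can no longer reach 192.168.1.50 but still reaches the Internet, which is exactly what the question asks for. 192.168.2.10 to 192.168.2.24 stays reachable in both runs: that traffic never transits the gateway, so stopping it needs the access point's own client-isolation setting rather than anything in wifidog.conf. Note also that 192.168.0.0/16 covers the gateway's own address 192.168.2.1; how WifiDog treats traffic addressed to the gateway itself (for instance DNS) is outside this model, so check DNS resolution from a client after making the change.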

Andrea Grandi (andreagrandi) said:
#2

Thank you so much :)
I'll try this thing as soon as possible and I'll let you know if it works for us, but it should work.

Andrea Grandi (andreagrandi) said:
#3

Thanks gbastien, that solved my question.