Access point clients isolation

Asked by Andrea Grandi on 2011-04-13

I've noticed that when clients are associated to access point and authenticated by Authpuppy, not only they can access Internet (and this is ok), but they can also:

- ping themselves
- ping other networks

For example: suppose the local network has 192.168.1.x addresses, the wifi router with WifiDog acts as gateway with address. The authenticated clients get, for example, and ip.

- can ping
- can ping 192.168.1.x ip addresses

I'd like to avoid this. At least I'd like to avoid can ping 192.168.1.x ip addresses
How can I fix this? I think it would be better to keep the shared network and the local network separated, for security reasons.

Best gbastien (gbastien02) said : #1

On your router, you have to edit the file /etc/wifidog.conf (or /etc/config/wifidog.conf). Around line 192, you have the following rule:

FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    ## Use the following if you don't want clients to be able to access machines on
    ## the private LAN that gives internet access to wifidog. Note that this is not
    ## client isolation; The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to
    # FirewallRule block to
    # FirewallRule block to

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to
    #FirewallRule allow udp to
    #FirewallRule allow tcp port 80 to

Uncomment the appropriate lines and you should be ok.
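
One way to confirm the edit took effect, as an added example that is not part of the answer above or of WifiDog itself: this Python check parses the text of a wifidog.conf and reports whether an active (uncommented) `FirewallRule block to` rule in the global ruleset covers the private LAN. The sample config, its CIDR ranges, and the helper names `active_rules` and `lan_is_blocked` are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample config; the CIDR ranges are assumptions for this example.
SAMPLE_CONF = """\
FirewallRuleSet global {
    #FirewallRule block tcp port 25
    # FirewallRule block to 10.0.0.0/8
    FirewallRule block to 192.168.0.0/16
}
FirewallRuleSet known-users {
    FirewallRule allow to 0.0.0.0/0
}
"""

RULE_RE = re.compile(
    r"^FirewallRule\s+(?P<action>\w+)(?:\s+(?P<proto>tcp|udp|icmp))?"
    r"(?:\s+port\s+(?P<port>\d+))?(?:\s+to\s+(?P<dest>\S+))?\s*$")

def active_rules(conf_text, ruleset="global"):
    """Return (action, proto, port, dest) for uncommented rules in one ruleset."""
    rules, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out rules become empty
        opened = re.match(r"^FirewallRuleSet\s+(\S+)\s*\{$", line)
        if opened:
            current = opened.group(1)
        elif line == "}":
            current = None
        elif current == ruleset and (m := RULE_RE.match(line)):
            rules.append(m.group("action", "proto", "port", "dest"))
    return rules

def lan_is_blocked(conf_text, lan_cidr):
    """True if an active, protocol-unrestricted block rule covers lan_cidr."""
    lan = ipaddress.ip_network(lan_cidr)
    for action, proto, port, dest in active_rules(conf_text):
        if action != "block" or proto or port or not dest:
            continue  # only an unrestricted block covers ping and every port
        try:
            if lan.subnet_of(ipaddress.ip_network(dest, strict=False)):
                return True
        except ValueError:
            continue  # destination is not an IP/CIDR literal
    return False

if __name__ == "__main__":
    print(lan_is_blocked(SAMPLE_CONF, "192.168.1.0/24"))
```

Run it against the router's real file by passing the file's contents and the LAN subnet to `lan_is_blocked`; a `False` result means the rule for that subnet is still commented out or missing.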

Andrea Grandi (andreagrandi) said : #2

Thank you so much :)
I'll try this thing as soon as possible and I'll let you know if it works for us, but it should work.

Andrea Grandi (andreagrandi) said : #3

Thanks gbastien, that solved my question.