Raspberry Pi Forums

Dear Community,
I have setup a Hotspot on Raspberry Pi. I want to achieve client isolation using iptables. Before moving to iptables way, I tried putting flag in file. Unfortunately, it did not work for me.
Below are the steps that I took. However, it is not working. Can you kindly let me know if I have missed anything here.

1. Setup Hotspot with Hub address (Raspberry Pi) as 192.168.42.1
2. My iptables is very simple 3. Connect two machines to the hotspot WiFi. The IP address that they receive is 192.168.42.244 and 192.168.42.61

4. Now when I ping from .244 to .61 it pings. When I ssh from .244 to .61 it connects.
5. When I see output it shows
163 packets in ACCEPT chain
and 3 packets in DROP chain
But communication between the two clients is working. I am expecting it that communication should have failed.
Any help / pointers are appreciated.

Greetings.

How did you install hostapd? If you got it from sudo apt-get install hostapd, then I suggest you might get a newer source from http://w1.fi/hostapd/.

The reason is that my own experience told me the repo version act quite strange in some condition. I'm using a RT5372 based dongle, and it doesn't support some high throughput options in 802.11n, but the repo version would silently ignore those options while the official version would report error and quit.

And about the iptables rules, they won't work:
1 The INPUT table is for those packets targeted for the Pi itself, not those targeting another machine in the network. The FORWARD table is for that purpose.
2 However in your case, even if you use the FORWARD table, it won't work either. This is because the computer network has a layer architecture, if some function is done in the lower layer, then the upper layer won't need to do anything more, nor even see those function. In a LAN, data could be exchanged in layer 2, so upper layer like layer 3 or 4, won't know those data who is not targeting the machine itself. The iptables like their name, working for IP, the Internet Protocol, which is a layer 3 protocol.


I haven't implemented client isolation either.
I suggest you might get a new source from official hostapd website and try the ap_isolate=1 option again.
If that is not working, you could send an email to hostapd development mailing list to ask.

And in fact, there is something called ebtables, which is analogous to iptables, but operates at the layer 2 rather than the layer 3. It is designed to work on wired Ethernet, I don't know if it would work for wireless WiFi. If you are determined, maybe it worth a check.

Thanks allfox for your reply...

I will download new hostapd source and try. Somewhere I read that hostapd simply passes this flag to driver and driver does the trick. I have raspberry pi 3 and TP-LINK wn823n USB router. I downloaded the driver source from TP-LINK site and compiled to make it work on Pi.

Your iptables and Layer 2 logic makes sense, that made me research a bit more.
I came across this link https://forum.openwrt.org/viewtopic.php?id=62557 where it seems that "rtrimana" has managed to achieve the same thing, but with OpenWRT. I tried to follow his instructions, but on Raspberry Pi

1. set ap_isolate in hostapd.conf
2. created a bridge br0 between wlan0 and eth0 in file
3. Set hairpin mode on bridge //this makes all the data pass through bridge
4. made entry with ebtables to drop messages reaching 102 destination to begin with. This did not work for me. Few things I noticed in between
1. my dnsmasq.conf has DHCP range as 192.168.42.* and wlan0 has a static address of 192.168.42.1, but post bridge the IP address I received was in the range of 192.168.0.* which is the range of my eth0

Was wondering if this feature ap_isolate will only work with OpenWRT? As given in https://forum.openwrt.org/viewtopic.php?id=62557

No, on Raspbian, ap_isolate=1 would work too.
I've just tried the ap_isolate=1 option on my own AP, it just work. No iptables nor ebtables is needed. I got a small web server on my PC, and connect to it using a tablet. ap_isolate=1 made a difference.

A Pi router is a system that require every components in it work in harmony, and to me, it's a little complex system. It's a topic I followed since my first Pi 1B. I acquired some info during my learning path, however, every time when I'm thinking about post them, there comes some new info that make me think I need more learning before I post.

Anyway, I'm posting some of my known here:

For a Pi AP, the core components are the hostapd demon and the wireless dongle's driver. They must work, and must be being maintained by some developers. So, the popular Realtek wireless chip is a poor choice, because there is no good open source driver in the kernel yet. To use it, a driver from Realtek is required, and that driver is, well, buggy. And Realtek do not support the mac80211 subsystem in the kernel, they have their own wireless stack, so we would have to use a special hostapd demon from Realtek either, it's just so old, and not being maintained. The open source community is developing a new driver named rtl8xxxu, but it's not ready for AP yet.

I checked the kernel driver list, there are two USB based 802.11n chip driver looks promising: ath9k_htc and rt2800usb.

The former one would work, but somewhat slow. Because the Atheros AR9001 and AR9002 family hardware is 1 transmitter 1 receiver chip. There is no way for them to work as MIMO. And they are 2.4GHz chip, not 5GHz.

The latter one, are for hardware from Ralink. There are some 2 transmitter 2 receiver chips. And some of them, can do 5GHz. Just read the chip's naming pattern:
RT5370 - 1 transmitter 1 receiver
RT5372 - 2 transmitter 2 receiver
RT5572 - 2 transmitter 2 receiver and able to work in 5GHz.

RT3070 - 1 transmitter 1 receiver, old
RT3072 - 2 transmitter 2 receiver, old


I'm using a RT5372 dongle and a RT5572 dongle on a Raspberry Pi 3, to build an AP working in both 2.4GHz and 5GHz. I have two hostapd demon running at the same time, one for 2.4GHz with RT5372, another for 5GHz with RT5572. I tested the ap_isolate=1 option with RT5372 dongle in 2.4GHz.

I'm using the official hostapd 2.6, not the repo version.

So I'm suggesting that maybe you could pick a new wireless dongle with RT5372 in it.
Today those manufacturer nameing their products by their own rule. It would be difficult to tell what chip is in a dongle. And TP-LINK is using the trick that put different chip in a same product. Seeing TP-LINK 823 dongle, there is no guarantee on what chip is in it. You could need to search on the very chip name, or just bring a laptop to the local market to check the dongle.

If you do so, here is a note: the firmware from repo's firmware-ralink package has version 0.29, there are some reports on the Internet say its hardware cipher has some issue. There is a new version from Ralink, version 0.33, you could find it on Ralink's website. Google this to find out how to extract it.

@allfox THANK YOU VERY MUCH FOR THIS POST!

You made my day (or my month)! I made so many test with different configuration and read so many posts. And finally your suggestion with a RT5372 was the solution!

My hostapd.conf for a WIDE OPEN Access Point looks like this:
Maybe this helps with another project.

I have searched in the webshops explicitly for "RT5372" and found some suppliers.

Thanks once again!

Regards
Forelli