
I have a routed access point running on a Raspberry Pi and would like to filter the traffic going between devices using something similar to iptables, for traffic such as:

Desktop.wlan > phone.wlan

I know that you can't use iptables, as it deals with layer 3 filtering. I tried using nftables with its ingress filtering, but I still cannot filter the communication. But I did notice something change when using a rule such as this:

nft add chain netdev filter input { type filter hook ingress device wlan0 priority -500 \; policy accept \; }

nft add rule netdev filter input ether saddr DESKTOP=MAC-ADDR counter drop

This caused the tracert from desktop to 10.0.0.10 (phone.wlan) to change from

Tracing route to phone.wlan over a maximum of 30 hops

to

Tracing route to 10.0.0.10 over a maximum of 30 hops

I don't know if this means anything is happening, but this only occurs when I have that rule in place. Unfortunately, the two can still communicate with this rule in place. I don't want to use ap_isolate=1, as I want my clients to still be able to talk to one another, but I wish to be able to filter that traffic.

Does anyone know if there is a way to filter my network? Let me know if more information is needed.

1 Answer


APs automatically do intra-BSS relay (relaying frames from one client STA to another within the same BSS), and this is usually done right in the 802.11 MAC (the wireless chipset), before the host OS ever sees or knows anything about the traffic, much less has any chance to act on it.

hostapd's ap_isolate=1 just disables intra-BSS relay in the 802.11 chipset. This is part of what you need in your case, because you want the traffic between wireless client devices to go up to the host OS's network stack first, so that you can apply filter rules there before sending some packets (the ones the filter doesn't block) along to the other clients.

Unfortunately, I don't think most software bridging code would be smart enough to know to send the packet back out the same interface it came in on, because that's usually a bridging no-no, as it would cause packets to continuously ping pong between bridges/switches/hubs.

So in theory you can do what you're asking, but whether or not there's an easy way to set it up in whatever OS you're running on your AP device is a different question.

  • Okay, that's actually really helpful thank you. At least now I know it's not impossible. Now I just need to try and figure out how to do it.
    – Gozzerz
    Commented Apr 1, 2021 at 10:06
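The split the answer sketches (chipset relay off, traffic up to the host, filtering there, then back out the same interface), as an added example that is not code from the question, the answer, or hostapd. It assumes hostapd runs wlan0 as a port of bridge br0 (hostapd.conf: bridge=br0, ap_isolate=1), that Linux bridge "hairpin" mode is what allows a frame to be forwarded back out the port it arrived on, and that an nftables bridge-family forward rule then drops desktop-to-phone frames by MAC; the MAC addresses are constructed placeholders.

```shell
# Added example (not from the question or the answer). Assumed setup:
# hostapd.conf has bridge=br0 and ap_isolate=1, so the chipset no longer relays
# client-to-client frames and they reach br0 on the host. Hairpin mode on the
# wlan0 bridge port lets br0 send such a frame back out wlan0, and a bridge-family
# nftables forward rule decides which frames are allowed to make that trip.
DESKTOP_MAC="02:00:00:00:00:01"   # constructed placeholder
PHONE_MAC="02:00:00:00:00:02"     # constructed placeholder

# Reject anything that is not a colon-separated 48-bit MAC before it reaches nft.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit the nftables ruleset: one bridge-family table whose forward chain drops
# frames from $1 to $2 and counts everything else, so blocked and passed traffic
# both show up in `nft list ruleset` counters instead of silently vanishing.
client_filter_ruleset() {
    valid_mac "$1" && valid_mac "$2" || return 1
    cat <<EOF
table bridge clientfilter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ether saddr $1 ether daddr $2 counter drop
        counter
    }
}
EOF
}

# Apply on the AP (needs root, and hostapd already running with ap_isolate=1):
# enable hairpin on the wlan0 port of br0, then load the ruleset from stdin.
apply_client_filter() {
    bridge link set dev wlan0 hairpin on
    client_filter_ruleset "$DESKTOP_MAC" "$PHONE_MAC" | nft -f -
}
```

Only desktop-to-phone frames are dropped; phone-to-desktop traffic still passes, so a second rule with the MACs swapped is needed if the block should apply in both directions.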

