AP Isolate Has No Effect

Hooman mailinglister.hooman at gmail.com
Tue Jun 23 14:35:13 EDT 2020


An update on this. As I said setting `ap_isolate` through `wpa_cli` has
no effect.

However, I tried setting up my wifi access point using hostap with a
config file that has `ap_isolate=1` in it and I can verify that packets
between local hosts on the network created by the access point are blocked.

My guesses are:

  * Either `wpa_cli` is not doing what it's supposed to do, or something
    else that it calls to set this flag (maybe the mac80211 or something
    else). The appropriate flag (IEEE80211_SDATA_DONT_BRIDGE_PACKETS =
    BIT(3)) is not set for the device under
    `/sys/kernel/debug/ieee80211/*/netdev*/flags` when I set the
    `ap_isolate` to 1 in the `wpa_cli`.
  * The other possibility is that I might need to restart the access
    point. In other words, maybe this flag needs to be set during the
    access point creation. I have not tested this, since I don't know
    exactly how to do this, i.e., restart the access point with the same
    configuration through the `wpa_cli` just changing the `ap_isolate`
    option.

-Hooman
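Two checks for the open questions in this thread, plus the hostapd setting that worked, as an added shell example that is not code from the thread or from the hostap project. It assumes debugfs is mounted at /sys/kernel/debug, that it runs as root, and that the flag bit is the BIT(3) value quoted above; the channel, band and passphrase placeholder in the generated hostapd config are assumptions as well. The iptables and ebtables rules discussed below never see station-to-station traffic because, with the flag clear, mac80211 retransmits a frame addressed to another associated station before it reaches the IP stack, so the debugfs flag is the authoritative check.

```shell
#!/bin/sh
# Added example, not code from the hostap thread. Three helpers:
#   1. ap_isolate_flag_set / report_ap_isolation: is the mac80211
#      "don't bridge packets" flag set on the AP netdev?
#   2. report_bridge_hairpin: is the AP interface a bridge port, and does
#      that port have hairpin mode on?
#   3. hostapd_isolated_conf: minimal hostapd.conf with ap_isolate=1.
# Assumptions: debugfs at /sys/kernel/debug, running as root, and the bit
# value 8 (= BIT(3)) is IEEE80211_SDATA_DONT_BRIDGE_PACKETS as quoted above.

DONT_BRIDGE_BIT=8

# ap_isolate_flag_set VALUE
#   VALUE is the content of a netdev*/flags debugfs file ("0x8", "0", "0xb").
#   Succeeds when bit 3 is set, fails otherwise; a non-hex VALUE is treated
#   as "not set" instead of raising an arithmetic error.
ap_isolate_flag_set() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$value" in 0x*|0X*) value=${value#0?} ;; esac
    case "$value" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( 0x$value & DONT_BRIDGE_BIT )) -ne 0 ]
}

# report_ap_isolation
#   Walks every mac80211 netdev in debugfs and reports whether
#   station-to-station forwarding inside the AP is disabled.
report_ap_isolation() {
    base=/sys/kernel/debug/ieee80211
    found=0
    for f in "$base"/phy*/netdev*/flags; do
        [ -r "$f" ] || continue
        found=1
        dev=${f%/flags}; dev=${dev##*/netdev:}
        if ap_isolate_flag_set "$(cat "$f")"; then
            echo "$dev: DONT_BRIDGE_PACKETS set -> ap_isolate is effective"
        else
            echo "$dev: DONT_BRIDGE_PACKETS clear -> clients can reach each other via the AP"
        fi
    done
    [ "$found" -eq 1 ] || echo "no netdev flags under $base (debugfs mounted? running as root?)"
}

# report_bridge_hairpin [IFACE]
#   A bridge port has /sys/class/net/<port>/brport; its 'bridge' symlink
#   names the master and 'hairpin_mode' reads 1 when hairpinning is on.
report_bridge_hairpin() {
    want=${1:-}
    found=0
    for d in /sys/class/net/*; do
        dev=${d##*/}
        if [ -n "$want" ] && [ "$dev" != "$want" ]; then continue; fi
        [ -d "$d/brport" ] || continue
        found=1
        master=$(readlink "$d/brport/bridge" 2>/dev/null || true); master=${master##*/}
        hairpin=$(cat "$d/brport/hairpin_mode" 2>/dev/null || echo '?')
        echo "$dev: port of bridge ${master:-?}, hairpin_mode=$hairpin"
    done
    [ "$found" -eq 1 ] || echo "no bridge ports found${want:+ for $want} (consistent with an empty 'brctl show')"
}

# hostapd_isolated_conf IFACE SSID
#   Minimal hostapd.conf with client isolation on, the form the thread found
#   effective. Band, channel and the passphrase placeholder are assumptions.
hostapd_isolated_conf() {
    cat <<EOF
interface=$1
driver=nl80211
ssid=$2
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-placeholder
# Drop frames between associated stations inside the AP.
ap_isolate=1
EOF
}

report_ap_isolation
report_bridge_hairpin "${1:-}"
```

Run it as root after changing `ap_isolate` through `wpa_cli`: if `report_ap_isolation` still shows the flag clear for the AP netdev, the setting was accepted by wpa_supplicant but never pushed to the driver, which is the symptom described above.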

On 6/22/20 1:44 PM, Hooman wrote:
> Hi,
>
>
> On 6/18/20 2:01 AM, Thomas Pedersen wrote:
>> On 2020-06-17 23:00, Thomas Pedersen wrote:
>>> On 2020-06-14 13:10, Hooman wrote:
>>>> I have created a WiFi hotspot using Ubuntu 20.04. Under the hood it uses
>>>> wpa_supplicant to create the AP. I'm trying to enable client isolation,
>>>> so that devices on the hotspot network cannot send packets to each
>>>> other. So once the hotspot is set up, I do the following:
>>>>
>>>> # sudo wpa_cli -i wlan0
>>>> > set ap_isolate 1
>>>> OK
>>>> > get ap_isolate
>>>> 1
>>>>
>>>> So I see that AP isolate is enabled. However, I still can send packets
>>>> from one device to another on the hotspot network. Why is that? Am I
>>>> missing something?
>>> Are the AP and STA interfaces on a bridge with hairpinning enabled?
>> Sorry, obviously meant just the AP interface.
>>
> Thank you for your response.
>
> I don't see any bridge information when I run the brctl command:
>
>> root at myuser:~# brctl show
>> bridge name    bridge id        STP enabled    interfaces
> The list is empty. Can you tell me how I can check if there's a bridge
> with hairpinning on the interface?
>
>
> Also to give you some background and info about my setup. I am using
> Ubuntu 18.04 default hotspot feature.
>
> The hotspot creates a network on subnet on my wifi interface:
>
>
>> root at myuser:~# ifconfig
>> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>         inet 25.02.224.105  netmask 255.255.252.0  broadcast 25.02.227.255
>>         inet6 fe80::3521:18e2:11d9:7c70  prefixlen 64  scopeid 0x20<link>
>>         ether 2e:61:a5:b2:3d:88  txqueuelen 1000  (Ethernet)
>>         RX packets 1144162  bytes 508133990 (508.1 MB)
>>         RX errors 0  dropped 0  overruns 0  frame 0
>>         TX packets 89831  bytes 7271961 (7.2 MB)
>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>         device interrupt 17  memory 0xb1200000-b1220000 
>
>> wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>         inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
>>         inet6 fe80::c112:bd92:d15:ea96  prefixlen 64  scopeid 0x20<link>
>>         ether ac:6f:d2:2a:1b:9a  txqueuelen 1000  (Ethernet)
>>         RX packets 0  bytes 0 (0.0 B)
>>         RX errors 0  dropped 0  overruns 0  frame 0
>>         TX packets 92  bytes 11830 (11.8 KB)
>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> Some other info about the setup:
>
>> root at myuser:~# ip link show
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
>>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
>>      link/ether 2e:61:a5:b2:3d:88 brd ff:ff:ff:ff:ff:ff
>> 3: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
>>      link/ether ac:6f:d2:2a:1b:9a brd ff:ff:ff:ff:ff:ff
>
>> root at myuser:~# ip rule show
>> 0:    from all lookup local
>> 32766:    from all lookup main
>> 32767:    from all lookup default
>
>> root at myuser:~# ip route show
>> default via 25.02.224.1 dev eth1 proto dhcp metric 100
>> 10.42.0.0/24 dev wlan1 proto kernel scope link src 10.42.0.1 metric 600
>> 25.02.224.0/22 dev eth1 proto kernel scope link src 25.02.224.105 metric 100
>> 169.254.0.0/16 dev eth1 scope link metric 1000
>
>> root at myuser:~# ip netconf
>> ipv4 dev lo forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv4 dev eth1 forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv4 dev wlan1 forwarding on rp_filter strict mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv4 all forwarding on rp_filter strict mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv4 default forwarding on rp_filter strict mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv6 dev lo forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv6 dev eth1 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv6 dev wlan1 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv6 all forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>> ipv6 default forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
>
>> root at myuser:~# brctl show
>> bridge name    bridge id        STP enabled    interfaces
>
>> root at myuser:~# arp -a
>> ? (25.02.224.104) at 2e:61:a5:b2:3e:25 [ether] on eth1
>> ? (10.42.0.57) at f6:2e:23:4b:72:ae [ether] on wlan1
>> ? (25.02.224.1) at 00:00:0c:9f:f0:e0 [ether] on eth1
>
> The hotspot feature creates some iptables rules:
>
>> root at myuser:~# iptables -vL -t filter
>> Chain INPUT (policy ACCEPT 284K packets, 89M bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>>      0     0 ACCEPT     udp  --  wlan1  any     anywhere             anywhere             udp dpt:bootps
>>      0     0 ACCEPT     tcp  --  wlan1  any     anywhere             anywhere             tcp dpt:bootps
>>      0     0 ACCEPT     udp  --  wlan1  any     anywhere             anywhere             udp dpt:domain
>>      0     0 ACCEPT     tcp  --  wlan1  any     anywhere             anywhere             tcp dpt:domain
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>>      0     0 ACCEPT     all  --  any    wlan1   anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
>>      0     0 ACCEPT     all  --  wlan1  any     10.42.0.0/24         anywhere
>>      0     0 ACCEPT     all  --  wlan1  wlan1   anywhere             anywhere
>>      0     0 REJECT     all  --  any    wlan1   anywhere             anywhere             reject-with icmp-port-unreachable
>>      0     0 REJECT     all  --  wlan1  any     anywhere             anywhere             reject-with icmp-port-unreachable
>> Chain OUTPUT (policy ACCEPT 13186 packets, 1539K bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>>
>> root at myuser:~# iptables -vL -t nat
>> Chain PREROUTING (policy ACCEPT 110K packets, 27M bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain INPUT (policy ACCEPT 110K packets, 27M bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain OUTPUT (policy ACCEPT 1309 packets, 99285 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain POSTROUTING (policy ACCEPT 1276 packets, 96891 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>>     33  2394 MASQUERADE  all  --  any    any     10.42.0.0/24         !10.42.0.0/24
>>
>> root at myuser:~# iptables -vL -t mangle
>> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>>
>> root at myuser:~# iptables -vL -t raw
>> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>>
>> root at myuser:~# iptables -vL -t security
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source               destination
>
> There are no ebtables rules:
>
>> root at myuser:~# ebtables -t broute -L
>> Bridge table: broute
>>
>> Bridge chain: BROUTING, entries: 0, policy: ACCEPT
>>
>>
>> root at myuser:~# ebtables -t filter -L   
>> Bridge table: filter
>>
>> Bridge chain: INPUT, entries: 0, policy: ACCEPT
>>
>> Bridge chain: FORWARD, entries: 0, policy: ACCEPT
>>
>> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>>
>>
>> root at myuser:~# ebtables -t nat -L
>> Bridge table: nat
>>
>> Bridge chain: PREROUTING, entries: 0, policy: ACCEPT
>>
>> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>>
>> Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
>>  
>
> Now Machine A is on 10.42.0.34 and Machine B is on 10.42.0.57.
>
> Machine A (10.42.0.34) can ping Machine B (10.42.0.57) and can also
> ping 8.8.8.8 (external: Google).
>
> These ebtables rules don't have any effect:
>
>
>> sudo ebtables -t broute -F
>> sudo ebtables -t broute -P BROUTING DROP
>>
>>
>> sudo ebtables -t nat -F
>> sudo ebtables -t nat -P PREROUTING DROP
>> sudo ebtables -t nat -P OUTPUT DROP
>> sudo ebtables -t nat -P POSTROUTING DROP
>>
>>
>> sudo ebtables -t filter -F
>> sudo ebtables -t filter -P INPUT DROP
>> sudo ebtables -t filter -P OUTPUT DROP
>> sudo ebtables -t filter -P FORWARD DROP
>
> The following iptables rules stop packets from Machine A to Google but
> not from Machine A to B:
>
>> sudo iptables -t mangle  -I PREROUTING -j DROP
>> sudo iptables -t filter -I FORWARD -j DROP
>> sudo iptables -t raw  -I PREROUTING -j DROP
>
> The only way I can stop packets from Machine A to B for a few seconds is
> to flush the ARP cache by running:
>
>>   sudo  ip -s -s neigh flush all



More information about the Hostap mailing list