Ap_isolate behavior.

Mark K Vallevand mvallevand at q.com
Thu Sep 9 16:58:17 PDT 2021

I've been looking at the kernel sources, and it should behave correctly when ap_isolate=1.
I suspect that it might be some networking thing that I don't understand or have mis-configured.
What I have is an ethernet bridge with wi-fi and ethernet slaves.  The bridge is used for some packet inspection and to get traffic into our solution.
When I have 2 stations connected to wi-fi and ap_isolate=0, the stations can talk to each other, and I can see their traffic using tcpdump on the wi-fi interface.  I do not see their traffic on the bridge.  So, aha I say.  Set ap_isolate=1.
When I have 2 stations connected to wi-fi and ap_isolate=1, the stations cannot talk to each other, and I cannot see their traffic using tcpdump on the wi-fi interface.  I do not see their traffic on the bridge (of course).
What I want is 2 stations connected to wi-fi to forward frames to the bridge and then back out the wi-fi.  If that makes sense.

Mark K Vallevand 

Cats were once worshiped as gods. They have not forgotten this. 
- Terry Pratchett

----- Original Message -----
From: "Sergey Ryazanov" <ryazanov.s.a at gmail.com>
To: "Mark Vallevand" <mvallevand at q.com>
Cc: "hostap" <hostap at lists.infradead.org>
Sent: Thursday, September 9, 2021 5:40:23 PM
Subject: Re: Ap_isolate behavior.

Hello Mark,

On Fri, Sep 10, 2021 at 12:37 AM Mark K Vallevand <mvallevand at q.com> wrote:
> I have two stations connected to an access point.
> The stations can communicate with each other.  According to the docs, hostapd allows this low-level bridging by default.
> If I set the ap_isolate=1, the bridging is disabled and the stations cannot communicate.
> However, it appears the the frames are not forwarded upstream either.

Sounds like a kernel bug or some misconfiguration. There is too little
information to say what exactly went wrong. Recheck traffic forwarding
or post full hostap configuration and related network subsystem
settings (e.g. bridges configuration, routes, etc.).

> Is there a way to disable the bridging done by hostapd and make it forward all frames from connected stations?

ap_isolate=1 should be enough.

> Will per_sta_vif=1 be of any use?

You need per_sta_vif=1 to apply some advanced inter-client filtering,
e.g. block SMB protocol while allowing any other communications. If
you need to fully block direct client-to-client communications within
BSS, then use the ap_isolate option instead.


More information about the Hostap mailing list