Client isolation in Wi-Fi

Wireless client isolation — how does it work, and can it be bypassed?

Many SOHO routers these days support a feature called "wireless client isolation", or similar. What this is supposed to do, in principle, is to limit the connectivity between wireless clients connected to the AP. Wireless clients can talk to the LAN, and reach the Internet if such a connection is available, but they cannot communicate with one another. How is this achieved? Are there any particular weaknesses which would allow this to be easily bypassed?

Seems like this would be trivial to implement — just drop all packets sent to the local subnet (besides the router itself). This is just a comment since I have no idea if they actually do it this way.

@BrendanLong "just drop all packets sent to the local subnet (besides the router itself)." drop broadcasts?

2 Answers

The implementation that I’ve seen of this is done by fiddling with the MAC forwarding table on the access point. Since the access point simply acts as a network bridge, it is fairly well suited to this kind of task. At the switching layer it is already collecting all of the heard (sometimes called learned) MACs and which interface it can be found on.

The logic looks kind of like this:

  1. Access Point receives a packet over the wireless interface
  2. Bridging subsystem examines packet for destination MAC
  3. If destination MAC is in the learned switching table for wireless interface -> DROP
  4. Otherwise forward packet via wired interface

Because of the way network bridges work, I see it as fairly difficult to trick the access point into forwarding a packet to a client in spite of the isolation. Your best bet would be to attempt to talk directly to the other client, as if you were operating with an ad-hoc network.

You’re going about this all wrong, curiousguy. You should have said "It’s impossible to talk directly to a client as if you were operating an ad-hoc network." Scott would have typed a novel.

@curiousguy you’ll need a Wi-Fi adapter that supports injection, and you’ll have to forge packets, after you get the correct link keys
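To make the forwarding decision in the first answer concrete, here is a toy model of that bridge-table logic (an added example, not code from the answer or from any router firmware). It also models the broadcast question raised in the comments under the question by assuming that an isolating AP forwards a client's broadcast only toward the wire and never re-transmits it to the other wireless clients; the port names, the `IsolatingBridge` class and the MAC addresses are all constructed.

```python
BCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (low bit of octet 0) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class IsolatingBridge:
    """Two-port learning bridge: "wlan" (all Wi-Fi clients) and "wired" (LAN/uplink)."""

    def __init__(self, isolate: bool = True):
        self.isolate = isolate
        self.fdb = {}  # learned forwarding table: source MAC -> port it was heard on

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Return the egress ports for one frame; an empty list means DROP."""
        self.fdb[src] = in_port  # learn (or refresh) where src lives

        if is_group_address(dst):
            # Wi-Fi stations cannot hear each other in infrastructure mode, so a
            # normal AP re-transmits group traffic on wlan as well as on the wire.
            out = ["wired", "wlan"] if in_port == "wlan" else ["wlan"]
            if self.isolate and in_port == "wlan":
                out.remove("wlan")  # assumption: isolation never reflects it back
            return out

        learned = self.fdb.get(dst)
        if in_port == "wlan":
            if learned == "wlan":
                return [] if self.isolate else ["wlan"]  # step 3: client-to-client
            return ["wired"]  # step 4: anything else goes out the wire
        # Frame from the wire: drop if dst is already on the wire, else to wlan
        return [] if learned == "wired" else ["wlan"]


def demo(isolate: bool = True) -> dict:
    """Two Wi-Fi clients (A, B) and a wired NAS; all MACs are constructed."""
    a, b, nas = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
    bridge = IsolatingBridge(isolate)
    bridge.receive("wlan", a, BCAST)  # A's ARP request teaches the bridge A is on wlan
    bridge.receive("wlan", b, BCAST)
    bridge.receive("wired", nas, a)   # NAS replies; learned on the wire
    return {
        "A->NAS": bridge.receive("wlan", a, nas),
        "A->B": bridge.receive("wlan", a, b),
        "NAS->B": bridge.receive("wired", nas, b),
        "A->bcast": bridge.receive("wlan", a, BCAST),
    }
```

Calling `demo(True)` and `demo(False)` side by side shows that only the client-to-client and broadcast entries change: with isolation on, A's frame to B is dropped and A's broadcast leaves only on the wire, while LAN-to-client traffic is unaffected.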

Wireless client isolation, how it works and how it’s bypassed:

When you establish a wireless (WPA/WPA2 AES/TKIP) connection to your access point (AP/router), two keys are created: a unique key for unicast traffic, and a shared key for broadcast traffic that is shared with every PC that connects, known as the GTK.

When you send data to the AP it’s encrypted with your unicast key. The AP then decrypts this and uses the broadcast GTK to send the data to the next system on the wireless network.

When you enable client isolation on the AP it stops using the GTK to send data. Because everyone establishes a unique unicast key to send data with, you will no longer be able to see each other’s data.


Bypassing this takes a little more effort and understanding. Know that ARP traffic still gets broadcast across the network using the GTK so that DHCP can maintain clients.

If the ARP table is poisoned with a broadcast MAC on the client’s entry, you will force the client’s system to use the broadcast GTK when sending data. If the client’s system is fooled into using the GTK to send data, it can now be seen and you will bypass the client isolation.

Thus, if you set your local static ARP entry using the client’s IP with a broadcast MAC, your local system will think it’s sending broadcast traffic when talking to that client and use the GTK, allowing the client to see your traffic.

It will take about two minutes for DHCP to fix a poisoned ARP entry, so you will have to write a program that streams poisoned/fake ARPs to maintain visibility.

I acknowledge that some advanced APs have ARP control and layer 2 isolation where advanced tactics are needed, but we’re not talking about those guys, we’re talking about your SOHO.


AP Isolation and Net Isolation: What is it for in a WiFi Router

Some WiFi routers include functions to isolate wireless and wired clients. This improves the security of the network and of the WiFi and wired clients themselves, since it prevents some of the main attacks on data networks, such as the popular ARP spoofing. Some routers offer only the AP Isolation option, which affects only the WiFi network so that wireless clients cannot communicate with each other. Other routers also allow you to isolate the wired network in a new subnet. Do you want to know everything about AP Isolation and Net Isolation? Today we are going to explain both concepts in detail.

AP Isolation: isolation in WiFi network


AP Isolation is a router feature that isolates wireless clients from each other. If a WiFi client tries to reach the Internet, a wired computer, or a local NAS server connected by cable, it will be able to communicate without any problem; everything will work. If the same WiFi client tries to communicate with another wireless device on the same WiFi network, the communication is denied, because AP Isolation isolates the wireless clients from each other so that they cannot communicate.

Although this function is usually available and enabled by default on the routers' guest WiFi network, some manufacturers' firmware also offers this very useful functionality for the main network. For example, on an ASUS router we go to the "Advanced / Wireless / Professional Configuration" section, where we can enable AP Isolation for the main WiFi network on either 2.4GHz or 5GHz, since ASUS allows us to configure it individually per frequency band.

Other highly advanced and recommended routers, such as the AVM FRITZ!Box, also offer this configuration option for the main network. In this case, if we activate AP Isolation it affects both frequency bands (which is what we would expect; we want the option to apply to both bands). The configuration on this router is very simple: we enable the router's advanced view in the upper right, go to the "Wi-Fi / Security" section and find the option "The active wireless devices displayed here will be able to communicate with each other". If we disable this option, we are enabling AP Isolation.


Normally the router does not have AP Isolation enabled by default on the main network, so that wireless clients can communicate with each other.

This same configuration option is also available on professional access points and WiFi controllers, where it is usually called "Guest WiFi" when configuring an SSID.

By default, when we enable a guest WiFi network on our router, AP Isolation is always enabled; in fact, we may not even have the option to allow communication between the guest clients, but this depends on the firmware of the router in question.

Net Isolation: isolation in wired and WiFi network

Net Isolation is a router feature that isolates wireless clients from wired clients so that they cannot communicate with each other. If a WiFi client tries to reach a NAS server on the main LAN, it will not be able to, because it is isolated; the same happens with a wired client placed on a wired guest network, which cannot communicate with the main network. Routers implement this in one of two ways:

  • Communication between the connected devices is denied with ebtables / iptables rules.
  • A new subnet is created, isolated from the main subnet. This is the most elegant method, since all the "guest" clients live in their own subnet.

For example, ASUS routers use the first option: ebtables / iptables rules limit the communication of the devices on the guest WiFi network with the main network. If we do want them to access the LAN, we can always configure "Intranet Access" in the "General / Guest Network" section.

On AVM FRITZ!Box routers, the configuration of the WiFi and wired guest network is much more elegant and gives us more possibilities. For example, we can configure a private guest WiFi network, or create a public (open) WiFi network with authentication through a captive portal.

On this guest WiFi network we can also choose whether to enable AP Isolation. Bear in mind that the AVM FRITZ!Box creates a new subnet, separate from the main one, to accommodate all the guests, so we could allow communication between them without problems. By default we have the best security, that is, AP Isolation enabled. If we want to disable it, we must click the option "WiFi devices can communicate with each other".

The AVM FRITZ!Box also allows us to assign the LAN4 port to the guest network: it will have access to the Internet but not to the main local network. This is ideal for connecting one or more computers (using a switch) to the guest network while keeping them completely separated from the main network. You can find this very useful setting in the "Local network / Network / Network configuration" section.


In the same section, but at the bottom, we can click on "IPv4 addresses". Here we can change the subnet range of the main local network, and also of the secondary network discussed above. As you can see, the current network configuration is as follows:

Routing between the two subnets is not enabled, so from the guest WiFi network we will not be able to communicate with the main network; wireless and wired clients are fully isolated.

  • AP Isolation enabled + Net Isolation enabled: WiFi clients are isolated from each other (they cannot communicate) and access to the main network is not allowed.
  • AP Isolation enabled + Net Isolation disabled: WiFi clients are isolated from each other (they cannot communicate) and access to the main network is allowed.
  • AP Isolation disabled + Net Isolation enabled: WiFi clients can communicate with each other, but access to the main network is not allowed.
  • AP Isolation disabled + Net Isolation disabled: WiFi clients can communicate with each other and access to the main network is allowed.

Depending on what we need, some routers let us apply any of these combinations. We hope this guide has helped you to clarify the concepts of AP Isolation and Net Isolation.


Isolating Wi-Fi clients from the local network

Local network diagram

Today we will talk about a function that is very useful for public places: Wi-Fi isolation. Its purpose is that clients who connect over Wi-Fi and use the Internet access cannot work with local resources, be they computers, printers, network storage and so on. I mentioned public places for a reason: first of all, this is needed precisely by establishments such as cafes and pizzerias that let their visitors use the Wi-Fi connection for free. And there are plenty of other situations where this is necessary...

Since in most companies the system administrator, the person who builds the websites, the loader and the carpenter are one and the same person, we will take the path of least resistance, i.e. we will not bother with complex routing, but simply "tweak" the modem settings a little. On many routers the Access Point Isolation option is placed in a separate menu item and is not hard to find. We will look at this using the example of a D-Link 2640u modem with Russian firmware:

Log in to the settings in the usual way, at 192.168.1.1. Then, on the left, select Wi-Fi and then Basic settings. We should see the following screen:


There, as you have probably already guessed, you need to enable the "Client isolation" function. Once it is activated, users on the wireless connection will not be able to interact with each other or with the local network. Also note the function for enabling a guest wireless network: by enabling it we cut the Wi-Fi clients off from the "rest of the world". This kind of access is usually provided in hotels so that guests can use the Internet while being isolated from access to other resources.
