How to make network hosts not see each other, but only the gateway?
Good afternoon.
There is a task to provide Internet access over WiFi (about 1-5 thousand clients are expected). The entire infrastructure is already in place (based on Ubiquiti and HP access points). The infrastructure puts the gateway and the clients into a single network. The gateway runs a home-made captive portal built on iptables, but that is not very relevant to the question.
The gateway hands out IP addresses in this network (currently from the 10.240.0.0/255.240.0.0 network).
The problem is that users of the network "see" each other. Not all users are able to protect themselves on the network, so I would like to shield them.
The network administrator is still looking for the right solution here: a way to block intra-network communication using the Ubiquiti and HP settings. So far without success.
Question: can this problem somehow be solved with network settings?
For example, it might help to hand out addresses with a 255.255.255.255 mask; then the hosts would send everything to the gateway, which would filter as needed. But I doubt that with such a mask they would send anything to the gateway at all.
Or another option: give each client a micro-network of 4 addresses (fortunately, there is enough address space). But I have no idea how to set that up (5000 networks in /etc/network/interfaces on the gateway?).
Thanks in advance.
In fact, many access points have a "Client isolation" option (also called wireless isolation, AP isolation and other names). This option isolates the traffic of the WiFi clients from each other within the access point. - https://www.howtogeek.com/179089/lock-down-your-wi...
Now it only remains to isolate the access points themselves from each other. To do this, you can create a VLAN per access point.
And put an L3 switch (or switches) in the middle so that it handles the routing between these VLANs.
Put a big DHCP server (preferably two, with failover) in the middle, and on the switches configure DHCP proxy/relay for the relevant VLANs.
And, to avoid managing routes by hand, I would also bring up OSPF.
Oh yes, D-Link has Asymmetric VLAN and Traffic Segmentation features. Other manufacturers probably have the same.
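As an added example (not from any of the posters), assume the L3 routing "in the middle" is done by a Linux box with one VLAN sub-interface per access point (vlan101 to vlan105, an assumed naming) and eth0 as the uplink toward the gateway/captive portal. AP client isolation covers clients on the same access point; the nftables forward policy below covers the routed hop, letting each client VLAN reach only the uplink and never another client VLAN. A pure-shell model of the same policy is included so the verdict for any interface pair can be checked without root or nft.

```shell
#!/bin/sh
# Added example: inter-VLAN isolation policy for a Linux box routing between
# per-AP client VLANs. Interface names below are assumptions, not from the thread.
UPLINK=eth0                                            # toward the Internet gateway
CLIENT_VLANS="vlan101 vlan102 vlan103 vlan104 vlan105" # one VLAN per access point

# Emit the nftables ruleset. Apply it as root with: gen_ruleset | nft -f -
gen_ruleset() {
    set_body=""
    for v in $CLIENT_VLANS; do set_body="${set_body:+$set_body, }\"$v\""; done
    cat <<EOF
table inet isolation {
    set client_vlans {
        type ifname
        elements = { $set_body }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # return traffic of flows that were already allowed
        ct state established,related accept
        # a client VLAN may only leave through the uplink
        iifname @client_vlans oifname "$UPLINK" accept
        # new flows between two client VLANs are dropped and counted
        iifname @client_vlans oifname @client_vlans counter drop
    }
}
EOF
}

# Pure-shell model of the same policy for a NEW flow entering on $1 and
# leaving on $2 (established/related return traffic is not modelled).
forward_verdict() {
    in_if=$1; out_if=$2
    case " $CLIENT_VLANS " in *" $in_if "*)  in_client=1 ;; *) in_client=0 ;; esac
    case " $CLIENT_VLANS " in *" $out_if "*) out_client=1 ;; *) out_client=0 ;; esac
    if [ "$in_client" = 1 ] && [ "$out_if" = "$UPLINK" ]; then
        echo accept
    elif [ "$in_client" = 1 ] && [ "$out_client" = 1 ]; then
        echo drop          # client-to-client across VLANs: explicitly dropped
    else
        echo drop          # chain policy: anything not listed is dropped
    fi
}
```

Because the chain policy is drop, unsolicited flows from the uplink toward a client VLAN are also refused; the conntrack rule is what lets replies back in.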
I don't have the hardware on hand, but in my "feng shui" style I would make dynamic VLANs for users.
Split the large pool into subnets with at least a 24-bit mask and group them into VLANs.
More radically: push HIPS and MSE software out to every user's computer via AD (at minimum the built-in Windows one, using group policies). ARP will still get through, but block everything above it.