Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_options:use_cases:wifi_hotspot_session_management:start [2024/08/07 16:33] – elena.krasnobryzh
+++ en:dpi:dpi_options:use_cases:wifi_hotspot_session_management:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
@@ Line 1: / Line 1: @@
-{{indexmenu_n>6}}
-====== Configuring GUI, SSG, and WiFi HotSpot with Session Management Enabled ======
-===== Network Topology =====
-  - Connect the equipment according to the network topology.\\ {{ :dpi:dpi_options:use_cases:img1.jpg?nolink&700 |}}
-===== Authorization Sequence =====
-  - The subscriber connects to the WiFi network
-  - A welcome page appears informing the subscriber to open a browser and identify themselves
-  - The subscriber opens a browser, and upon navigating to any URL, they are redirected to the identification page
-  - The subscriber enters their phone number and requests an access code
-  - The access code is sent to the phone number via SMS
-  - The subscriber enters the received access code
-  - Session cookies are recorded on the subscriber's device for a specified period, and the subscriber is redirected to the requested URL
-===== Setting Up Virtual Machines (VM) =====
-  - Create two virtual machines with the following minimum specifications:
-    * VM ''dpiui_vm'' – 1 CPU, 2GB RAM, 50GB hard disk, Guest OS CentOS 7, NIC 1
-    * VM ''cp_wifi_vm'' – 1 CPU, 1GB RAM, 30GB hard disk, Guest OS CentOS 7, NIC
-  - Install the latest version of CentOS 7 (build-2009 at the time of writing) on both virtual machines. Choose minimal installation during setup.\\ After OS installation, open the console and install packages on both VMs: first <code bash>yum install epel-release</code> and then: <code bash>yum install nano tcpdump openssh-server openssh-clients</code>
-  - Disable SELinux on both VMs:
-    * Edit the file ''/etc/sysconfig/selinux''
-    * Set the parameter ''SELINUX=disabled'' and reboot the VM
-===== Installing and Configuring dpiui_vm =====
-  - Install DPIUI on ''dpiui_vm'' following the [[en:dpi:dpi_components:dpiui:install_and_update:install:start|instructions]]
-  - Configure the network on both VMs and SSG:<code bash>BOOTPROTO=static
-ONBOOT=yes
-IPADDR=10.0.0.x
-NETMASK=255.255.255.0
-GATEWAY=10.0.0.1
-DNS1=10.0.0.2</code> ''IPADDR'' — specify for each host according to the scheme (or use your own addressing).
-  - Log in to the GUI and add both VMs and SSG in the "EQUIPMENT" section, following the [[en:dpi:dpi_components:dpiui:user_guide:admin_section:equipment_management:start|instructions]]:
-===== Installing and Configuring cp_wifi_vm =====
-  - Install the ''wifi_hotspot'' package on the ''cp_wifi_vm'' VM following the [[en:dpi:dpi_components:module_wi-fi_hotspot:start|instructions]]:
-  - Edit the configuration file for Hotspot:<code bash>nano /var/www/html/wifi_hotspot/backend/.env</code> Change/add only these lines:
-    - **''AAA_HOTSPOT_IP – 10.0.0.4''**\\ NAS server address, IPv4/IPv6, if unknown — 0.0.0.0
-    - **''AAA_HOTSPOT_PORT – 0''**\\ NAS server port, number, if unknown — 0
-    - **''AAA_HOTSPOT_ID – 2''**\\ Network access point ID, integer between 0 and 1000, must be filled in for public WiFi access points, corresponds to the access point ID in field 1 from the access point export
-    - **''AAA_EXPORT_ENABLED=1''**\\ Enable AAA export
-    - **''AUTH_CODE_LENGTH=4''**\\ Change the number of characters in the SMS authorization code
-If the parameter ''AUTH_CODE_LENGTH'' is set, then in the file ''/var/www/html/wifi_hotspot/frontend/env.js'' set the value:<code bash>AppEnv.AuthCodePlaceHolder = "0000";</code>
-Finally, run the command:<code bash>php /var/www/html/wifi_hotspot/backend/artisan queue:restart</code>
-===== Installing and Configuring dhcp-isc on cp_wifi_vm =====
-  - Install the ''dhcp-isc'' package: <code bash>yum install dhcp expect</code>
-  - Configure the static ARP scripts and the ''dhcpd.conf'' configuration file:
-    * First, the ''dhcpd'' configuration file: <code bash>nano /etc/dhcp/dhcpd.conf</code> Set your values for ''option domain-name'' and ''option ntp-servers''!<code bash>ddns-update-style none;
-authoritative;
-db-time-format local;
-log-facility local7;
-subnet 100.64.0.0 netmask 255.255.252.0 {
-  range 100.64.0.3 100.64.3.254;
-  default-lease-time 600;
-  max-lease-time 600;
-  option subnet-mask 255.255.252.0;
-  option broadcast-address 100.64.3.255;
-  option routers 100.64.0.1;
-  option ntp-servers <ntp-server>;
-  option domain-name-servers 10.0.0.2;
-  option domain-name "name.local";
-  on commit {
-      set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
-      set ClientMac = concat (
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2));
-      log(concat("Request: IP: ", ClientIP, " Mac: ", ClientMac));
- execute("/usr/local/etc/dhcpd/clients_add_drop.sh", "add", ClientIP, ClientMac);}
-  on release {
-      set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
-      set ClientMac = concat (
-      suffix (concat ("0", binary-to-ascii (16, 8, "",
-substring(hardware,1,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
-      suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2));
-      log(concat("Release: IP: ", ClientIP, " Mac: ", ClientMac));
-      execute("/usr/local/etc/dhcpd/clients_add_drop.sh", "drop_rls", ClientIP, ClientMac);}
-  on expiry {
-      set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
-      log(concat("Timeout: IP: ", ClientIP));
-      execute("/usr/local/etc/dhcpd/clients_add_drop.sh", "drop_exp", ClientIP);}
-}
-subnet 10.0.0.0 netmask 255.255.255.0 {
-}</code>Create directories and change their permissions:<code bash>mkdir /usr/local/etc/dhcpd/ && chown dhcpd:dhcpd /usr/local/etc/dhcpd/
-touch /usr/local/etc/dhcpd/clients_add_drop_mysql.sh && touch /usr/local/etc/dhcpd/clients_add_drop.sh
-&& chown dpiacc:dpiacc /usr/local/etc/dhcpd/*
-chmod 755 /usr/local/etc/dhcpd/
-chmod 755 /usr/local/etc/dhcpd/*</code>Next, copy the following script to ''/usr/local/etc/dhcpd/clients_add_drop.sh'':<code bash>#!/usr/bin/expect -f
-set METHOD [lindex $argv 0]
-set IP_ADDR [lindex $argv 1]
-set MAC_ADDR [lindex $argv 2]
-set MAC_ADDR [string toupper $MAC_ADDR]
-#Client interface on Mikrotik:
-set INT_ClIENT "vWifi"
-set status 0
-#Recording dhcp-lease (start and end) in the Hotspot database
-spawn /usr/local/etc/dhcpd/./clients_add_drop_mysql.sh "$METHOD" "$IP_ADDR" "$MAC_ADDR"
-expect "end_mysql";
-#Connecting to the router
-spawn ssh -i /usr/local/etc/dhcpd/.ssh/id_rsa admin+t@100.64.0.1 -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null
-expect {
-    "password:" {send "\n";}
-    "timeout" {set status 1;}
-    ">" {}
-}
-if { $METHOD == "add" && $status == 0} {
-send "ip arp add address=$IP_ADDR mac-address=$MAC_ADDR interface=$INT_ClIENT\r";
-expect ">";
-send "ip firewall address-list remove \[find address=$IP_ADDR list=DROP_CLIENTS\]\r";
-expect ">";
-send "log info \"ADD: $IP_ADDR -- $MAC_ADDR\"\r";
-expect ">"
-send "quit\r";
-expect eof
-} elseif { $METHOD == "drop_rls" && $status == 0} {
-send "ip arp remove \[find mac-address=$MAC_ADDR\]\r";
-expect ">";
-send "ip firewall address-list add address=$IP_ADDR list=DROP_CLIENTS\r";
-expect ">";
-send "log info \"DROP_RLS: $IP_ADDR -- $MAC_ADDR\"\r";
-expect ">"
-send "quit\r";
-expect eof
-} elseif { $METHOD == "drop_exp" && $status == 0} {
-send "ip arp remove \[find address=$IP_ADDR\]\r";
-expect ">";
-send "ip firewall address-list add address=$IP_ADDR list=DROP_CLIENTS\r";
-expect ">";
-send "log info \"DROP_EXP: $IP_ADDR\"\r";
-expect ">"
-send "quit\r";
-expect eof
-} elseif {$status == 0} {
-send "quit\r";
-expect eof
-exit 1;
-}
-set status 0
-#Connecting to SSG and adding static subscriber record
-spawn ssh -i /usr/local/etc/dhcpd/.ssh/id_rsa dpisu@10.0.0.6 -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null
-expect {
-    "password" {send "\r"}
-    "timeout" {set status 1; exit 4}
-    "\$" {}
-}
-if {$status == 0} {
-send "/var/dpiui2/add_captive_portal_auth_ivstar.sh $IP_ADDR\r"
-expect "\$"
-send "exit\r";
-expect eof
-}</code>And copy the following script to ''/usr/local/etc/dhcpd/clients_add_drop_mysql.sh'' for adding ''dhcp-lease'' data to the Hotspot database:<code bash>#!/bin/bash
-METHOD=$1
-IP_ADDR=$2
-MAC_ADDR=$3
-MYSQL_CONNECT_LEASEDB="mysql -u root -pvasexperts -Dwifi_hotspot -h 127.0.0.1"
-if [ "$METHOD" = "add" ]; then
-    echo "insert into hotspot_aaa(TYPE,MAC,IP) values("1",\""$MAC_ADDR"\",\""$IP_ADDR"\");" | $MYSQL_CONNECT_LEASEDB
-elif
-   [ "$METHOD" = "drop_rls" ]; then
-    echo "insert into hotspot_aaa(TYPE,MAC,IP) values("2",\""$MAC_ADDR"\",\""$IP_ADDR"\");" | $MYSQL_CONNECT_LEASEDB
-elif
-   [ "$METHOD" = "drop_exp" ]; then
-    echo "insert into hotspot_aaa(TYPE,MAC,IP) values("2",\"""\",\""$IP_ADDR"\");" | $MYSQL_CONNECT_LEASEDB
-fi
-echo "end mysql"</code>Enable the ''dhcpd'' server and add a firewall rule:<code bash>systemctl enable dhcpd
-systemctl start dhcpd
-firewall-cmd --permanent —add-service=dhcp
-firewall-cmd --reload</code>
-  - Create a script for transferring the session file to FTP:<code bash>mkdir  /srv/aaa/
-mkdir  /srv/aaa/processed/
-mkdir  /srv/aaa/script/
-touch /srv/aaa/script/script.sh</code>Copy the content into ''/srv/aaa/script/script.sh'':<code bash>#!/bin/bash
-FTP_ADDR="<ip ftp>"
-FTP_USER="<user ftp>"
-FTP_PASS="<password ftp>"
-#Directory with AAA Hotspot
-DIR="/var/www/html/wifi_hotspot/backend/storage/aaa_events"
-ls $DIR | while read f; do
-    curl --user $FTP_USER:$FTP_PASS --upload-file $DIR
-/$f ftp://$FTP_ADDR/ISP/aaa/  > /dev/null 2>&1
-    mv $DIR/$f /srv/aaa/processed</code>and add to cron:<code bash>crontab -e
-*/5 * * * * /srv/aaa/script/script.sh</code>
-  - Create an SSH key pair:<code bash>mkdir usr/local/etc/dhcpd/.ssh && cd usr/local/etc/dhcpd/.ssh
-ssh-keygen -t rsa</code>
-Leave the passphrase empty.\\
-**Attention! Transfer id.pub to SSG (10.0.0.6) and Mikrotik (100.64.0.1)!**
-  * SSG (10.0.0.6): transfer the file via SSH to SSG and add it to ''authorized_keys'' <code bash>cat id.pub >>  ~/.ssh/authorized_keys</code>
-  * Mikrotik (100.64.0.1): transfer the file via SSH or through the Web interface and import it: <code bash>user ssh-keys import public-key-file=id.pub user=admin</code>
-=====Configuring SSG=====
-  - Configure the DB for users on SSG: <code bash>nano /etc/dpi/fastdpi.conf
-udr=1</code>
-  - Set up filtering based on the federal list: <code bash>black_list_sm=0
-federal_black_list=1
-#redirect to page
-black_list_redirect=http://block.lan/</code>
-  - Set the default class: <code bash>class_order=0</code>
-  - Enable IPFIX export:
-    * Configure the ''eth1'' interface: ''nano /etc/sysconfig/network-scripts/ifcfg-eth1'' <code bash>BOOTPROTO=none
-ONBOOT=yes
-IPADDR=<ip address>
-PREFIX=24</code> <code bash>netflow=8
-netflow_dev=eth1
-netflow_timeout=20
-netflow_full_collector_type=2
-netflow_full_collector=127.0.0.1:1500
-netflow_passive_timeout=10
-netflow_active_timeout=20
-netflow_rate_limit=30
-ipfix_dev=eth1
-ipfix_tcp_collectors=<ip:port ipfix collectors>
-ipfix_meta_tcp_collectors=<ip:port ipfix collectors>
-ipfix_observation=127
-ipfix_dns_tcp_collectors=<ip:port ipfix collectors>
-ipfix_nat_udp_collectors=<ip:port ipfix collectors></code>
-  - Minimize traffic in class 7: <code bash>tbf_class7=rate 1kbit
-tbf_inbound_class7=rate 1kbit</code>
-  - Enable redirect to Captive portal: ''cp_server=10.0.0.4 (ip cp)''
-  - Disable NAT for private addresses: ''nat_exclude_private=1''
-  - Other SSG settings: <code bash>ctrl_port=29000
-ctrl_dev=lo
-scale_factor=1
-num_threads=2
-class_order=0
-mem_tracking_flow=1500000
-mem_tracking_ip=3000000
-http_parse_reply=1
-rlimit_fsize=32000000000</code>
-  - Replace the content of the script ''/var/dpiui2/add_captive_portal_auth_ivstar.sh'' with the following: <code bash>#!/bin/sh
-fdpi_ctrl load --service 5 --profile.name='hotspot_white_list_profile' --ip $1
-fdpi_ctrl load --service 11 --profile.name='NAT_PUBLIC_WIFI' --ip $1
-fdpi_ctrl load --policing --profile.name='wifi_hotspot_auth_policing' --ip $1</code>
-  - Add the public key for Hotspot access to SSG in the file ''/home/dpisu/.ssh/authorized_keys'': <code bash>#!/bin/sh
-fdpi_ctrl load --service 5 --profile.name='hotspot_white_list_profile' --ip $1
-fdpi_ctrl load --service 11 --profile.name='NAT_PUBLIC_WIFI' --ip $1
-fdpi_ctrl load --policing --profile.name='wifi_hotspot_auth_policing' --ip $1</code>Save all changes in the file ''/etc/dpi/fastdpi.conf'' and perform a ''reboot''.
-  - Configure the ''eth0'' interface for access to Hotspot and DPIUI: <code bash>nano /etc/sysconfig/network-scripts/ifcfg-eth0</code> <code bash>BOOTPROTO=none
-ONBOOT=yes
-IPADDR=10.0.0.6
-PREFIX=24
-DNS1=10.0.0.2</code>
-=====Configuring DPI and Hotspot via DPIUI=====
-Configuring prioritization by protocols.
-. Go to the DPI Management tab → PROTOCOL PRIORITIZATION (DSCP) → Editor
-  * cs0 – what we pass through
-  * cs1 – what we throttle by tariff
-  * cs7 – what we globally throttle <code bash>Bittorrent cs7
-default cs1
-dns cs0
-http cs0
-https cs0</code>
-. CG-NAT on SSG:\\ Go to the Services Management tab → Services → CGNAT\\ Create a profile:\\ Description: ''NAT_WIFI''\\ Type: ''CGNAT''\\ NAT IP pool: ''<public ip>''\\ Number of TCP sessions: ''1000'' (per subscriber)\\ Number of UDP sessions: ''1000'' (per subscriber)
-**Hotspot Configuration:**
-  - Go to the Services Management tab → Hotspot\\ Web server: ''WiFi-Hotspot'' (VM ''cp_wifi_vm'' previously set up in DPIUI)\\ Captive portal URL: ''https://10.0.0.4'' (cp url)\\ Session lifetime: ''36000''\\ Redirect URL: ''https://google.ru'' (redirect page after successful authorization)
-  - Enable WiFi and SMS authorization\\ SMS authorization through sms.ru service:\\ Method: ''Post''\\ URL: ''https://sms.ru/sms/send''
-  - Body (From): <code bash>api_id  =  <id from sms.ru personal account>
-to  =  [PHONE]
-msg  =  Your code for WIFI: [CODE]</code>
-**Hotspot Tariffs (in the editor):**
-  - Tariff for authorization:<code bash>htb_inbound_root=rate 5mbit ceil 5mbit burst 2500kbit cburst 2500kbit
-htb_inbound_class0=rate 8bit ceil  5mbit burst 8bit cburst 2500kbit
-htb_inbound_class1=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_inbound_class2=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_inbound_class3=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_inbound_class4=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_inbound_class5=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_inbound_class6=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_inbound_class7=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_root=rate 100kbit ceil 100kbit burst 50kbit cburst 50kbit
-htb_class0=rate 8bit ceil  100kbit burst 8bit cburst 50kbit
-htb_class1=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_class2=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_class3=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_class4=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_class5=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_class6=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_class7=rate 8bit ceil  8bit burst 8bit cburst 8bit</code>
-  - Tariff for free WiFi:<code bash>htb_inbound_root=rate 10mbit ceil 10mbit burst 5mbit cburst 5mbit
-htb_inbound_class0=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_inbound_class1=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_inbound_class2=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_inbound_class3=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_inbound_class4=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_inbound_class5=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_inbound_class6=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_inbound_class7=rate 8bit ceil  8bit burst 8bit cburst 8bit
-htb_root=rate 10mbit ceil 10mbit burst 5mbit cburst 5mbit
-htb_class0=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_class1=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_class2=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_class3=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_class4=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_class5=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_class6=rate 8bit ceil  10mbit burst 8bit cburst 5mbit
-htb_class7=rate 8bit ceil  8bit burst 8bit cburst 8bit</code>
-. Services:\\
-Go to Services Management, enable CGNAT, and select the NAT_WIFI profile.
-. Allow list:\\
-Go to the Services Management tab → Services → Block lists and Allow lists.\\
-Select the desired profile and create a list: ''ip 10.0.0.4 (cp ip)''\\
-If there is a DNS record for CP, add it as: ''cn example.com''\\
-Save settings through the interface.
-Here's the configuration for Mikrotik and Unifi Network:
----
-### Mikrotik Configuration (100.64.0.1)
-- **Configure Client Interface on Mikrotik:**
-  Upgrade to Router OS 6.48.x
-  ```bash
-  /interface vlan
-  add arp=reply-only arp-timeout=10m interface=sfp1 name=vWifi vlan-id=40
-  /ip settings
-  set icmp-rate-limit=5 rp-filter=strict
-  /ip address
-  add address=100.64.0.1/22 interface=vWifi network=100.64.0.0
-  /ip dhcp-relay
-  add dhcp-server=10.0.0.4 disabled=no interface=vWifi local-address=100.64.0.1 name=relay1
-  /ip dns
-  set servers=10.0.0.2
-  /ip route
-  add distance=1 dst-address=10.0.0.4/32 gateway=<specify gateway> pref-src=100.64.0.1
-  /system clock
-  set time-zone-name=Europe/Moscow
-  /system ntp client
-  set enabled=yes primary-ntp=<specify ntp server>
-  /tool bandwidth-server
-  set authenticate=no enabled=no
-  ```
-- **Configure IP Connectivity between DHCP/Hotspot and Mikrotik**
-### Unifi Network Configuration
-- **Configure Ubiquiti Access Points:**
-  * Install Unifi Network on the server.
-  * Configure DHCP to provide settings to the access points.
-  * If the access points and controller are in different subnets, specify option 43 in DHCP with the controller IP address in hex format. Refer to: [UniFi Device Adoption Methods](https://help.ui.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers).
-    * **Note:** Switch to the old interface by toggling the switch in System Settings → New USER Interface.
-- **Configure Network and Additional Settings:**
-  * Go to Settings → Network
-    * Create a new network with VLAN 40, name it `WiFi-Client`, set the gateway as `100.64.0.1/22`, and configure other options as desired.
-  * Go to Settings → Guest Control
-    * In Pre-Authorization Access, specify the IP of the Hotspot (10.0.0.4).
-  * Go to Settings → Wireless Networks
-    * Create a WiFi network.
-    * Open ADVANCED OPTIONS.
-    * Enter any name/SSID.
-    * Check Enabled.
-    * Check Open.
-    * Check Guest Policy.
-    * Select `WiFi-Client` in Network.
-    * Check Block LAN to WLAN Multicast and Broadcast Data.
-    * Check Allow BSS Transition with WNM.
-    * Check Block Tunneled Link Direct Setup (TDLS) connections.
-    * Check Isolate stations on layer 2 (ethernet) level.
-    * Click Save.

Differences

What were you trying to find?