I have OpenWRT 22.03.7 on a Netgear GS108T v3.
I will use the switch as a LAN switch, without a WAN interface and/or Internet connection.
My goal is to bridge all but:
When I broadcast (dest IP x.x.x.255) a UDP packet destined to port 30000 from a device plugged into physical port 3, I don't want the device plugged into physical port 4 to receive it. All other plugged-in devices have to receive it.
And I want a device plugged into physical port 5 to receive only UDP packets destined to port 50000, while all other plugged-in devices receive everything.
As an exercise I set up /etc/config/network as 2 bridged subnets:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'
config globals 'globals'
    option ula_prefix 'fd93:4551:c672::/48'
config device
    option name 'br-home'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'
config device
    option name 'br-office'
    option type 'bridge'
    list ports 'lan5'
    list ports 'lan6'
    list ports 'lan7'
    list ports 'lan8'
config interface 'home'
    option device 'br-home'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'
config interface 'office'
    option device 'br-office'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.1.1'
And I see that packets transmitted from a device plugged into ports 1..4, destined to IP 255.255.255.255 port 30000, are received by devices plugged into ports 1..4 but not by devices plugged into ports 5..8.
Then I set /etc/config/firewall to have 2 zones, one linked to the first interface and one to the second, and allowed forwarding from each to the other. Then I set a rule from all to all to accept packets with destination port 30000.
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option synflood_protect '1'
    option forward 'ACCEPT'
config zone
    option name 'zonehome'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'home'
config zone
    option name 'zoneoffice'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'office'
config rule
    option src '*'
    option dest '*'
    option target 'ACCEPT'
    option name 'allow30000'
    option dest_port '30000'
config forwarding
    option src 'zonehome'
    option dest 'zoneoffice'
config forwarding
    option src 'zoneoffice'
    option dest 'zonehome'
But I don't see the packets originated by a device plugged into ports 1..4 received by a device plugged into ports 5..8.
After resolving this issue I can go ahead and complete the settings; anyway, my goal is as said before, so ideally the network could be made of plugged-in devices all in a single subnet (e.g. 192.168.0.0/24), but one of them will not receive packets destined to port 30000 and one of them will receive only packets destined to port 50000.
You may need to use something like bridge firewall. This is for fw3 and I don't know if it works with fw4. It's also a rather uncommon use of the firewall; I have never used this.
Same comment as above.
A switch like this is not a good choice for routing and firewall functions as the CPU is generally very weak. It may be fine for the very limited things you are trying to do, but do not expect good bandwidth (~20Mbps or so for any inter-vlan routing, not sure what you can expect with the bridge firewall if you can get it to work).
DSA cannot currently set up 2 independent bridges on the same switch. Therefore, you want to use a single bridge + bridge-vlans. Edit your config so that all ports are in one bridge:
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'
    list ports 'lan5'
    list ports 'lan6'
    list ports 'lan7'
    list ports 'lan8'
Then create two bridge-VLANs:
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan5:u*'
    list ports 'lan6:u*'
    list ports 'lan7:u*'
    list ports 'lan8:u*'
Reset to a single bridge, made the suggested two bridge-VLANs and edited the interfaces -> OK
Kept forwarding allowed between the two zones (will this 'allow' further forwarding rules to be set? Or is forwarding already set? AFAIK no)
More, reading an introduction to nftables on a Red Hat page, I issued 'nft list ruleset' on my OpenWRT and checked that the rules that concern the network and firewall zones are already there.
So can I simply set a forwarding rule in /etc/config/firewall?
What I have already done is: installed 'kmod-nft-bridge' (I can see it in LuCI under System -> Software as Installed).
As you suggested I tried:
nft add table bridge filter
nft add chain bridge filter forward '{type filter hook forward priority -200; }'
nft add rule bridge filter forward iifname "br-lan.1" oifname "br-lan.2" ip daddr 255.255.255.255 udp dport 3000 counter drop
As you can see I changed iif and oif to names, and if you look at my previous reply to PSherman I think the names are correct. I changed the port to 3000 instead of 30000.
Then I issued:
uci commit firewall
service firewall restart
But a UDP packet sent to port 3000 from a device plugged into ports 1..4 doesn't arrive at a device plugged into ports 5..8.
I didn't do 'uci -q delete firewall.bridge' and 'uci set firewall.bridge="include"' ... as in the link's suggestions, but I think they are only to make the changes permanent.
More: something I've read: could it be necessary to add 'net.bridge.bridge-nf-call-iptables=1' to /etc/sysctl.conf to enable the bridge firewall to be used by nftables?
More: as PSherman said, it's not certain the bridge firewall works with fw4...
Sum: I'm stuck here without an idea, other than reading and trying things posted on the Internet.
Yes, until now I have been trying to transmit UDP packets destined to port 3000 from zonehome to zoneoffice.
And you are saying that with only these settings the packets have to be routed to zoneoffice?
I don't see them!
Hi there,
Something is moving... with the following setup:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'
config globals 'globals'
    option ula_prefix 'fd93:4551:c672::/48'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'
    list ports 'lan5'
    list ports 'lan6'
    list ports 'lan7'
    list ports 'lan8'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3'
    list ports 'lan4:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan2'
    list ports 'lan3:u*'
    list ports 'lan4'
    list ports 'lan5:u*'
    list ports 'lan6:u*'
    list ports 'lan7:u*'
    list ports 'lan8:u*'
config interface 'home'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'
config interface 'office'
    option device 'br-lan.2'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.1.1'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option synflood_protect '1'
    option forward 'ACCEPT'
config zone
    option name 'homezone'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'home'
config zone
    option name 'officezone'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'office'
config forwarding
    option src 'homezone'
    option dest 'officezone'
config forwarding
    option src 'officezone'
    option dest 'homezone'
The two VLANs can exchange UDP packets destined to IP 255.255.255.255 port 3000, for example.
Why was it not working before? Because of tagging/untagging/excluding.
So in the current configuration I have:
lan1: Untagged, primary, on vlan 1 and Excluded on vlan 2
lan3: Untagged on vlan 1 and Untagged, primary, on vlan 2
lan5: Excluded on vlan 1 and Untagged, primary, on vlan 2
What I see is that when transmitting from a device plugged into port 1, 3 or 5, the packet is received depending on the VLAN settings:
from lan1 to lan3 (VLAN1) OK, but not from lan1 to lan5 (VLAN1 Excluded)
from lan5 to lan3 (VLAN2) OK, but not from lan5 to lan1 (VLAN2 Excluded)
from lan3 to lan5 (VLAN2) OK, but not from lan3 to lan1 (VLAN2 Excluded)
So now I will play around a little with tagging/untagging/excluding and then try to set some firewall rules to deny destination packet ports depending on the physical destination LANs.
Maybe I'll achieve my goal.
PSherman and Pavel, thanks for now, I will post the solution later (if I get it!)
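An added example (my own code, not from the thread or OpenWrt): a small Python model of the DSA bridge-vlan membership in the last /etc/config/network above, which reproduces the reachability the poster reports (lan1 reaches lan3 but not lan5; lan5 and lan3 reach each other but not lan1). It assumes the DSA port-suffix meaning (no suffix = tagged member, ':u' = untagged, ':u*' = untagged plus PVID), that an untagged frame entering a port without a PVID is dropped, and that a broadcast floods to every other member port of the ingress VLAN.

```python
import re
# bridge-vlan sections copied from the /etc/config/network posted above
NETWORK_CONFIG = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3'
    list ports 'lan4:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan2'
    list ports 'lan3:u*'
    list ports 'lan4'
    list ports 'lan5:u*'
    list ports 'lan6:u*'
    list ports 'lan7:u*'
    list ports 'lan8:u*'
"""

def parse_bridge_vlans(text):
    """Return {vlan_id: {port: flag}}; flag is 't' (no suffix), 'u' or 'u*'."""
    vlans, members = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config bridge-vlan"):
            members = {}                      # new section: fresh port map
        elif m := re.match(r"option vlan '(\d+)'", line):
            vlans[int(m.group(1))] = members  # list ports lines fill it in
        elif m := re.match(r"list ports '([^:']+)(?::([ut]\*?))?'", line):
            members[m.group(1)] = m.group(2) or "t"
    return vlans

def pvid(vlans, port):
    """VLAN given to an untagged frame entering `port` (None = no PVID, dropped)."""
    return next((vid for vid, m in vlans.items() if m.get(port, "").endswith("*")), None)

def reachable(vlans, ingress):
    """Ports receiving an untagged broadcast from `ingress`, mapped to how the
    frame leaves them; ports excluded from the ingress VLAN never see it."""
    vid = pvid(vlans, ingress)
    if vid is None:
        return {}
    return {p: "tagged" if f == "t" else "untagged"
            for p, f in vlans[vid].items() if p != ingress}

if __name__ == "__main__":
    v = parse_bridge_vlans(NETWORK_CONFIG)
    for src in ("lan1", "lan3", "lan5"):
        print(f"{src} (PVID {pvid(v, src)}) -> {reachable(v, src)}")
```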