2 subnets and some forward between

Hi all,

I have OpenWRT 22.03.7 on a Netgear GS108T v3.
I will use the switch as a LAN switch, without a WAN interface and/or Internet connection.

My goal is to bridge everything, but:

  1. When I broadcast (dest IP x.x.x.255) a UDP packet destined to port 30000 from a device plugged into physical port 3, I don't want the device plugged into physical port 4 to receive it. All other plugged-in devices have to receive it.

  2. And I want a device plugged into physical port 5 to receive only UDP packets destined to port 50000, while all other plugged-in devices receive everything.

As an exercise I set up /etc/config/network as 2 bridged subnets:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:4551:c672::/48'

config device
        option name 'br-home'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'br-office'
        option type 'bridge'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'

config interface 'home'
        option device 'br-home'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'office'
        option device 'br-office'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

And I see that packets transmitted from a device plugged into ports 1..4, destined to IP 255.255.255.255 port 30000, are received by devices plugged into ports 1..4 but not by devices plugged into ports 5..8.

Then I set /etc/config/firewall to have 2 zones, one linked to the first interface and one to the second interface, and allowed forwarding in both directions. Then I set a rule from all to all to accept packets with destination port 30000.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'zonehome'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'home'

config zone
        option name 'zoneoffice'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'office'

config rule
        option src '*'
        option dest '*'
        option target 'ACCEPT'
        option name 'allow30000'
        option dest_port '30000'

config forwarding
        option src 'zonehome'
        option dest 'zoneoffice'

config forwarding
        option src 'zoneoffice'
        option dest 'zonehome'

But I don't see the packets originated by a device plugged into ports 1..4 being received by a device plugged into ports 5..8.

After resolving this issue I can go ahead and complete the settings. Anyway, my goal is as said before, so ideally the network could be made of plugged-in devices all in a single subnet (e.g. 192.168.0.0/24), but one of them will not receive packets destined to port 30000 and one of them will receive only packets destined to port 50000.

Thanks in advance for help!
Pietro

The version you are using is EOL. Please consider upgrading to the latest:
https://firmware-selector.openwrt.org/?version=23.05.5&target=realtek%2Frtl838x&id=netgear_gs108t-v3

You may need to use something like bridge firewall. This is for fw3 and I don't know if it works with fw4. And it's a rather uncommon use of the firewall. I have never used this.

Same comment as above.

A switch like this is not a good choice for routing and firewall functions as the CPU is generally very weak. It may be fine for the very limited things you are trying to do, but do not expect good bandwidth (~20Mbps or so for any inter-vlan routing, not sure what you can expect with the bridge firewall if you can get it to work).

DSA cannot currently set up 2 independent bridges on the same switch. Therefore, you want to use a single bridge + bridge-vlans. Edit your config so that all ports are in one bridge:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'

Then create two bridge-VLANs:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan5:u*'
        list ports 'lan6:u*'
        list ports 'lan7:u*'
        list ports 'lan8:u*'

Now edit the devices in the two networks:

config interface 'home'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'office'
        option device 'br-lan.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

This rule will not do anything at all, as you already have forwarding allowed between the two zones.

Thanks Psherman,

Upgraded firmware to 23.05.5 -> OK

Reset to a single bridge, made the suggested two bridge VLANs and edited the interfaces -> OK
Kept forwarding allowed between the two zones (does this 'allow' forwarding rules set later? Or is forwarding already set? AFAIK no)

Downloaded the package 'kmod-nft-bridge' from
https://downloads.openwrt.org/releases/23.05.5/targets/realtek/rtl838x/kmods/5.15.167-1-040d391394b36f9ba6b7b1889d15738a/
and installed with LuCI System->Software->Upload Package -> OK

And now?
As suggested in:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge?s[]=firewall
I read I have to 'nft add table.... ' but I don't know the syntax. Can I manage this with LuCI?
Or, if not, can you suggest a tutorial for geeks?

More, reading an introduction to nftables on a Red Hat page, I issued 'nft list ruleset' on my OpenWRT and checked that the rules concerning the network and firewall zones are already there.
Thus can I simply set a forwarding rule in /etc/config/firewall?

Forwarding is not already set by default. We need to see the configuration to know what you’ve done.

I have never used a bridge firewall configuration. I don’t know if it works with FW4.

In general, Bridge firewall is a bit of a different animal - but I’m not sure what you’re trying to set with the forwarding rule.

Try this:

nft add table bridge filter
nft add chain bridge filter forward '{type filter hook forward priority -200; }'
nft add rule bridge filter forward iif "lan3" oif "lan4" ip daddr 255.255.255.255 udp dport 30000 counter drop
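The same bridge-family rules as in the suggestion above, kept in a file so they can be reloaded with "nft -f" instead of retyped. This is an added example, not code from the thread or from OpenWrt; it assumes the switch ports are bridge members named lan3, lan4 and lan5 and that kmod-nft-bridge is installed, and it covers both goals from the first post (the second one with an ARP exception that is my assumption, not the poster's).

```shell
#!/bin/sh
# Constructed example: an nftables "bridge" family ruleset for the two goals
# stated in the first post, written to a file and loaded with "nft -f".
# Assumptions: ports lan3/lan4/lan5 are bridge members, kmod-nft-bridge is
# installed. The table is separate from fw4's "inet fw4", so it is not touched
# by "service firewall restart" but also not restored by it.
write_bridge_rules() {
    cat >"$1" <<'EOF'
#!/usr/sbin/nft -f
# (Re)create only this table so the file can be loaded repeatedly.
add table bridge filter
delete table bridge filter
table bridge filter {
    chain forward {
        type filter hook forward priority -200; policy accept;

        # Goal 1: a broadcast UDP datagram to port 30000 entering on lan3
        # must not reach lan4; every other port still receives it.
        iifname "lan3" oifname "lan4" ip daddr 255.255.255.255 udp dport 30000 counter drop

        # Goal 2: the device on lan5 receives only UDP datagrams to port 50000.
        # ARP is still let through (assumption: otherwise nobody could resolve
        # the MAC address of the lan5 device and no IP traffic would reach it).
        oifname "lan5" ether type arp accept
        oifname "lan5" udp dport 50000 accept
        oifname "lan5" counter drop
    }
}
EOF
}

# Load the file on the switch; on a machine without nft only the file is written.
load_bridge_rules() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found, ruleset only written to $1" >&2; return 0; }
    nft -f "$1" && nft list table bridge filter   # the counters show whether frames hit the rules
}
```

Whether the CPU sees these frames at all depends on the switch: if forwarding between bridge ports is done in the switch hardware, the bridge netfilter hooks never run for that traffic, and the rule counters stay at zero after a test packet.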

Not really.

This is the actual /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:4551:c672::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan5:u*'
        list ports 'lan6:u*'
        list ports 'lan7:u*'
        list ports 'lan8:u*'

config interface 'home'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'office'
        option device 'br-lan.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

And this is the /etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'zonehome'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'home'

config zone
        option name 'zoneoffice'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'office'

config forwarding
        option src 'zonehome'
        option dest 'zoneoffice'

As you suggested.
Then please see my reply to Pavel about the bridge firewall.

The config shown will allow the network on zonehome to initiate connections to zoneoffice, but not the other way around.

Routing between these networks will be very slow (max throughput likely around 20Mbps), but it will work.

Thanks Pavel for your interest, still no success but small steps forward.

I am reading a little bit on nftables and using this page as a starting point: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge?s[]=firewall

What I have already made is: installed 'kmod-nft-bridge' (I can see it in LuCI under System -> Software as Installed)

As you suggested I tried:
nft add table bridge filter
nft add chain bridge filter forward '{type filter hook forward priority -200; }'
nft add rule bridge filter forward iifname "br-lan.1" oifname "br-lan.2" ip daddr 255.255.255.255 udp dport 3000 counter drop
As you can see I changed iif and oif to names; if you look at my previous reply to PSherman, I think the names are correct. I changed the port to 3000 instead of 30000.

Then I issued:
uci commit firewall
service firewall restart
But a UDP packet sent to port 3000 from a device plugged into ports 1..4 doesn't arrive at a device plugged into ports 5..8.
I didn't run 'uci -q delete firewall.bridge' and 'uci set firewall.bridge="include"' ... as the link suggests, but I think they only serve to make the changes permanent.

More: something I've read: could it be necessary to add 'net.bridge.bridge-nf-call-iptables=1' to /etc/sysctl.conf to enable the bridge firewall to be used by nftables?

More: as PSherman said, it's not certain the bridge firewall works with fw4...

In sum: I'm stuck here without any idea other than reading and trying something posted on the Internet.

Yes, until now I have tried transmitting UDP packets destined to port 3000 from zonehome to zoneoffice.
And you are saying that with only these settings the packets should be routed to zoneoffice?
I don't see them!

Hi there,
something is moving... with the following setup:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:4551:c672::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2'
        list ports 'lan3:u*'
        list ports 'lan4'
        list ports 'lan5:u*'
        list ports 'lan6:u*'
        list ports 'lan7:u*'
        list ports 'lan8:u*'

config interface 'home'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'office'
        option device 'br-lan.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'homezone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'home'

config zone
        option name 'officezone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'office'

config forwarding
        option src 'homezone'
        option dest 'officezone'

config forwarding
        option src 'officezone'
        option dest 'homezone'

The two VLANs can exchange UDP packets destined to IP 255.255.255.255 port 3000, for example.
Why was that not working before? Because of tagging/untagging/excluding.
So in the actual configuration I have:
lan1: Untagged, primary, on vlan 1 and Excluded on vlan 2
lan3: Untagged on vlan 1 and Untagged, primary, on vlan 2
lan5: Excluded on vlan 1 and Untagged, primary, on vlan 2
What I see is that transmitting from a device plugged on port 1, 3 or 5, the packet is received depending on vlan settings:
from lan1 to lan3 (VLAN1) OK, but not from lan1 to lan5 (VLAN1 Excluded)
from lan5 to lan3 (VLAN2) OK, but not from lan5 to lan1 (VLAN2 Excluded)
from lan3 to lan5 (VLAN2) OK, but not from lan3 to lan1 (VLAN2 Excluded)

So now I will play around a little with tagging/untagging/excluding and then try to set some firewall rules to deny dest packet ports depending on physical dest lans.
Maybe I will achieve my goal.

PSherman and Pavel, thanks for now, I will post the solution later (if I get it!)
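A small model of the bridge-vlan membership from the last post, to show why lan1, lan3 and lan5 reach each other the way the poster observed. This is an added example, not code from the thread or from OpenWrt; it assumes that an untagged frame entering a port is assigned that port's PVID VLAN (the ':u*' entry) and is delivered to every other port that is a member of that VLAN, tagged or untagged.

```shell
#!/bin/sh
# Constructed example, not code from the thread: a model of the bridge-vlan
# membership from the last post, showing why some port pairs exchange frames and
# others do not. Assumption: an untagged frame entering a port is assigned that
# port's PVID VLAN (the ':u*' entry) and is delivered to every other member port
# of that VLAN, tagged or untagged; a port absent from that VLAN never sees it.
vlan_table() {
    cat <<'EOF'
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2'
        list ports 'lan3:u*'
        list ports 'lan4'
        list ports 'lan5:u*'
        list ports 'lan6:u*'
        list ports 'lan7:u*'
        list ports 'lan8:u*'
EOF
}

# can_reach SRC DST: prints "yes" if an untagged frame sent into SRC is
# delivered on DST, "no" otherwise (also when SRC has no PVID at all).
can_reach() {
    vlan_table | awk -v src="$1" -v dst="$2" -v q="'" '
        $1 == "option" && $2 == "vlan" { gsub(q, "", $3); vlan = $3 }
        $1 == "list" && $2 == "ports" {
            gsub(q, "", $3); n = split($3, f, ":")
            member[vlan, f[1]] = 1                            # any membership receives the VLAN
            if (n > 1 && index(f[2], "*")) pvid[f[1]] = vlan  # ":u*" marks the PVID
        }
        END {
            v = pvid[src]
            if (v != "" && src != dst && ((v, dst) in member)) print "yes"
            else print "no"
        }'
}

# The three observations in the post, in order: yes no / yes no / yes no
for pair in "lan1 lan3" "lan1 lan5" "lan5 lan3" "lan5 lan1" "lan3 lan5" "lan3 lan1"; do
    echo "$pair: $(can_reach $pair)"
done
```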