Blocking one local IP talking to another local IP

thencein · June 14, 2020, 3:59pm

Hi,

I need a quick sanity check to see whether I'm doing something wrong here:

I have a PC connected via ethernet to my openwrt router (PC 1).
I have a laptop connected via ethernet to my openwrt router (LAPTOP 1).

I wanted to put a firewall rule that blocks access FROM LAPTOP1 to any port, any protocol TO PC1 (a little like this):

Unfortunately, this rule doesn't work, so my question is: does traffic between two devices on the same network even hit the firewall in the first place or does the traffic flow through directly?

Jack007 · June 14, 2020, 4:11pm

I'm by no means an expert on Openwrt or networking but i think the firewall only works when the traffic crosses zones (like lan to wan).
You could put one of them in a separate zone.

mk24 · June 14, 2020, 4:23pm

Right as @Jack007 said, the firewall doesn't work that way. Connections within the same network are always allowed.

Besides, the router CPU doesn't even see ethernet to ethernet traffic, it is hardware switched.

thencein · June 14, 2020, 4:28pm

Thanks @Jack007 and @mk24 - I guess placing one device in a separate zone would also be futile if both are ethernet connected anyway?

I suppose the best thing to do would be to install firewall rules at the device OS level (e.g. on PC1)

Hegabo · June 14, 2020, 4:52pm

No, zones are "seen" by the router. Well, not the zones on their own; you will make an additional VLAN and assign to it the LAN port that's connected to the PC you want to isolate, then you configure the firewall to block the traffic between the languest and lan.

fantom-x · June 14, 2020, 5:22pm

A potentially simpler solution is to still use VLAN’s to create interfaces on each LAN port, put all interfaces into the same bridge, configure Netfilter to send all bridge traffic to Iptables, and then block cross-talk between the interfaces within the same bridge.

thencein · June 14, 2020, 7:03pm

I think for the time being, I'll try using a host-level firewall on the PC as I'm reluctant to start tinkering with VLANs.

For my understanding though...can VLANs only be created for 'physical ports'? For example, if I have a router with 4 ethernet ports, does that mean I can create a VLAN per port?

What if I have two wifi devices, A and B. Can I put A in a VLAN of its own and B in a separate VLAN of its own and then a "main VLAN" for my regular wifi traffic?

fantom-x · June 14, 2020, 7:29pm

Yes to all your questions.

Huzeifa88 · October 20, 2022, 8:32am

i wish there is a way to do this
here is my problem
i have 2 samsung printers k2200
they have various consumable chips like toner chip and drum chip
since they are connected in same network they communicate with each other
and share there consumable information
i have never thaught this would be possible but after checking indeed there is sharing of consumable
information
a toner chip is a read only eeprom when i introduce a new chip to a printer it will always believe its a new chip buy here coz they talk to one and another, i cant use a used toner chip from one printer add it to new printer coz they keep track of all the consumable on the network
so i am loosing chips fast at an alarming rate, it would be so good if i could just block them from talking to each other on the same network