Using net.bridge.bridge-nf-call-iptables=1 doesn't seem to be a good idea anyway.
For example, traffic between the bridge ports will be treated as forwarded traffic.
I think this doesn't go well with the firewall zone setup/logic/concept and can break some things...?
But I'm not sure.
Better to use ebtables or the iptables physdev module.
The lan bridge is the default (eth0.1 - wlan0); a new interface covers wlan0 (protocol = none).
The AP behaves as if wlan0 traffic was not monitored by the firewall rule, while using tcpdump on wlan0, tcp port 80 is well trapped and monitored.
Try iptables -I ....
instead of iptables -A ....
I think *-mod-physdev needs kmod-br-netfilter.
Indeed, physdev doesn't work. Does it also need net.bridge.bridge-nf-call-iptables to be enabled?
So Jeff's suggestions would be the best options here.
Remove the wireless interfaces from the bridge and assign them into their own firewall zone.
But this will break things, like multicast for example?
So, the only option left is ebtables?
Sure, set it up like I did for the OP. I'm not sure why you need to test though - if you set up any WiFi interface and address it on any interface, it wouldn't get multicast from another. That's the same thing on a router.
However, for a newbie like me it wasn't that easy to capture all that you said.
I will recap the full process for others.
Tested using a fresh install of R18.06.2 with the default config, wlan bridged to lan, wlan in AP mode. Connected to the internet via ethernet and configured via LuCI, with some checking via the console.
Install ipsec (a warning says it is missing when performing a console 'service firewall restart'; maybe not mandatory, but I don't like pending warnings)
Edit interface and set it up as AP with usual info (country, channel….etc)
Enable the wireless (saves the config and creates the wireless interface)
Add new interface
Cover the following interface ‘wlan0’ (to be checked via console ‘ifconfig’)
Go to the firewall sheet and assign the firewall zone to ‘lan’
Network\Firewall\Custom Rules screen
Copy and paste the following line (assuming you want to block http and https)
iptables -I INPUT -p tcp -m multiport --dports 80,443 -m physdev --physdev-in wlan0 -j REJECT
The last operation is done using the console. It consists of modifying the 'net.bridge.bridge-nf-call-iptables' flag.
Current status of the flag can be checked using:
Permanent modification is obtained by editing the file /etc/sysctl.conf
and adding the line : net.bridge.bridge-nf-call-iptables=1
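Added example (not from any poster in this thread): a small POSIX sh helper that ties the recap's last steps together. It checks that the bridge netfilter flag is actually enabled before the physdev rule is applied (the thread notes physdev silently does nothing without kmod-br-netfilter and net.bridge.bridge-nf-call-iptables=1), validates the interface and port arguments, and composes the same INPUT rule using -I rather than -A, as suggested above. The sysctl path and module directory are overridable so the checks can be exercised without a router; `apply_physdev_block` is the only function that touches the running system and is never called at top level.

```shell
#!/bin/sh
# Added example for the recap above; assumes BusyBox/POSIX sh as on OpenWrt.
# Paths are variables so the checks can be run against constructed files.
BRNF_FLAG="${BRNF_FLAG:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
BRNF_MODULE_DIR="${BRNF_MODULE_DIR:-/sys/module/br_netfilter}"

# br_netfilter_loaded: 0 if the br_netfilter module (kmod-br-netfilter) is
# present in the kernel, 1 otherwise. The flag file only exists once it is.
br_netfilter_loaded() {
    [ -d "$BRNF_MODULE_DIR" ] || [ -r "$BRNF_FLAG" ]
}

# br_netfilter_ready: 0 only if the flag file is readable and contains "1",
# i.e. bridged frames are handed to iptables and physdev can match them.
br_netfilter_ready() {
    [ -r "$BRNF_FLAG" ] || return 1
    [ "$(cat "$BRNF_FLAG")" = "1" ]
}

# physdev_block_rule IFACE PORTS: print the iptables command that rejects TCP
# to PORTS (comma separated) for frames entering the bridge via IFACE.
# -I puts the rule ahead of the default accept rules in INPUT (-A would not).
physdev_block_rule() {
    iface="$1"
    ports="$2"
    case "$iface" in
        ''|*[!a-zA-Z0-9._-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    case "$ports" in
        ''|*[!0-9,]*) echo "bad port list: $ports" >&2; return 1 ;;
    esac
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -m physdev --physdev-in %s -j REJECT\n' \
        "$ports" "$iface"
}

# apply_physdev_block IFACE PORTS: load the module, enable the flag for the
# running system, and install the rule. Refuses to install the rule if the
# flag still reads 0, because the rule would then never match anything.
# Permanent setting of the flag is still done in /etc/sysctl.conf as above.
apply_physdev_block() {
    br_netfilter_loaded || modprobe br_netfilter || return 1
    br_netfilter_ready || sysctl -w net.bridge.bridge-nf-call-iptables=1 >/dev/null
    br_netfilter_ready || { echo "bridge-nf-call-iptables is still 0; physdev cannot match" >&2; return 1; }
    rule=$(physdev_block_rule "$1" "$2") || return 1
    # shellcheck disable=SC2086
    eval "$rule"
}
# Usage on the router (not run here): apply_physdev_block wlan0 80,443
```

Run `br_netfilter_ready || echo "flag off"` on the router after a reboot to confirm the /etc/sysctl.conf line was picked up; if it prints "flag off", the physdev rule is present in `iptables -L INPUT` but will never see wireless traffic.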
I've read this thread and still don't fully understand it. I have a rather difficult configuration on top of that. I'm using a WRT3200ACM with two main networks and two guest networks divided across two separate radios. My goal is to prevent LuCI/GUI access for all but the Ethernet. I believe that I need a separate VLAN and firewall zone but I'm not sure about the coding/configuration. My current VLAN configuration is the default for 18.06.5 and the switch part is the most confusing. I've read the manual for OpenWrt but I can't understand the difference between tagged/untagged/off and how it relates to internet traffic? To include how I use two CPU(ethx) effectively because the guest nets will rarely be on. Please, any guidance?