Using net.bridge.bridge-nf-call-iptables=1 doesn't seem to be a good idea anyway.
For example, traffic between the bridge ports will be treated as forwarded traffic.
I think this doesn't go well with the firewall zone setup/logic/concept and can break some things...?
But I'm not sure.
Better use ebtables or the iptables physdev module.
The lan bridge is the default one (eth0.1 - wlan0); a new interface is covering wlan0 (protocol = none).
The AP behaves as if wlan0 traffic were not monitored by the firewall rule, while with tcpdump wlan0 tcp port 80 it is well trapped and monitored.
@66enligne
Try iptables -I ....
instead of iptables -A ....
I think *-mod-physdev needs kmod-br-netfilter.
//edit
Indeed, physdev doesn't work. Does it also need net.bridge.bridge-nf-call-iptables to be enabled?
So Jeff's suggestions would be the best options here.
Remove the wireless interfaces from the bridge and assign them into their own firewall zone.
But this will break things, like multicast for example?
So, the only option left is ebtables?
physdev does work, net.bridge.bridge-nf-call-iptables should be enabled - just re-tested on a clean installation (18.06.5).
Using iptables -A is absolutely OK.
Sure, set it up like I did for the OP. I'm not sure why you need to test though - if you set up any WiFi interface and address it on any Interface, it wouldn't get multicast from another. That's the same thing on a router.
Are you sure that net.bridge.bridge-nf-call-iptables is needed?
With net.bridge.bridge-nf-call-iptables enabled, isn't it possible to use -i anyway?
So what is the purpose of physdev then?
However, for a newbie like me it wasn't that easy to capture everything you said.
I will recap the full process for others.
Tested using a fresh install of R18.06.2 with the default config (wlan bridged to lan, wlan in AP mode). Connected to the internet via ethernet and configured via LuCI, with some checking via the console.
System\Software screen:
Update list
Install ipsec (it is warned as missing when performing a console 'service firewall restart'; maybe not mandatory, but I don't like pending warnings)
Install iptables-mod-physdev
Wireless screen:
Edit the interface and set it up as an AP with the usual info (country, channel, etc.)
Enable the wireless (this saves the config and creates the wireless interface)
Network\Interface screen:
Add new interface
Name 'WhatYouWant'
Protocol 'unmanaged'
Cover the following interface: 'wlan0' (to be checked via console 'ifconfig')
Submit
Go to the firewall tab and assign the firewall zone 'lan'
Network\Firewall\Custom Rules screen:
Copy and paste the following line (assuming you want to block http and https):
iptables -I INPUT -p tcp -m multiport --dports 80,443 -m physdev --physdev-in wlan0 -j REJECT
The last operation is done from the console. It consists of modifying the 'net.bridge.bridge-nf-call-iptables' flag.
The current status of the flag can be checked using:
cat /proc/sys/net/bridge/bridge-nf-call-iptables
Permanent modification is obtained by editing the file /etc/sysctl.conf
and adding the line: net.bridge.bridge-nf-call-iptables=1
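To tie the recap steps together, here is an added example script (not from the thread, nor from OpenWrt) that applies the same settings from the console idempotently: it checks the bridge-nf-call-iptables flag, makes it persistent in /etc/sysctl.conf, and inserts the physdev rule only if it is not already present. It assumes iptables-mod-physdev and kmod-br-netfilter are installed and that it runs as root on the router; the interface and port values are the ones from the recap and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): the recap above as an idempotent script.
# Assumptions: iptables-mod-physdev + kmod-br-netfilter installed, run as root,
# wlan0 is the bridged wireless port (override via PHYSDEV_IFACE / BLOCKED_PORTS).

PHYSDEV_IFACE="${PHYSDEV_IFACE:-wlan0}"    # bridge port carrying the wireless clients
BLOCKED_PORTS="${BLOCKED_PORTS:-80,443}"    # LuCI over http and https
NF_CALL_FLAG="/proc/sys/net/bridge/bridge-nf-call-iptables"

# Rule body shared by -C (check), -I (insert) and -D (delete), so the rule is not
# duplicated every time the custom rules are re-run by 'service firewall restart'.
physdev_rule() {
    printf 'INPUT -p tcp -m multiport --dports %s -m physdev --physdev-in %s -j REJECT' "$2" "$1"
}

# Return 0 when the flag file reads 1, i.e. bridged frames are handed to iptables.
# Without it the physdev rule never sees the wireless traffic, as the thread found.
bridge_nf_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Line to add to /etc/sysctl.conf so the flag survives a reboot.
sysctl_line() {
    printf 'net.bridge.bridge-nf-call-iptables=1'
}

apply() {
    if ! bridge_nf_enabled "$NF_CALL_FLAG"; then
        echo 1 > "$NF_CALL_FLAG"
        # Append the sysctl line only if an identical line is not already there.
        grep -qxF "$(sysctl_line)" /etc/sysctl.conf 2>/dev/null \
            || echo "$(sysctl_line)" >> /etc/sysctl.conf
    fi
    rule=$(physdev_rule "$PHYSDEV_IFACE" "$BLOCKED_PORTS")
    # Word splitting of $rule is intended: it is the argument list for iptables.
    iptables -C $rule 2>/dev/null || iptables -I $rule
}

# Only touch the system when invoked as: sh block-wifi-luci.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Running it without the "apply" argument only defines the functions, so it can be sourced and inspected before anything is changed.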
Referring to my setup recap, there was a typo regarding the packages I suggested to install.
You must read 'ipset' instead of 'ipsec'.
Sorry for the confusion
I've read this thread and still don't fully understand it. I have a rather difficult configuration on top of that. I'm using a WRT3200ACM with two main networks and two guest networks divided across two separate radios. My goal is to prevent LuCI/GUI access for all but the Ethernet. I believe that I need a separate VLAN and firewall zone, but I'm not sure about the coding/configuration. My current VLAN configuration is the default for 18.06.5, and the switch part is the most confusing. I've read the manual for OpenWrt, but I can't understand the difference between tagged/untagged/off and how it relates to internet traffic, nor how to use the two CPU (ethx) ports effectively, because the guest nets will rarely be on. Please, any guidance?