physdev does work, net.bridge.bridge-nf-call-iptables should be enabled - just re-tested on the clean installation (18.06.5).
Using iptables -A is absolutely OK.
I would think so. Just easier to separate the interfaces, and make wlan0 its own OpenWrt enumerated interface. Then the rule works.
FYI, I noted this, and showed the OP screenshot in another thread that was hijacked:
Yes it would, as wlan0 would be on its own PHY/LAN.
Really, interesting, I didn't realize there was a hook to hit iptables on a bridge. Probably takes some extra CPUs. Glad you got it working!
Sure, set it up like I did for the OP. I'm not sure why you need to test though - if you set up any WiFi interface and address it on any Interface, it wouldn't get multicast from another. That's the same thing on a router.
Are you sure that net.bridge.bridge-nf-call-iptables is needed?
With net.bridge.bridge-nf-call-iptables enabled, isn't it possible to use -i anyway?
So what is the purpose of physdev then?
Sure. Sorry, I misinterpreted your earlier response.
Yes, I've performed my tests in sequence. Access was blocked only after I added a line to sysctl.conf and rebooted.
This is what I took from my search results; this pretty much explains things to me, will appreciate it if someone will provide a better explanation.
--physdev-in name
Name of a bridge port via which a packet is received
Self-explaining.
-i, --in-interface name
Name of an interface via which a packet was received
I guess that "interface" here is more like a standalone L3 interface.
And the final quote is:
When the sysctl net.bridge.bridge-nf-call-iptables=1 is set, bridged packets will traverse iptables rules.
Ok THX to all of you, the config is working now.
However for a newbie like me it wasn't that easy to capture all that you said.
I will recap the full process for others.
Tested using a fresh install R18.06.2 with default config, wlan bridged to lan, wlan in AP mode. Connected to the internet via ethernet and configuring via LuCI, some checking via console.
System\Software screen
Update list
Install ipsec (warned to be missing when performing a console "service firewall restart"; maybe not mandatory, but I don't like pending warnings)
Install iptables-mod-physdev
Wireless screen
Edit interface and set it up as AP with the usual info (country, channel, etc.)
Enable the wireless (saves the config and creates the wireless interface)
Network\Interface screen
Add new interface
Name "WhatYouWant"
Protocol "unmanaged"
Cover the following interface "wlan0" (to be checked via console "ifconfig")
Submit
Go to the firewall sheet and assign the firewall zone to "lan"
Network\Firewall\Custom Rules screen
Copy and paste the following line (assuming you want to block http and https):
iptables -I INPUT -p tcp -m multiport --dports 80,443 -m physdev --physdev-in wlan0 -j REJECT
The last operation is done using the console. It consists in modifying the "net.bridge.bridge-nf-call-iptables" flag.
Current status of the flag can be checked using:
cat /proc/sys/net/bridge/bridge-nf-call-iptables
Permanent modification is obtained by editing the file /etc/sysctl.conf
and adding the line: net.bridge.bridge-nf-call-iptables=1
then reboot.
It should work.
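The two console steps of the recap (checking the bridge-nf flag and persisting it in sysctl.conf) and the custom rule can be wrapped in small idempotent shell helpers so that re-running them does not duplicate the sysctl line. This is an added example, not code from the thread; the file paths are parameters (assumed defaults are the real /proc and /etc/sysctl.conf locations named above) so the functions can be exercised on constructed files before being used on the router.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the recap's console steps.

# Return 0 when the flag file reports 1, e.g.
#   bridge_nf_enabled /proc/sys/net/bridge/bridge-nf-call-iptables
bridge_nf_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Make a sysctl.conf-style file ($1) set net.bridge.bridge-nf-call-iptables=1.
# Prints "present" if already set to 1, "updated" if the key existed with
# another value, "added" if the key was missing. Takes effect after reboot
# (or "sysctl -p" on the router), as described in the recap.
ensure_bridge_nf_sysctl() {
    f="$1"
    key="net.bridge.bridge-nf-call-iptables"
    if grep -q "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$f" 2>/dev/null; then
        echo present
    elif grep -q "^[[:space:]]*$key[[:space:]]*=" "$f" 2>/dev/null; then
        # rewrite the existing assignment in place (portable: no sed -i)
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key=1|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo updated
    else
        echo "$key=1" >> "$f"
        echo added
    fi
}

# Build the recap's physdev rule for a bridge port ($1) and a comma-separated
# port list ($2). Printed rather than executed so it can be reviewed and
# pasted into the Custom Rules screen; add "-C" instead of "-I" to test
# whether the rule is already present.
physdev_reject_rule() {
    echo "iptables -I INPUT -p tcp -m multiport --dports $2 -m physdev --physdev-in $1 -j REJECT"
}
```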
Is there any firewall rule configuration that would generate an error 403 or 401 screen on the remote wireless client?
Firewalls mainly work on a packet-by-packet basis -- generating a 401 or 403 is something that a web server does.
(Also, please upgrade to at least 18.06.5, as there have been security vulnerabilities patched since 18.06.2)
OK THX, don't know how DD-WRT does it.
Referring to my setup recap, there was a typo regarding the packages I suggested to install.
You must read 'ipset' instead of 'ipsec'.
Sorry for the confusion.
I've read this thread and still don't fully understand it. I have a rather difficult configuration on top of that. I'm using a WRT3200ACM with two main networks and two guest networks divided on two separate radios. My goal is to prevent LuCI/GUI access for all but the Ethernet. I believe that I need a separate VLAN and firewall zone but not sure on the coding/configuration. My current VLAN configuration is the default for 18.06.5 and the switch part is the most confusing. I've read the manual for OpenWrt but I can't understand the difference between tagged/untagged/off in how it relates to internet traffic. To include how I use two CPU (ethx) effectively because the guest nets will rarely be on. Please, any guidance?
This is an entirely different inquiry from the OP. I advise making a new thread to assist with your particular configuration.