Bridge port isolation broken?

So, I'm trying to set up bridge port isolation on an access point and it kinda works, but the behavior doesn't really make sense.

I have a bridge with 3 enslaved interfaces: wifi1-100, wifi2-100 and a vlan interface eth0.100.

If I add

option isolate '1'

to the interface section of my bridge in /etc/config/network and check the port isolation status via /sys/class/net/*/brport/isolated then I see that both wifi interfaces are isolated (returning 1), but the vlan interface is not.

Now, coincidentally, this is exactly what I want to achieve.** But it just doesn't make sense to me that enabling port isolation on the bridge interface would only apply to some interfaces, but not all. I also skimmed through the netifd code and I don't see any logic there that would explain this behavior. So, I'm worried that this is just some bug or race condition and the behavior might change once I upgrade my OpenWrt device (oh, btw. I'm currently running the latest stable release 22.03.5).

I also tried creating two new configuration sections

config device
        option name 'wifi1-100'
        option isolate '1'

config device
        option name 'wifi2-100'
        option isolate '1'

in order to specifically enable port isolation on just those two interfaces. And while that would enable port isolation on wifi1-100, it stays disabled on wifi2-100. My suspicion is that this is some kind of race condition because wifi2-100 is on a 5GHz DFS channel, so it takes a bit more time to come up due to radar detection (but that still wouldn't explain why it works if I add the option to the bridge rather than the individual interfaces).

Altogether, this just seems broken to me. How is port isolation supposed to work in OpenWrt and how can someone reliably and predictably isolate some ports but not all?

**The configuration I would like to achieve is to have the wireless interfaces on the bridge isolated, but the vlan interface not, because the bridge on the access point doesn't have any IP address configured and the VLAN interface is connected and bridged to my upstream router which runs the DHCP server, etc. So the wireless clients need to be able to reach the upstream router via the VLAN interface, otherwise they wouldn't get IP addresses.
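A small check for verifying which ports of a bridge actually ended up isolated, added here as an example and not code from the post or from OpenWrt/netifd: it reads the same /sys/class/net/<port>/brport/isolated files the post inspects and compares them with an intended policy. The bridge name br-guest and the fake sysfs tree built in a temp directory are constructed for the demo; point SYSFS_NET at the real /sys/class/net to check a live bridge.

```shell
#!/bin/sh
# Added example: report and verify per-port bridge isolation via sysfs.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print one "<port> <0|1|unknown>" line per port enslaved to bridge $1.
# <bridge>/brif/<port> is a symlink to <port>/brport, where "isolated" lives.
bridge_isolation_report() {
    br="$1"
    [ -d "$SYSFS_NET/$br/brif" ] || { echo "no such bridge: $br" >&2; return 2; }
    for link in "$SYSFS_NET/$br/brif"/*; do
        [ -e "$link" ] || continue            # empty bridge: glob did not expand
        if [ -r "$link/isolated" ]; then
            state=$(cat "$link/isolated")
        else
            state=unknown                     # kernel without per-port isolation
        fi
        echo "$(basename "$link") $state"
    done
}

# Return 0 when every port in $2 reports 1 and every port in $3 reports 0,
# 1 on any mismatch (details on stderr), 2 if the bridge does not exist.
check_isolation_policy() {
    br="$1"; want_isolated="$2"; want_open="$3"; rc=0
    report=$(bridge_isolation_report "$br") || return 2
    for p in $want_isolated; do
        printf '%s\n' "$report" | grep -qx "$p 1" || { echo "$p: expected isolated" >&2; rc=1; }
    done
    for p in $want_open; do
        printf '%s\n' "$report" | grep -qx "$p 0" || { echo "$p: expected not isolated" >&2; rc=1; }
    done
    return $rc
}

# Constructed fake sysfs tree mirroring the post's bridge: two isolated wifi
# ports and one non-isolated VLAN port. Prints the tree's root directory.
make_fake_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/br-guest/brif"
    for spec in wifi1-100:1 wifi2-100:1 eth0.100:0; do
        port=${spec%:*}; flag=${spec#*:}
        mkdir -p "$root/$port/brport"
        echo "$flag" > "$root/$port/brport/isolated"
        ln -s "../../$port/brport" "$root/br-guest/brif/$port"
    done
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then                # run against the constructed tree
    SYSFS_NET=$(make_fake_sysfs)
    bridge_isolation_report br-guest
    check_isolation_policy br-guest "wifi1-100 wifi2-100" "eth0.100" && echo "policy OK"
fi
```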

I don't get what you're trying to say or how it relates to my question. On the access point, I don't have firewall zones configured (dumb access point setup). This is entirely layer 2 bridging, layer 3 (IP firewalling and forwarding) are not involved here.
