Client isolation with VLAN in 21.02 - How?

Hi

With OpenWrt 19.07 I have a number of devices (VM, Raspi) each connected with a different VLAN to the router. With this, the devices are isolated from each other on the ('physical') network.

As a picture:

The wanted setup is:

  • All devices are part of the same network (say: 192.168.40.0/24)
  • The devices do not talk to each other, except via explicitly allowed traffic rules (port 53 for VLAN 401, ports 80,443 for VLAN 402, ports 25,587 for VLAN 403).

With 19.07 I achieved that by bridging VLANs 401, 402 and 403 on one interface:

The interface members have been isolated from each other by using kmod-br-netfilter.

On the firewall page it looks like this:

And the traffic that should be allowed is defined by traffic rules:

With this configuration the expected result has been achieved. The traffic between the VLANs 401, 402 and 403 was blocked except for the traffic explicitly allowed by traffic rules.

But I didn't get this to work with OpenWrt 21.02.

Maybe I'm on the wrong path and need to use some of the 'other' VLAN options like using MAC VLAN. So any help is welcome.