Client Isolation with VLANs on 24.10

Is ebtables still the way to go to achieve client isolation within a bridge device in 2025?

I've set up an IoT VLAN & created a firewall zone with the same name for it, where I've set input, output & forward all to reject and only allowed DHCP + access from lan to iot with these firewall rules in /etc/config/firewall (created using the LuCI GUI):

config rule
        option name 'iot dhcp requests'
        option src 'iot'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

config rule
        option name 'iot dhcp responses'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'
        option dest 'iot'

config rule
        option name 'iot access from lan'
        option src 'lan'
        option family 'ipv4'
        option target 'ACCEPT'
        option dest 'iot'
        list proto 'all'

Which seems to work as intended.
Now I'd also like to prevent the devices in that VLAN from talking to each other. Can (& should) I do that using ebtables? My VLAN spans 3 OpenWrt devices, where only the one central router currently has the firewall zone + rules and the other two only extend the range of the first as access points.

I have moved this to a new thread since the original one was ancient.

That said... can you expand on your objective a bit?

Specifically, the standard firewall (even the high-level LuCI/UCI firewall environment) can isolate different subnets from each other (i.e. prevent inter-VLAN routing).

But if your issue/question is about blocking intra-network traffic (in other words, isolating devices that are on the same subnet), that is a different requirement.


Well, yes, what I did so far suffices so that clients on that IoT VLAN cannot talk to anything outside of the IoT VLAN (besides replying to connections initiated by clients from my lan VLAN and being able to join the network as DHCP clients).

My current interest would be to try and prevent the clients within the IoT VLAN from talking to each other.

For wireless devices, you can enable client isolation on the SSID. Clients on the same AP would not be able to connect to each other. But since you have multiple APs, devices on one AP would actually see the clients on another because those basically appear as if they're Ethernet connected (and Ethernet L2 connections are not blocked by this).

With that in mind, there are bridge-firewall options, although I don't know if it works with the latest OpenWrt (I've actually never used it) as it was written for FW3 and we now use FW4.
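As an added example (not code from this thread or from the bridge-firewall package), this is the nftables bridge-family form that fw4-era OpenWrt uses in place of an ebtables FORWARD filter. It assumes a dedicated bridge named br-iot whose client-facing member ports are called lan3, phy0-ap0.20 and phy1-ap0.20 (hypothetical names), and it carries the same limits the replies above describe.

```nft
# Added example, not from the thread. Assumes a dedicated bridge "br-iot";
# list its real member ports with: ls /sys/class/net/br-iot/brif
# Requires the bridge-family nf_tables kernel module (kmod-nft-bridge).
# Load with: nft -f /etc/iot-isolate.nft  (e.g. from /etc/rc.local).
# fw4 only includes /etc/nftables.d/*.nft inside its own "inet fw4" table,
# so a bridge-family table like this one has to be loaded separately.
#
# Limits (as raised in the thread): frames between two stations on the
# same AP are forwarded inside mac80211 and never reach this hook unless
# the SSID's isolate option is set, and frames switched in hardware between
# two ports of the same switch chip bypass it as well. What this does catch
# is traffic that crosses the CPU: wireless <-> wired, and AP <-> AP.

# Create-then-delete makes the file safe to reload (idempotent).
table bridge iot_isolate
delete table bridge iot_isolate

table bridge iot_isolate {
    # Ports that face IoT clients. The uplink port towards the router is
    # deliberately NOT in this set, so client <-> router traffic (DHCP,
    # replies to connections from the lan zone) is left untouched.
    set client_ports {
        type ifname
        elements = { "lan3", "phy0-ap0.20", "phy1-ap0.20" }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Drop any frame bridged from one client-facing port to another
        # client-facing port of br-iot; everything else falls through.
        meta ibrname "br-iot" iifname @client_ports oifname @client_ports counter drop
    }
}
```

Check the counter with `nft list table bridge iot_isolate` to confirm the dropped frames are the ones you expect before relying on it.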

What's FW3 & FW4? I don't want to enable client isolation on the SSID because I'm using option wpa_psk_file '/etc/hostapd.wpa_psk' for my wireless network, and that wpa_psk file contains different keys for different client groups with different VLANs - and for some of those VLANs I do NOT want to have client isolation.

With your current operating mode, I don't know of a way to achieve your goals. I would generally say it's not possible, but I'd love to be proven wrong about that. And if I'm wrong, hopefully someone else can provide insight into the methods by which this can be done.

You may want to consider just running a separate IoT SSID so you can use client isolation (but that doesn't solve the issue of clients reaching each other if they're connected on different APs).


Okay, thank you! For now, sharing a single SSID is more important to me than having client isolation for some of my VLANs, so I'll put a pin in that and maybe come back to it if my priorities change or anybody else has other suggestions.