Client isolation

I managed to get it working via iptables :slight_smile:

Install the following package: kmod-br-netfilter
Which will add netfilter support for bridges. And then set:

echo 1 > /sys/class/net/br-guestlan/bridge/nf_call_iptables
Optional for ipv6 support: echo 1 > /sys/class/net/br-guestlan/bridge/nf_call_ip6tables

You can make these options survive a reboot by setting these in sysctl.

Now packets traveling from one VLAN to another VLAN through the bridge interface are subject to iptables rules, and hence using a reject rule on the default forward chain will effectively isolate the clients :slight_smile: Hopefully this is helpful information for other people as well!