Configure Ethernet ports to only be able to connect to internet

When I plug a device into a LAN ethernet port, it can communicate with other LAN ethernet devices and with wifi clients (even if isolated). I would like my LAN ethernet devices to only be able to communicate with the WAN.

I have 4 LAN ethernet ports. An possible (brute force) solution would be to create 4 new vlans, corresponding to each LAN port. I then create 4 new firewall zones so that each vlan has a separate zone.

Is there a simpler way, possibly just using vlans?

OK...WiFi isolation should work when enabled; but Ethernet isolation may be more of a task. WiFi isolation may be failing if you've somehow accidentally configured a route, mangling, etc. on the WiFi.

On Ethernet, likely not an easier way, VLANs would work.

3 Likes

It looks like I need to create a new interface for each of the vlans, and also create a separate dhcp server for each ethernet port. Is there any way to share one dhcp pool?

Also, interestingly I seem to need to make a "bridge" over my single ethernet port in order for it to work. That does not seem to be needed when creating a new (separate) wifi ssid interface.

Not reasonably, as your router won’t know which VLAN to route return packets over.

Yes, as long as your router is not using DSA, but the old swconfig (i.e. if you see the Network/Switch menu, this will work:

  • Create a VLAN for each port
  • Load this module: kmod-br-netfilter
  • echo 1 > /sys/class/net/br-guest/bridge/nf_call_iptables
  • echo 1 > /sys/class/net/br-guest/bridge/nf_call_ip6tables
  • Use REJECT or DROP for INPUT & FORWARDING in the guest firewall zone.
  • Add a firewall rule to block the guest zone from accessing the router, except DHCP & DNS

Now all your ports are in the same bridge and using the same DHCP range and the bridge is in the guest firewall zone.

Is you do go this route, you do not need a bridge here: just add all your wired VLAN interfaces to the same firewall zone and disable forwarding between interfaces in the zone.

1 Like

The bridge is primarily for LuCI and OpenWrt firewall config. As noted, if you're hand-configuring, it is not needed. netifd does this "magically" when you define and bring up a new SSID (often adding it to an existing bridge).

1 Like

You do need 4 vlans then connect them to the IoT network by software. If you don't have a separate VLAN for each port the hardware switch will allow them to link to each other.

2 Likes