Hi,
hope you can help
In fact communication from client to client is well blocked. However 22.03 behaves slightly differently than 21.02 does when a scanning client is used on the guest bridge.
Because 22.03 is using fw4 I have removed kmod-br-netfilter and used kmod-nft-bridge (but no change)
The client to client bridge control reject works as follow
22.03 + kmod-nft-bridge: ping/connect to other bridge clients is rejected, arp request show all other bridge clients
21.02+ kmod-br-netfiletr: ping/conect to other bridge clients is rejected, arp request show only the scanning client and gateway (desired behaviour)
This are the arp request from a scanning client that are not blocked. Unfortunately I'm not capable to properly setup an appropriate firewall rule.
Look at the network description listed at the top3 post of this thread
Some few changes in the config/network file regarding each Vlan device part of the Invite (guest) bridge as follow
in the bridge port specific option you have to enable: Port isolation and Multicast to Unicast
this will result for any Vlan xyz part of the bridge to smth like this
config device
option name 'br-lan.xyz'
option type '8021q'
option ifname 'br-lan'
option vid 'xyz'
option isolate '1'
option multicast_to_unicast '1'
The isolate feature offers Vlan separation even when the Vlan is part of a bridge without the need of any extra package (kmod-br-netfilter or kmod-nft-bridge): no ping, no access, no arp between clients of the guest bridge
Finally guest clients are on the same network (IP address segment), have internet access, and are fully isolated from each others (wired or wireless on the router or on dumb AP)