Difficulties achieving client isolation in mixed wifi/wired network

Hello!
OpenWRT beginner here. Although I was looking for it, I wasn't able to find my specific problem. I recently set up OpenWRT on a TP-Link Archer C7 v4 device.

My goal is to have three separated network segments:

  • Main (my laptops, phones) via WIFI
    • Access to internet
    • Access to OpenWRT web interface/SSH
    • Access to other devices on the same VLAN
    • Access to devices on other VLANs (e.g. web interface of robot vacuum)
  • IOT-online (IOT devices that need access to the internet) via WIFI and four physical switch ports
    • Access to internet
    • NO access to OpenWRT web interface/SSH
    • NO access to other devices on the same VLAN
    • NO access to devices on other VLANs
  • IOT-offline (IOT devices that do not need internet) via WIFI
    • NO Access to internet
    • NO access to OpenWRT web interface/SSH
    • NO access to other devices on the same VLAN
    • NO access to devices on other VLANs

What I did was:

  • Create three VLANs (10: main, 20: iot-online, 30: iot-offline)
  • Create three bridges based on these VLANs
  • Create three interfaces
  • Create three wifi access points
  • Do the firewall config

Please see my config files attached.

The main segment and the IOT-offline segment work as intended, however from wireless devices in the IOT-online segment I can access wired IOT devices in the IOT-online segment. Also wired devices in the IOT-online segment can access OpenWRT router web interface and don't seem to be restricted at all.

My questions are:

  1. How can I get both wireless and wired devices in the IOT-online segment to behave as expected?
  2. I have the feeling that there is some basic concept I didn't understand yet. What did I miss?
  3. I am doing this to enhance my network security and to learn. Is there anything in the config you would recommend to improve in order to enhance security? Anything I can safely remove?

Thank you for any insights!

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8f:9248:8bf6::/48'
	option packet_steering '1'

config device
	option name 'eth0.2'
	option macaddr '****'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'
	option isolate '1'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '30'
	option name 'eth0.30'

config interface 'main'
	option proto 'static'
	option device 'br-main'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'iot_online'
	option proto 'static'
	option device 'br-iot-online'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'iot_offline'
	option proto 'static'
	option device 'br-iot-offline'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config device
	option type 'bridge'
	option name 'br-main'
	list ports 'eth0.10'

config device
	option type 'bridge'
	option name 'br-iot-online'
	list ports 'eth0.20'

config device
	option type 'bridge'
	option name 'br-iot-offline'
	list ports 'eth0.30'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2 3 4 5'
	option vid '20'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option channel 'auto'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option channel 'auto'
	option cell_density '0'
	option legacy_rates '1'
	option htmode 'HT20'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Main'
	option encryption 'psk2'
	option key '****'
	option network 'main'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IOT-Offline'
	option encryption 'psk2'
	option key '****'
	option network 'iot_offline'
	option isolate '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IOT-Online'
	option encryption 'psk2'
	option key '****'
	option network 'iot_online'
	option disassoc_low_ack '0'
	option isolate '1'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP-Main'
	option src 'wan'
	option dest 'main'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP-Main'
	option src 'wan'
	option dest 'main'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config zone
	option name 'main'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'main'

config forwarding
	option src 'main'
	option dest 'wan'

config zone
	option name 'iot_online'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot_online'

config forwarding
	option src 'iot_online'
	option dest 'wan'

config zone
	option name 'iot_offline'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'iot_offline'

config rule
	option src 'iot_online'
	option name 'Allow-DHCP-IOT_online'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option dest 'iot_online'
	option name 'Allow-DHCP-IOT-online-Outgoing'
	list proto 'udp'
	option src_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'iot_online'
	option name 'Allow-DNS-IOT_online'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'iot_offline'
	option name 'Allow-DHCP-IOT_offline'
	option dest_port '67-78'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest 'iot_offline'
	option name 'Allow-DHCP-IOT-offline-Outgoing'
	list proto 'udp'
	option src_port '67-68'
	option target 'ACCEPT'

config forwarding
	option src 'main'
	option dest 'iot_offline'

config forwarding
	option src 'main'
	option dest 'iot_online'

config rule
	option src 'iot_online'
	option dest 'iot_online'
	option name 'Reject-IOT-Online-To-IOT-Online'
	option target 'REJECT'

If I’m reading your post correctly, you have a wireless segment VLANed with a wired segment and you’re trying to achieve the same isolation on the wired segment as "Client Isolation" performs on the wireless segment. It’s not as simple on wired segments. This post might give you some insight on how to achieve your goal. The simple answer is you’ll need a switch port per wired device and a lot of VLANs, interfaces, and firewall rules.

2 Likes

Hi!
Thank you for the answer. Yes, I want the same kind of client isolation for wired devices as there is for wireless ones.
Given that both the wired and wireless devices are in the same VLAN and the same Firewall zone, shouldn't it be possible to just create a Firewall rule that forbids traffic from source "iot-online" firewall zone to target "iot-online" firewall zone?
Is my configuration correct? Especially: are both the wired devices and wireless devices in the same VLAN and the same firewall zone?
Thank you!

It won’t work on a LAN segment because there is nothing preventing them from simply sending packets directly to each other. On the wireless side, each device is provided with encryption keys. If you have Client Isolation turned on, the AP will hand out a unique key for each device, forcing them to go through the router first. On the wired side, there is no encryption so devices are able to send messages to each other. The only reliable ways to do this are either VLAN per device, or a switch that provides port isolation (which will use VLANs in a weird way). Since the wired devices are not required to go through the router or firewall to talk to each other, no firewall rule will prevent them from doing so.

Depending on how many wired devices you have there are switches claiming "one click VLAN" or these have a toggle switch to set some ports to VLAN mode. I can’t vouch for how well these might work for you. They are certainly inexpensive enough to try.

No, this is where it gets tricky to filter ethernet based devices on the same network.

Traffic between any two devices that exist on the same subnet will, by definition, not actually flow through the firewall. That is because the firewall is part of the routing engine, and this happens at Layer 3 -- it's relevant when traffic must traverse between two networks. However, L2 connections are switched, so no routing/firewalling will happen.

It is possible in some cases to use a "bridge firewall" to achieve ethernet port isolation, but it's tricky and a bit of a hack (I have no idea if it still works with the latest versions of OpenWrt).

When the wifi standards were introduced, they specifically built in provisions for isolation within the context of a single AP. Using multiple APs (connected by ethernet) causes the same complication since a client connected to AP1 appears as if it is ethernet connected AP2 and thus clients on AP2 can reach it.

Ethernet was not designed for isolation, although there are port-isolation techniques that are found on managed switches. I don't think it would help in your specific situation, though.

Thank you so much for your responses. I believe I understand it better now.
I will try to achieve it with separate VLANs for every device and bridges or ebtables and reply again with the results :slight_smile:

1 Like

Hello!
A quick followup and question:

I finally got around to reconfiguring the network settings to assign a VLAN for every switch port, then create a bridge for that VLAN and create an interface for that bridge:

Switch Port 1 => VLAN 20 => br-eth0.20 => Interface iot-online
Switch Port 2 => VLAN 21 => br-eth0.21 => Interface port 2
Switch Port 3 => VLAN 22 => br-eth0.22 => Interface port 3
Switch Port 4 => VLAN 23 => br-eth0.23 => Interface port 4

The issue I am having now is the fact that the devices on Switch Ports 2, 3 and 4 don't get an IP address via DHCP. It's as if they were not even connected.
Do you have any ideas/further insights as to what I might have done wrong?
Thank you very much in advance!

Please find below my configs:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8f:9248:8bf6::/48'
	option packet_steering '1'

config device
	option name 'eth0.2'
	option macaddr '****'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'
	option isolate '1'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '30'
	option name 'eth0.30'

config interface 'main'
	option proto 'static'
	option device 'br-main'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'iot_online'
	option proto 'static'
	option device 'br-iot-online'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'iot_offline'
	option proto 'static'
	option device 'br-iot-offline'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config device
	option type 'bridge'
	option name 'br-main'
	list ports 'eth0.10'

config device
	option type 'bridge'
	option name 'br-iot-online'
	list ports 'eth0.20'

config device
	option type 'bridge'
	option name 'br-iot-offline'
	list ports 'eth0.30'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2'
	option vid '20'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '21'
	option name 'eth0.21'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '22'
	option name 'eth0.22'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '23'
	option name 'eth0.23'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '21'
	option ports '0t 3'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '22'
	option ports '0t 4'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 5'
	option vid '23'

config device
	option type 'bridge'
	option name 'br-eth0.21'
	option bridge_empty '1'
	list ports 'eth0'

config device
	option type 'bridge'
	option name 'br-eth0.22'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-eth0.23'
	list ports 'eth0.23'
	option bridge_empty '1'

config interface 'port2'
	option proto 'static'
	option device 'br-eth0.21'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'

config interface 'port3'
	option proto 'static'
	option device 'br-eth0.22'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'

config interface 'port4'
	option proto 'static'
	option device 'br-eth0.23'
	option ipaddr '192.168.23.1'
	option netmask '255.255.255.0'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP-Main'
	option src 'wan'
	option dest 'main'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP-Main'
	option src 'wan'
	option dest 'main'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config zone
	option name 'main'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'main'

config forwarding
	option src 'main'
	option dest 'wan'

config zone
	option name 'iot_online'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot_online'

config forwarding
	option src 'iot_online'
	option dest 'wan'

config zone
	option name 'iot_offline'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'iot_offline'

config rule
	option src 'iot_online'
	option name 'Allow-DHCP-IOT_online'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option dest 'iot_online'
	option name 'Allow-DHCP-IOT-online-Outgoing'
	list proto 'udp'
	option src_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'iot_online'
	option name 'Allow-DNS-IOT_online'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'iot_offline'
	option name 'Allow-DHCP-IOT_offline'
	option dest_port '67-78'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest 'iot_offline'
	option name 'Allow-DHCP-IOT-offline-Outgoing'
	list proto 'udp'
	option src_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'port2'
	option name 'Allow-DHCP-Port2'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option dest 'port2'
	option name 'Allow-DHCP-Port2-Outgoing'
	list proto 'udp'
	option src_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'port2'
	option name 'Allow-DNS-Port2'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'port3'
	option name 'Allow-DHCP-Port3'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option dest 'port3'
	option name 'Allow-DHCP-Port3-Outgoing'
	list proto 'udp'
	option src_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'port3'
	option name 'Allow-DNS-Port3'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'port4'
	option name 'Allow-DHCP-Port4'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option dest 'port4'
	option name 'Allow-DHCP-Port4-Outgoing'
	list proto 'udp'
	option src_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'port4'
	option name 'Allow-DNS-Port4'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'main'
	option dest 'iot_offline'

config forwarding
	option src 'main'
	option dest 'iot_online'

config zone
	option name 'port2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'port2'

config forwarding
	option src 'port2'
	option dest 'wan'

config zone
	option name 'port3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'port3'

config forwarding
	option src 'port3'
	option dest 'wan'

config forwarding
	option src 'main'
	option dest 'port3'

config forwarding
	option src 'main'
	option dest 'port2'

config zone
	option name 'port4'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'port4'

config forwarding
	option src 'port4'
	option dest 'wan'

config forwarding
	option src 'main'
	option dest 'port4'

ubus call system board

{
	"kernel": "6.6.93",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v4",
	"board_name": "tplink,archer-c7-v4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "ath79/generic",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}

What about your DHCP config?

The syntax of your bridge naming is likely a problem. Dotted notation is reserved and this may be messing things up.

You also have some other issues. Let's fix them:

Delete all of the 802.1q stanzas:

remove the bridge line from these network interface stanzas:

Next, it looks like you have VLANs assigned 1-per-port (20-23). That means that you have a few bridges that are no longer attached to ethernet, so they need to be updated or deleted:

If the above are being used for wifi, remove the ports line and add option bridge_empty '1'. Otherwise, delete them and the associated network interfaces.

Now, for the bridges that need to be fixed because they're violating the dotted notation methods:

This first one needs multiple changes:

Remove the bridge_empty line, edit the ports to eth0.21 and change the name to something like br-vlan21.

The same things here about the bridge_empty and name, but also there is no port connection here... add list ports 'eth0.22' to this one:

Finally, this one just needs to be renamed and the bridge_empty line removed. for the name, consider br-vlan23:

Now, you need to go into each of the related network config stanzas and fix the names of the devices to match (i.e. option device 'br-vlan21' and so on):

I have not reviewed the firewall file, but the network file alone needs that attention before anything could work. If that doesn't fix things, please let me know and I'll review the firewall file. And, if there are issues, also post the dhcp file and the updated network config so they can be reviewed at the same time.

I missed it in the above discussion, but is the suggestion from @Mushoz Netfilter on bridge not simpler? Or is this no longer supported in current OpenWRT?

It depends on the goals, but I've never actually seen bridge firewalling in action and I'm not sure if it works these days.

Ultimately, though, you have lots of major issues with the network config that I described. You need to fix those first and then you'll have a VLAN isolated config that will hopefully work as expected. If it doesn't do what you want, we can try to look at the rest of the details of your config and see if there is a misconfiguration or if the issue is inherent to the method used (vs bridge firewall).

Thank you so much for helping me out here - it works after applying suggested changes! :grinning_face:

One question though to understand OpenWRT better: Why delete all the VLAN devices? Are VLANs now configured implicitly by putting VLAN IDs in the switch config? The tutorials I watched/read mentioned creating VLAN devices. So why was deleting them the right thing to do?
Thank you!

Yes, the underlying 802.1q devices are created automatically when you set up VLANs on the switch (with swconfig based devices), or when you use bridge-VLANs (DSA devices). And in situations where there is no internal switch (such as a Pi or an x86 box), dotted notation (i.e. eth0.x where x is the VLAN ID) will do the same.

I don't know why those tutorials recommend creating the 802.1q device stanzas.

Because they're unnecessary... and I have a theory (although this has yet to be proven/disproven in a specifically designed experiment) that the 802.1q stanzas may even conflict.

There were many issues in your config, beyond just the 802.1q stanzas... so it is possible that they were entirely benign and that the other things were the only real problems. But, as you can see, it works without those 802.1q devices, so as a whole solution, I'm glad it's now working!!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

At the very least they can get out of sync, causing real pain.

Thanks for the clarification! Unfortunately I can't mark the topic as "[Solved]" any more (if a moderator can: please feel free!) and both @cmdrdeliver and @psherman offered insights into the solution of my multi-step issues - Thank you very much! - so I also can't mark one specific post as solution. However here is a short solution summary:

  • For client isolation on physical switch ports, you need to create separate VLANs, bridges, interfaces for each physical switch port
  • Bridges can't have dots in their naming! Dotted notation is reserved for other purposes.
  • Setting up VLANs in the switch config is sufficient. No creation of 802.1q devices is necessary and sometimes it's counterproductive.

A few further config issues have been resolved:

  • Bridge devices which are empty (e.g. only for wifi) need option bridge_empty '1'
  • Remove option type 'bridge' from interfaces
  • Make sure bridge devices have the correct port definition, incl. the corresponding VLAN id after a dot: e.g. list ports 'eth0.22'
  • After renaming bridges, make sure to change the device name in the interface as well.

Hope this helps!
Thank you again for all the help in this awesome forum! :partying_face:
Cheers!

1 Like
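An added example, not code from this thread or from OpenWrt: a small Python linter for /etc/config/network text that checks the points raised in the replies and collected in the summary above (leftover 802.1q stanzas, dotted bridge names, bridges with no tagged port or no bridge_empty, option type 'bridge' on interfaces, and interfaces that still point at a renamed bridge). The UCI parser, the check logic and the messages are my own; the two config fragments are constructed, BEFORE modelled on the mistakes in the second posted config and AFTER with the suggested fixes applied (br-vlan21 being the name proposed in the replies).

```python
# Added example, not code from the thread or from OpenWrt: a small UCI parser plus
# checks for the /etc/config/network pitfalls named in the replies above.
import re

SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts': {key: [values]}}, ...]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:  # "config device" or "config interface 'port2'"
            cur = {"type": m.group(1), "name": m.group(2), "opts": {}}
            sections.append(cur)
        elif (m := OPTION_RE.match(line)) and cur is not None:
            cur["opts"].setdefault(m.group(2), []).append(m.group(3))  # option and list alike
    return sections

def first(sec, key, default=None):
    return sec["opts"].get(key, [default])[0]

def lint_network(text):
    """Return [(severity, message), ...] in file order; [] means nothing was found."""
    secs = parse_uci(text)
    vids = {first(s, "vid") for s in secs if s["type"] == "switch_vlan"}
    bridges = {first(s, "name", ""): s for s in secs
               if s["type"] == "device" and first(s, "type") == "bridge"}
    out = []
    for s in secs:
        kind, name, dev = s["type"], first(s, "name", ""), first(s, "device", "")
        if kind == "device" and first(s, "type") == "8021q":
            out.append(("warn", f"8021q stanza for {name}: switch_vlan already creates it"))
        elif kind == "device" and first(s, "type") == "bridge":
            ports = s["opts"].get("ports", [])
            if "." in name:
                out.append(("error", f"bridge {name}: dotted names are reserved for VLAN sub-interfaces"))
            if not ports and first(s, "bridge_empty") != "1":
                out.append(("error", f"bridge {name}: no ports and no bridge_empty '1'"))
            for p in ports:
                if "." not in p:
                    out.append(("error", f"bridge {name}: port {p} carries no VLAN tag"))
                elif p.split(".", 1)[1] not in vids:
                    out.append(("error", f"bridge {name}: port {p} has no switch_vlan with that vid"))
        elif kind == "interface":
            if first(s, "type") == "bridge":
                out.append(("warn", f"interface {s['name']}: drop option type 'bridge'"))
            if dev.startswith("br-") and dev not in bridges:
                out.append(("error", f"interface {s['name']}: device {dev} is not a defined bridge"))
    return out
# Constructed fragments: BEFORE mirrors the mistakes in the second posted config,
# AFTER has the fixes from the replies applied.
BEFORE = """config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '21'
	option ports '0t 3'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '21'
	option name 'eth0.21'

config device
	option type 'bridge'
	option name 'br-eth0.21'
	option bridge_empty '1'
	list ports 'eth0'

config interface 'port2'
	option device 'br-eth0.21'
	option type 'bridge'
"""

AFTER = """config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '21'
	option ports '0t 3'

config device
	option type 'bridge'
	option name 'br-main'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-vlan21'
	list ports 'eth0.21'

config interface 'port2'
	option device 'br-vlan21'
"""

if __name__ == "__main__":
    print(lint_network(BEFORE), lint_network(AFTER), sep="\n")
```

Run it as-is to see the four findings on BEFORE and none on AFTER, or pass the text of a real file to lint_network. It only reads the file text and reports in file order; it is a pre-check for the mistakes discussed here, not a substitute for the validation uci and netifd do on the router.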

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.