Disable forwarding between different wireless interfaces in the same bridge

I have a task that seems similar to Client isolation, but that thread is old and I'm pretty certain I know what I want, I'm just not sure how to express it in an idiomatic way in OpenWrt.

Basically I have the following guest bridge:

bridge name	bridge id				STP enabled	interfaces
br-guest		7fff.525400d77476	no			eth1

This is an access point VM, eth1 goes to the router and handles DHCP as well.

Clients within wlan0-1 are isolated, clients within wlan1-1 are isolated too, but wlan0-1 clients can talk to wlan1-1 clients and vice versa, which I want to prevent from happening.

What I need (in ebtables syntax) is the following:

ebtables -A FORWARD -i wlan0-1 -o eth1 -j ACCEPT
ebtables -A FORWARD -i wlan0-1 -j DROP
ebtables -A FORWARD -i wlan1-1 -o eth1 -j ACCEPT
ebtables -A FORWARD -i wlan1-1 -j DROP

This would allow both wlan0-1 and wlan1-1 clients to communicate with router and back, but they wouldn't be able to send anything anywhere else, including to each other.

Which packages do I need (I installed kmod-nft-bridge so far, mentioned in https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge, but I'm not sure if that is the right one)? I'm also not sure how to configure that in LuCI; the firewall section only seems to deal with L3 networking, not the L2 filtering that I need.

If your OpenWrt version is 22.03.x which uses fw4 by default, this is exactly what you need.

The rules translated into nftables syntax:

nft add table bridge filter
nft add chain bridge filter forward '{type filter hook forward priority -200; }'
nft add rule bridge filter forward iifname "wlan0-1" oifname "eth1" counter accept
nft add rule bridge filter forward iifname "wlan0-1" counter drop
nft add rule bridge filter forward iifname "wlan1-1" oifname "eth1" counter accept
nft add rule bridge filter forward iifname "wlan1-1" counter drop

To automatically create and populate the table, see:

https://forum.openwrt.org/t/marking-packets-from-different-wifi-iface/145883/4 - #4 by jow


Is there a way to configure the same using LuCI?
I'd like to make it discoverable and also, ideally, backed up by default (though I can add any path for backup purposes of course).

I’m sorry, but that’s not possible.

I'm not entirely sure how this is applicable. In my case eth1 is just a bridge, OpenWrt doesn't even have an IP address assigned to that interface, I need rules on L2 and the way LuCI presents things is not clear to me.

The LuCI firewall screen is more for L3 type rules, so, as @pavelgl suggested, add your rules to an nft file which will be imported by the firewall once you restart it.

For those who read this thread in the future, here is what needs to be done:

opkg install kmod-nft-bridge
mkdir /usr/share/nftables.d/ruleset-post

Now create /usr/share/nftables.d/ruleset-post/no-guest-forwarding.nft like this:

table bridge filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        iifname "wlan0-1" oifname "eth1" counter accept;
        iifname "wlan0-1" counter drop;
        iifname "wlan1-1" oifname "eth1" counter accept;
        iifname "wlan1-1" counter drop;
    }
}

And restart firewall with service firewall restart.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#drop-in_includes_for_package_authors describes what this and other directories (not present out of the box) are.
Not sure why it is for package authors only; I wish there was a user-specific directory under /etc, but there is just /etc/nftables.d/ (with /etc/nftables.d/10-custom-filter-chains.nft in it), which is specific to table inet fw4 and doesn't seem to allow customizing table bridge filter.

To create those rules I installed ebtables-nft on OpenWrt, applied the rules as described at the very beginning with ebtables, then printed the generated rules with nft list ruleset, removed things like packets 0 bytes 0 from the output and also added some semicolons at the end of lines.

I hope this is helpful for someone in the future and thanks to everyone who commented in this thread.
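As an added example (not from any poster in this thread), here is a small shell helper that generates the same drop-in file for any number of isolated wireless interfaces and one uplink port, and a second function that writes it to the ruleset-post directory from the post above and dry-run checks it with nft -c before restarting the firewall. The interface names are assumptions; eth1, wlan0-1 and wlan1-1 are the ones used in this thread.

```shell
#!/bin/sh
# Generate a fw4 drop-in (table bridge filter) that lets each listed
# wireless interface forward frames only towards the uplink bridge port.
# Order matters: the accept rule for the uplink must precede the drop rule.
# Usage: gen_bridge_isolation UPLINK IFACE [IFACE...]
gen_bridge_isolation() {
    uplink="$1"
    shift
    [ "$#" -ge 1 ] || { echo "need at least one guest interface" >&2; return 1; }
    printf 'table bridge filter {\n'
    printf '    chain FORWARD {\n'
    # "priority filter" in the bridge family is -200, as in the nft commands above
    printf '        type filter hook forward priority filter; policy accept;\n'
    for ifc in "$@"; do
        printf '        iifname "%s" oifname "%s" counter accept;\n' "$ifc" "$uplink"
        printf '        iifname "%s" counter drop;\n' "$ifc"
    done
    printf '    }\n'
    printf '}\n'
}

# Write the ruleset to the fw4 drop-in directory named in the thread, parse it
# with nft in check mode (needs kmod-nft-bridge loaded) and only then restart
# the firewall, so a typo cannot leave the box with a half-applied ruleset.
install_bridge_isolation() {
    dir=/usr/share/nftables.d/ruleset-post
    file="$dir/no-guest-forwarding.nft"
    mkdir -p "$dir"
    gen_bridge_isolation "$@" > "$file" || return 1
    nft -c -f "$file" || { echo "nft rejected $file, firewall not restarted" >&2; return 1; }
    service firewall restart
}

# Example for the setup in this thread (uplink eth1, two isolated radios):
#   install_bridge_isolation eth1 wlan0-1 wlan1-1
```

These rules only govern frames forwarded between bridge ports; they say nothing about traffic to or from the access point host itself, which stays with the inet fw4 table.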
