Try it and see.
For testing put it in /tmp (gone if you reboot)
Make sure it is executable..... Run it....
I gave it a try but it doesn't seem to work. I can still see other guest clients (LAN + Wifi) when connected to the guest AP on both devices.
root@OpenWrt:/tmp# chmod +x /tmp/guest_isolate
root@OpenWrt:/tmp# ./guest_isolate
root@OpenWrt:/tmp# nft list table bridge guests
table bridge guests {
	chain guests_PRE {
		type filter hook prerouting priority -350; policy accept;
		iifname "br-lan.3" counter packets 0 bytes 0 drop comment "Guest Isolation"
	}
}
I'm not sure if it's related to my DIR860L which is currently still running 19.07.10 with the following ebtables rules:
ebtables -A FORWARD -i ! eth0.3 -o eth0.3 -j ACCEPT # allow AP clients to talk to router
ebtables -A FORWARD -i eth0.3 -o ! eth0.3 -j ACCEPT # allow router to talk to AP clients
ebtables -A FORWARD --logical-in br-guest -j DROP
I'm going to install 23.05.3 on the DIR860L, configure the VLANs via DSA (br-lan.x) like on the GL-MT6000 and try again, but I think it won't make a difference. I'll give it a try anyway.
No success either with the DIR860L on 23.05.3.
I've also tried to run the script on the DIR860L after installing kmod-nft-bridge for br-lan.3 but it didn't have any impact.
iifname "br-lan.3" counter packets 0 bytes 0 drop comment "Guest Isolation"
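The zero counter in the listing above is the useful diagnostic: the rule was installed but never matched a frame. On a DSA bridge the port a frame enters on, as seen by the bridge-family hooks, is the physical port (lan1, a wlan interface), not the VLAN upper device br-lan.3, so an iifname "br-lan.3" match in prerouting never fires. As an added example (not code from the thread) here is a small POSIX shell helper that parses `nft list table` output and reports whether a rule carrying a given comment has actually seen traffic. Both sample listings are constructed; the first mirrors the counter-zero state shown in the thread, the second is what a matching rule would look like.

```shell
#!/bin/sh
# Constructed sample: the listing the thread shows after running guest_isolate
# (rule present, counter still at zero).
SAMPLE_ZERO='table bridge guests {
	chain guests_PRE {
		type filter hook prerouting priority -350; policy accept;
		iifname "br-lan.3" counter packets 0 bytes 0 drop comment "Guest Isolation"
	}
}'

# Constructed sample: the same table once the rule has matched frames.
SAMPLE_HIT='table bridge guests {
	chain guests_PRE {
		type filter hook prerouting priority -350; policy accept;
		iifname "br-lan.3" counter packets 42 bytes 5376 drop comment "Guest Isolation"
	}
}'

# rule_packets <comment>
# Reads `nft list ...` output on stdin and prints the packet count of the first
# counter rule whose comment equals <comment>; prints nothing if there is none.
rule_packets() {
    awk -v want="$1" '
        index($0, "comment \"" want "\"") && /counter packets/ {
            for (i = 1; i < NF; i++) if ($i == "packets") { print $(i + 1); exit }
        }'
}

# check_isolation <comment>
# Exit 0 when the rule exists and has matched at least one frame,
#      1 when it exists but matched nothing (the symptom in the thread:
#        wrong hook or interface for a DSA bridge VLAN),
#      2 when no rule with that comment is present.
check_isolation() {
    pkts=$(rule_packets "$1")
    [ -n "$pkts" ] || return 2
    [ "$pkts" -gt 0 ] || return 1
    return 0
}

# Usage on the router, after generating some guest-to-guest traffic:
#   nft list table bridge guests | check_isolation 'Guest Isolation'; echo $?
```

Run the check twice, before and after sending a few pings between two guest clients: a rule that stays at zero is not in the path of the frames you want to drop, however correct it looks in the listing.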
The script I posted is just a taster to get you going. I did not intend to do it for you.
You will have to describe what you mean by isolate guests. How are they connected, wireless, ethernet, both, remote access points?
You probably already went through all this, but I have not read it all, sorry.
The GL-MT6000 and the DIR860L are connected via Ethernet cable, GL-MT6000 LAN Port 1 >> DIR860L WAN Port.
By isolating the guest clients I mean that devices within the guest network are not able to communicate and see each other. As I said with 19.07.10 I had this done via ebtables rules on both devices (see my starting post).
Most of my guest clients are connected to my second AP (DIR860L) via Wifi but I also got one guest client connected via Ethernet (LAN Port 2) over the DIR860L.
My main router (GL-MT6000) also got guest clients connected via Wifi and it will probably have 1 or 2 guest clients connected via Ethernet in the near future. So let's say both devices (GL-MT6000 and DIR860L) have guest clients connected via Wifi and Ethernet.
For reference, I'm going to list the current network and firewall configs for both devices running 23.05.3.
GL-MT6000 network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd85:9f09:098d::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config device
option name 'lan1'
option macaddr '**'
config device
option name 'lan2'
option macaddr '**'
config device
option name 'lan3'
option macaddr '**'
config device
option name 'lan4'
option macaddr '**'
config device
option name 'lan5'
option macaddr '**'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
config device
option name 'eth1'
option macaddr '**'
config interface 'wan'
option device 'eth1.7'
option proto 'pppoe'
option username '**'
option password '**'
option ipv6 'auto'
option peerdns '0'
option pppd_options 'debug'
list dns '1.1.1.1'
list dns '8.8.8.8'
config interface 'wan6'
option device 'eth1.7'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
list ports 'lan5:u*'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '15'
list ports 'lan1:t'
config interface 'guest'
option proto 'static'
option device 'br-lan.3'
option ipaddr '192.168.55.1'
option netmask '255.255.255.0'
config interface 'psx'
option proto 'static'
option device 'br-lan.15'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'eth1'
option vid '7'
option name 'eth1.7'
config interface 'modem'
option proto 'static'
option device 'eth1.42'
option ipaddr '192.168.254.1'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'eth1'
option vid '42'
option name 'eth1.42'
config interface 'WG_TEST_1'
option proto 'wireguard'
option private_key '**'
option listen_port '51821'
list addresses '**'
option auto '0'
option defaultroute '0'
list dns '8.8.8.8'
config wireguard_WG_TEST_1
option description '**.conf'
option public_key '**'
list allowed_ips '0.0.0.0/0'
option endpoint_host '**'
option endpoint_port '51820'
option persistent_keepalive '25'
config interface 'WG_TEST_2'
option proto 'wireguard'
option private_key '**'
list addresses '**'
list dns '**'
list dns '**'
option auto '0'
option listen_port '51821'
config wireguard_WG_TEST_2
option description '**.conf'
option public_key '**'
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '21'
option endpoint_host '**'
option endpoint_port '51820'
GL-MT6000 firewall config:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone 'guest'
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config zone
option name 'wireguard'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WG_TEST_1'
list network 'WG_TEST_2'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wireguard'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config forwarding
option src 'guest'
option dest 'wireguard'
config zone
option name 'psx'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'psx'
config forwarding
option src 'psx'
option dest 'wan'
config forwarding
option src 'psx'
option dest 'wireguard'
config zone
option name 'modem'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'modem'
config forwarding
option src 'lan'
option dest 'modem'
config forwarding
option src 'modem'
option dest 'lan'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
DIR860L network config:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd43:9954:1a7b::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
config device
option name 'lan1'
option macaddr '**'
config device
option name 'lan2'
option macaddr '**'
config device
option name 'lan3'
option macaddr '**'
config device
option name 'lan4'
option macaddr '**'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option delegate '0'
option gateway '192.168.1.1'
list dns '192.168.1.1'
config device
option name 'wan'
option macaddr '**'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan2'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '15'
list ports 'lan3'
list ports 'lan4'
list ports 'wan:t'
config interface 'guest'
option proto 'static'
option device 'br-lan.3'
option ipaddr '192.168.55.2'
option netmask '255.255.255.0'
option delegate '0'
config interface 'psx'
option proto 'static'
option device 'br-lan.15'
option ipaddr '192.168.100.2'
option netmask '255.255.255.0'
option delegate '0'
DIR860L firewall config:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config zone
option name 'psx'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'psx'
Because you only have 2 APs a simple solution would be to just turn on isolation on the APs' wireless and create a vlan/network for each AP.
Putting each AP on its own VLAN will solve the isolation problem, but will add complications when it comes to roaming. The SSIDs should therefore be different between the two APs, and that means that roaming won't be an option.
Right. Well I could live with two different SSIDs for guests (1x for GL-MT6000 and 1x for the DIR860L) but this still doesn't solve the isolation issue, at least with my current DSA vlan setup situation.
In a perfect world my GL-MT6000 would manage everything and the DIR860L would just act as a smart switch + Wifi AP but without the proper custom firewall/nft rules guest client isolation across two OpenWrt devices seems to be impossible.
With 19.07.10 and ebtables it was possible, but I can remember that I've created a separate vlan for my one ethernet guest client on my DIR860L and added it to br-guest. Anyway, with 19.07.10 my guest isolation setup was working fine...
My old 19.07.10 config: GL-MT6000 DSA config
Shouldn't that be dest 'wan'?
Further down you block the guest from your lan.
Yes, that would be wrong, where did you spot that one? I don't see it in my firewall config.
Hello. Stick with this. My scenario is quite similar to yours.
ubiquiti x router as main router v/22.03 (mwan3, zerotier, firewall, 4 vlans - office, home, iot, guests), 2 dumb ap (archer c5 v/19.07 and archer c6 v/23.05) and everything is almost fine. My office can browse the whole LAN and the others, isolated, can only access the wan, when allowed.
I'm still refining the deployment regarding media streaming, upnp is disabled in the meanwhile, ip cam access, smart tv app control which are confined still to each vlan. I'm still learning about nftables and rules but I had a heading with this forum's help.
rgds
Hi, you mean stick to the Dumb AP guest wifi guide or the bridge table part?
Greetings to you!
Stick with trendy's whole suggestion.
Rgds
I want to isolate my wireless clients in my Guest and IoT VLAN but also need some communication between dedicated clients in my IoT wifi (e.g. WLed clients). Therefore, I deactivated the isolation on the wireless interface and use nftables for it. It helps to assign your own names to the interfaces to have the same rulesets on different AP from different vendors.
First I tried to achieve it with IPs, but this didn't work with devices on the same AP. I learned that clients on the same interface could only be blocked/allowed by MAC and not by IP. My nft files look like this:
add table bridge Guest_isolation
flush table bridge Guest_isolation
table bridge Guest_isolation {
	chain forward {
		type filter hook forward priority 0; policy accept;
		ct state established,related accept
		# MAC of my router
		oif "GuestWifi" ether saddr 11:22:33:44:55:66 accept
		# MAC of a special device
		oif "GuestWifi" ether saddr 66:55:44:33:22:11 accept
		oif "GuestWifi" drop
	}
}
Hi @wschomburg,
Is the bridge table working for you as posted?
I'm currently trying to achieve the same (my guest/IoT devices are on VLAN 3; also on a DSA based configuration) with the difference that clients on that VLAN are partly tethered and partly connected wirelessly - but didn't succeed with nft so far.
Even without an exception for my router's MAC address clients can see and access each other within that VLAN.
My table looks as follows (currently added on the fly via ssh without any persistence yet):
table bridge guest_isolation {
	chain forward {
		type filter hook forward priority 0; policy accept;
		oif "br-lan.3" drop
		oif "br-lan" vlan id 3 drop # added, as 'br-lan.3' didn't work
	}
}
What names are you referring to? The config interface 'name' within the network configuration file (/etc/config/network)?
Would you mind to share more details about your configuration so that I can find where my mistake lies?
Thanks a million in advance!
Cheers,
Mat
Hi @madmat17,
Thanks for asking, my setup was gone after the last upgrade and I had to configure it again. Without your question, I wouldn't have noticed it.
I only configured it for my Wifi interfaces and there I have set the option "ifname" in the wireless config file:
...
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'guest'
	option ifname 'GuestWifi'
...
With that, the mentioned configuration will block all connections Wifi->Wifi, Wifi->Wired and Wired->Wifi, but not Wired->Wired.
Best regards,
Wilm
I was able to make it work with this:
table bridge filter {
	chain guest_isolation {
		type filter hook forward priority filter; policy accept;
		ibrname "br-lan" vlan id 99 counter drop
	}
}
The ibrname "br-lan" isn't strictly necessary on my setup since I don't have the same VLAN ID across multiple bridges.
Maybe someone knows if there is a better way to do it, but I just created a new file /etc/nftables-bridge.nft with the rule, and then added this line nft -f /etc/nftables-bridge.nft to the /etc/rc.local file, so the rule is applied after a restart. It seems to survive a firewall restart, but I'm not sure if there are scenarios where it could be flushed.
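The two working rulesets in this thread cover different cases: the MAC-exception table posted by wschomburg keeps a few devices (the router, a special client) reachable, and the ibrname "br-lan" vlan id rule above drops every forwarded frame in the guest VLAN on a router where the gateway is the bridge itself (traffic to the router goes through the input hook, not forward, so it is unaffected). On a dumb AP such as the DIR860L the gateway sits behind the trunk port, so frames to and from that port have to be excepted, which is exactly what the OP's old ebtables rules did. The following generator, an added example and not code from any post, renders one bridge-family ruleset that handles all of these: it takes the guest VLAN id, an optional uplink port name, and an optional allowlist of MAC addresses. The VLAN id, the port name "wan" and every MAC address below are assumptions for illustration; the file name follows the post above (outside /etc/nftables.d, loaded with nft -f from /etc/rc.local).

```shell
#!/bin/sh
# valid_mac <mac> : succeed only for a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# render_ruleset <vlan> <uplink-port|""> [allowed-mac ...]
# Prints a complete nftables bridge-family ruleset that isolates guest clients
# on bridge VLAN <vlan> of br-lan:
#   - frames entering or leaving through <uplink-port> are accepted (dumb AP case,
#     where the gateway is reached over the trunk port); pass "" on the router
#     whose own interface is the gateway, so that nothing forwarded is excepted;
#   - frames from or to a MAC in the allowlist are accepted (wschomburg's case);
#   - everything else forwarded inside that VLAN is counted and dropped.
render_ruleset() {
    vlan=$1; uplink=$2; shift 2
    for m in "$@"; do
        valid_mac "$m" || { echo "render_ruleset: bad MAC '$m'" >&2; return 1; }
    done
    printf 'add table bridge guest_isolation\n'
    printf 'flush table bridge guest_isolation\n'
    printf 'table bridge guest_isolation {\n'
    if [ $# -gt 0 ]; then
        printf '\tset allowed_macs {\n\t\ttype ether_addr\n\t\telements = { '
        sep=""
        for m in "$@"; do printf '%s%s' "$sep" "$m"; sep=", "; done
        printf ' }\n\t}\n'
    fi
    printf '\tchain forward {\n'
    printf '\t\ttype filter hook forward priority filter; policy accept;\n'
    # Only frames being forwarded within the guest VLAN of br-lan are inspected.
    printf '\t\tibrname "br-lan" vlan id %s jump guest_vlan\n' "$vlan"
    printf '\t}\n'
    printf '\tchain guest_vlan {\n'
    if [ -n "$uplink" ]; then
        printf '\t\tiifname "%s" accept comment "from gateway via uplink"\n' "$uplink"
        printf '\t\toifname "%s" accept comment "to gateway via uplink"\n' "$uplink"
    fi
    if [ $# -gt 0 ]; then
        printf '\t\tether saddr @allowed_macs accept\n'
        printf '\t\tether daddr @allowed_macs accept\n'
    fi
    printf '\t\tcounter drop comment "Guest Isolation"\n'
    printf '\t}\n}\n'
}

# write_ruleset <path> <vlan> <uplink-port|""> [allowed-mac ...]
# Renders the ruleset into <path>; nothing is written if rendering fails.
write_ruleset() {
    path=$1; shift
    text=$(render_ruleset "$@") || return 1
    printf '%s\n' "$text" > "$path"
}

# Example (hypothetical values): DIR860L-style dumb AP, guest VLAN 3 trunked on
# port "wan", one constructed device allowed to keep talking to other guests.
# Load it with:  nft -f /etc/nftables-bridge.nft   (also from /etc/rc.local)
# write_ruleset /etc/nftables-bridge.nft 3 wan aa:bb:cc:dd:ee:01
```

Broadcasts from a guest client (ARP, DHCP discover) are flooded by the bridge and the forward hook runs once per egress port, so the copy towards the uplink passes while the copies towards other guest ports are dropped; the counter on the final drop rule is what you watch to confirm the table is in the path. Wired-to-wired traffic on the same switch chip that never reaches the CPU cannot be filtered this way on either device.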
cd /etc/nftables.d; cat README
All *.nft files in this directory are included by the firewall4 ruleset
within the inet/fw4 table context
The firewall refuses to restart if I add the file to that folder because the rule requires its own top-level table. Took some head scratching to figure out.