Firewall bypassed by device?

I have a device on the network that doesn't appear to be going through iptables from what I can tell when logging, and I 100% don't understand how this is happening.

The device itself is connected over a wireless AP, which is plugged into the network. The AP, as expected, just passes the traffic like a switch. I want this one device to not be able to communicate with other devices on the network (without setting up a VLAN in this case). The issue I'm having is that this device CAN communicate with certain devices even though I've explicitly put in rules to keep it from being allowed to.

I have a firewall chain called "mac_check_pre_forward", where I basically only allow specific MAC addresses on the network to talk to certain devices on the network. So for example, I have the following two lines in there (MAC address changed):

ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24      MACaa:aa:aa:aa:aa:aa
DROP       all  --  *      *       192.168.1.0/24      192.168.1.0/24     

This is inserted into FORWARD at the very beginning:

mac_check_pre_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

From this device (with the example MAC bb:bb:bb:bb:bb:bb), I run a ping to a device in the 192.168.1.0/24 subnet with ping 192.168.1.55. When I add iptables -I FORWARD -j LOG, I see logs for only the ICMP response, but no logs for the request sent from bb:bb...:

Oct 10 12:21:20 192.168.1.1 kernel: [213670.920538] IN=br-lan OUT=br-lan MAC=xx...aa:aa:aa:aa:aa:aa... SRC=192.168.1.55 DST=192.168.1.30 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11099 PROTO=ICMP TYPE=0 CODE=0 ID=55626 SEQ=113

When the ICMP is coming from my device that shouldn't be able to communicate to the rest of the network, iptables appears to be logging as if the source is actually the destination. I see zero logs related to this actual device I'm trying to block from accessing the rest of the network.

What am I missing here? Outside of setting up a VLAN, how would I get this device to only be allowed to communicate to the Internet and not local network (by means of filtering it by mac address)?

NOTE: It's not just ICMP. It can reach out to all open ports on the network, ICMP is just an example above.

LAN to LAN traffic isn’t really routed or forwarded.


I see... I guess I had thought that the packets still went through netfilter/iptables to be sent to the corresponding devices on the same network. Does this mean that a VLAN is the only solution to this? :thinking: I had a lot of trouble setting one up when trying to share DHCP/DNS settings between multiple VLANs (I don't fully understand them or how to set them up and kept getting myself locked out of the router until it reverted the settings) so that was the only reason I was avoiding it up until now. But if that's the only way, I guess I'mma have to try again and figure out how OpenWrt works with setting those up. Basically trying to setup a separation of my work device with the rest of my network and if that means setting up a VLAN for a single device, I guess I'd have no choice, huh.

iptables / nftables can filter bridge traffic but you may need additional kernel modules.
iptables requires kmod-br-netfilter, in nftables you can use a table of family bridge.

see https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge


In addition, a bridge firewall only works if the firewall device is directly in the path between the two devices of interest. If, for example, you have an external switch or an AP and there is a direct path between the two hosts that does not involve your router/firewall, you will not be able to filter/firewall those devices.


Even with an internal switch (as used on most routers), this traffic would be switched between the lan ports in hardware and not bridged - so never seen by netfilter.

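Putting the replies above together (bridge-family nftables, and the caveat that a bridge firewall only sees frames that actually cross the router's bridge), here is an added example; it is not code from this thread, from OpenWrt, or from fw3/fw4. It is a small POSIX shell script that builds a `table bridge` ruleset isolating one or more client MACs from every other host on the bridged LAN while leaving their path to the router (DHCP, DNS, default gateway) and therefore the Internet untouched. The MAC bb:bb:bb:bb:bb:bb is the placeholder from the question; the table name `isolate`, the set name `isolated` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt.
# Builds an nftables ruleset of family "bridge" that isolates the given MAC
# addresses from the rest of a bridged LAN. Table/set names are assumptions.

# valid_mac MAC: exit 0 for a colon-separated 48-bit MAC address, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# build_nft_ruleset MAC [MAC...]: print an nft script on stdout.
#
# Only frames that the bridge forwards from one port to another pass the
# bridge "forward" hook. Frames addressed to the router's own MAC (the default
# gateway, DHCP, DNS) are delivered locally via the "input" hook and are not
# matched here, so the isolated host keeps its Internet access. Everything it
# would be bridged to another LAN port, including ARP replies and broadcasts,
# is dropped, in both directions so that other hosts cannot reach it either.
build_nft_ruleset() {
    elems=""
    for mac in "$@"; do
        valid_mac "$mac" || { echo "build_nft_ruleset: bad MAC '$mac'" >&2; return 1; }
        elems="${elems:+$elems, }$mac"
    done
    [ -n "$elems" ] || { echo "build_nft_ruleset: no MAC given" >&2; return 1; }
    cat <<EOF
table bridge isolate {
    set isolated {
        type ether_addr
        elements = { $elems }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ether saddr @isolated counter drop
        ether daddr @isolated counter drop
    }
}
EOF
}

# apply_nft_ruleset MAC...: replace any previous copy of the table and load the
# ruleset. Needs root and the nft binary on the router (OpenWrt 22.03+ ships
# nftables; on iptables-based builds this needs the bridge nft support instead).
apply_nft_ruleset() {
    nft delete table bridge isolate 2>/dev/null || true
    build_nft_ruleset "$@" | nft -f -
}

# show_isolation_counters: the rule counters are the check for the caveat in the
# thread. If the isolated host can still reach LAN peers while these counters
# stay at zero, its frames never crossed this bridge (an external switch, an AP
# with client-to-client bridging, or hardware-switched router ports carried
# them), and no rule on the router can filter them.
show_isolation_counters() {
    nft list chain bridge isolate forward
}

# Usage (on the router, as root):
#   . ./isolate.sh; apply_nft_ruleset bb:bb:bb:bb:bb:bb; show_isolation_counters
```

If the router still runs iptables, the legacy equivalent needs kmod-br-netfilter loaded and `net.bridge.bridge-nf-call-iptables=1`, after which bridged traffic shows up in FORWARD with `IN=br-lan OUT=br-lan` and can be dropped with `iptables -I FORWARD -i br-lan -o br-lan -m mac --mac-source bb:bb:bb:bb:bb:bb -j DROP`. The iptables `mac` match only knows the source address, so blocking the reverse direction there means matching on the destination IP instead, which is why the bridge-family nft table above is the cleaner fit.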

Thanks all for the responses and the details. @slh - that hadn't even crossed my mind and makes a lot more sense to me now. @psherman there is actually an external switch, which was another thing I hadn't thought about.

So overall, sounds like I'm going to need to find another solution to this, whether it's moving some devices physically around or working on the VLAN solution. Either way, thank you all for the insight - it all makes clearer sense to what would be going on at this point :slight_smile: Much appreciated!!

Just wanted to report back (I know, double post, boooo) - This worked. I plugged my router that was in AP mode into one of my ports, installed this kernel module, and was able to get my rules all working so that I could isolate devices away without needing a VLAN configuration. Marking this as the solution since this is what got it for me! :pray:
