Firewall rule to block connection between 2 IPs in intranet

Kingclee · June 16, 2025, 4:00pm

I have 3 physical ports connected together via a bridge to create a single physical network. I fail to block traffic between two IPs using the following firewall rules:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config rule
	option name 'Block 102 to 108'
	option src 'lan'
	option dest 'lan'
	list proto 'all'
	list src_ip '192.168.1.102'
	list dest_ip '192.168.1.108'
	option target 'REJECT'

Any help would be much appreciated.

eduperez · June 16, 2025, 6:01pm

That traffic flows through the bridge (and probably, the switch embedded in the device), and does not reach the firewall; blocking that traffic is not trivial. Can you block the traffic on the 192.168.1.108 device? Can you use separate networks? Otherwise, you will have to use "ebtables".

system · June 26, 2025, 6:01pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.