Firewalling with two bridges on same NIC or sharing subnet between LAN and WiFi w/o bridge

Hi all :slight_smile:

Currently I have a misunderstanding about bridges I guess.

This is my network conf:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb4:2f4e:ddd2::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.13.37.254'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 4 5'

config interface 'iot'
	option proto 'static'
	option ipaddr '10.13.38.254'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'bridge-iot'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 2 3'
	option vid '1338'
	option description 'iot'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '10'
	option description 'WAN'
	option ports '0t 1'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth0.10'

config device
	option type 'bridge'
	option name 'bridge-iot'
	list ports 'eth0.1338'
	option txqueuelen '1000'
	option mtu6 '1500'

My goal is to have two subnets, one for LAN and one for IoT, and to block traffic between them.

My first try was to have an interface 10.13.38.254/24 on eth0.1338 with DHCP enabled, which works. But I wasn't able to add a WiFi where clients also get IPs from that DHCP.

So I removed the interface and added it again but on a bridge between eth0.1338 and the WiFi. (This is the config above).

DHCP on both - LAN and WiFi - now works, but I'm not able to block traffic between this bridge-iot and the default LAN bridge (10.13.37.0/254). I assume that the bridging stuff happens before iptables, but I'm not sure (especially if both bridges are on the same NIC?).

Any ideas how to achieve a solution?

Best regards,
Hauke

You should create a separate firewall zone for the iot devices. Use the guest network firewall as an example.


Yeah, I debugged and configured a lot and turns out that just my firewall policies were too open.

I already had the IoT stuff in a dedicated zone, but all my default policies were "ACCEPT". I wasn't aware that OpenWrt by default allows everything instead of rejecting :grimacing:

But now I left my LAN zone open, restricted the IoT zone and only allow some stuff :slight_smile:
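Because br-lan and bridge-iot are two separate bridges (separate VLANs on the same NIC), traffic between 10.13.37.0/24 and 10.13.38.0/24 is routed, not bridged, so it passes through the firewall's forward chain and the zone policy decides. The /etc/config/firewall fragment below is an added example following the guest-network pattern the reply refers to, not the poster's actual config; it assumes the existing default zones are named 'lan' and 'wan' (the 'wan' zone covering the poster's 'WAN' interface).

```text
# /etc/config/firewall - added example, not the poster's file.
# Safe catch-all for traffic that matches no zone: nothing routed by default.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Zone for the 'iot' interface (bridge-iot = eth0.1338 + WiFi).
# input REJECT: IoT devices cannot reach router services unless a rule allows it.
# forward REJECT: no traffic to other zones unless a 'forwarding' section allows it.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# IoT devices may reach the Internet. Assumption: the zone holding
# the 'WAN' interface is named 'wan', as in the default config.
config forwarding
	option src 'iot'
	option dest 'wan'

# LAN may initiate connections into IoT (e.g. to manage devices).
# There is deliberately NO 'iot' -> 'lan' forwarding, so IoT cannot
# reach the LAN; replies to LAN-initiated connections are still allowed
# by connection tracking.
config forwarding
	option src 'lan'
	option dest 'iot'

# Only the router services the IoT clients need: DHCP and DNS.
config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After applying with /etc/init.d/firewall restart, a quick check from an IoT client is that it still gets a lease and resolves names, but a ping to 10.13.37.254 or any 10.13.37.x host is rejected.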
