Forwarding rejection in vlan WSR-2533DHP2

I'm trying to set up a forwarding rejection for specific VLANs in the LuCI firewall zone settings, but it is not working. Here is the basic info about my system:

Model            Buffalo WSR-2533DHP2
Architecture     ARMv8 Processor rev 4
Target Platform  mediatek/mt7622
Firmware Version OpenWrt SNAPSHOT r18437-92820cc5b9 / LuCI Master git-21.357.58153-63d9bcb
Kernel Version   5.10.88

Here is the summary of my problem in a single image, along with the relevant settings in the second image. I modified these after a clean install, so everything else should be default.


Do these settings look correct to you? Should I wrap each VLAN device inside a bridge device?
Also, other functionalities, like DHCP servers, seem to behave kind of inconsistently (they stop working after changing the MAC address of the VLAN devices). Is this because the firmware is not stable?
If so, this snapshot is the only version that seems to be available for this device. Should I try more stable firmwares for similar devices?

I can post the /etc/config files here if you want to take a look at specific setting files, so please do request them in the reply :)

You are pinging between two devices on the same network, so the result you are seeing is expected. What is happening here is that the ports are switched (L2), so the traffic does not pass through the routing/firewall engine of OpenWrt (which operates at L3). L3 connections happen between two different networks, not between devices on the same subnet. You cannot use the standard firewall to block connections on the same subnet.

Furthermore, forward does not do what you are expecting. Forward allows/blocks the inter-network routing (L3) between networks that are assigned to the same zone. This is really useful if you have several networks that have largely the same requirements with respect to the firewall configuration, but where you wish to isolate the networks from each other -- simply set forward to reject or drop. That forward option does not impact inter-zone forwarding (those are explicitly set with the "forward to" and "forward from" zone settings) nor can it affect the switching between clients in the same network.

You might be able to use bridge firewall to achieve your goals, but I've never used this method and I cannot say if this will work for your specific situation (you need to be able to separate the ports from the switch and send everything through the CPU in order for this to work). The preferred method to isolate your two systems is to put them on different VLANs.
