Hi all, openWRT and networking newbie here.
I am using a EA7500v2 with the latest openWRT. I want to isolate physical ports from each other. They should not be able to ping or access any device from any other port, but they should be able to access the internet.
Similar firewall rules apply to other ports. I know I am missing config to allow access to WAN, but ignore that for now.
I connected my PC to one port, and a spare router on another port. They are still able to ping each other.
I have seen other guides, in particular on Guest wifi, but I want isolation through wired LAN ports. Thanks in advance for any help.
Creating a vlan and then creating different subnets for them like @shdf suggested will work fine. However, I've been recently thinking about doing this in a much cleaner way. Like how the hosting providers do. The trick is, you isolate each interface with bridge(8).
Like: bridge link set dev "interface" isolated on.
Then, you put ARP proxy entries using ip-neighbour(8) to respond to ARP requests for devices to be able to communicate with each other on different switch ports.
Like: ip neigh add proxy "IP"
If you don't want the isolated ports to talk to each other at all (not even by routing the packets), you can discard this section completely.
However, one slight issue is that most of the DSA subdrivers for switches have the bridge offloading feature implemented. This feature offloads forwarding frames between switch ports to the switch hardware, so they don't go to the CPU and exhaust the link to it. When you isolate a port with the command above, it's a big posibility that it won't work, simply because the DSA subdriver did not implement isolation with the bridge offloading feature present. So this heavily relies on your switch model and trial and error.
With this way you get these benefits:
No bunch of different subnets, all devices connected to the ports would reside on the same subnet (192.168.1.0/24, etc.).
Therefore, no need to setup DHCP, etc.
You can remove a port from the bridge, but if you do that, the port no longer has a connection to the network...
Setting up VLANs and then isolating them using firewall zones is the correct way to achieve this goal. Each port will be connected to its own network (and not part of the same bridge, unless the device is DSA, in which case the bridge is treated slightly differently).
is there a GUI way to do this?
I'm also unsure whether the EA7500v2 has a switch mode. I saw on a youtube guide that you can select Network > Switch. I do not have that option. I also dont see anything called DSA or vlan in my settings.
for the benefit of others: OpenWRT recently went through a change from v19 to v21. One of the things that changed is how switches were handled (dependant on whether your router architecture is supported - https://openwrt.org/releases/21.02/notes-21.02.0#initial_dsa_support). Just a heads up if you are confused by openWRT v19 guides that talk about switches and/or vlans
Also highlighting a very useful youtube video (and channel for other openWRT stuff) - https://www.youtube.com/watch?v=qeuZqRqH-ug
That was a big help in helping me to understand what's going on and where to find what. The official docs has been linked and marked as a solution by @psherman
