See my link, I do not believe the luci firewall4 gui will do that for you...
That will not work. If you want to use a bridge firewall, it is entirely different than the standard firewall.
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge
That said, I'm not sure if this method will work, but if it does, it might allow you to use the same subnet.
The vendor does not feel that this is a product failure, so they do not agree to improve it.
I will try this.
I will try this. Hope it works.
I successfully made it.
/root/nftables.conf
#!/usr/sbin/nft -f
table bridge filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # Drop all UDP packets coming into the bridge
        meta l4proto udp drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Drop all UDP packets being forwarded by the bridge
        meta l4proto udp drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Drop all UDP packets going out of the bridge
        meta l4proto udp drop
    }
}
then
nft -f /root/nftables.conf
then it works.
Thanks for your help.
I made it by using nftables.
Yes, those hooks are outside reach of fw4.
But you can use fw4 as loader without rc.local.
read /usr/share/nftables.d/README, you need ruleset-pre or ruleset-post and slightly enhance your rules to reset on load as in
I think you probably don't need the filter on all 3 hooks (input, output, forward). Just filtering on the forward hook may (?) do the job.
add counters to determine?
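As an added example (not posted by anyone in this thread), this is how the same bridge rules can be loaded through fw4's include directory instead of rc.local, with the reset-on-load pattern the README asks for and a counter on each rule so you can see which hook is actually matching. Assumptions: fw4 includes *.nft files from /usr/share/nftables.d/ruleset-post/, and the file name bridge-udp.nft is mine.

```nft
# /usr/share/nftables.d/ruleset-post/bridge-udp.nft  (assumed path and name;
# fw4 pulls in *.nft files from ruleset-post/ after its own "table inet fw4")
#
# Reset on load: declaring the table first makes the delete idempotent, so the
# file can be re-applied on every "fw4 reload" without stacking duplicate rules.
table bridge filter
delete table bridge filter

table bridge filter {
    chain input {
        # Frames addressed to the router itself through the bridge (CPU port)
        type filter hook input priority 0; policy accept;
        meta l4proto udp counter drop
    }

    chain forward {
        # Frames bridged between ports, e.g. one LAN client to another
        type filter hook forward priority 0; policy accept;
        meta l4proto udp counter drop
    }
}
```

After `fw4 reload`, `nft list table bridge filter` shows the per-rule packet counters, so whichever chain's counter climbs is the hook you actually need.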
Yes, you're right.
Router can discard the incoming UDP packets, only using chain input.
It is more awkward than you think
https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering
in/out are in regard to the CPU port, while pre/post routing are in play and forward is one filtering.