Isolate Wired LAN from Wireless LAN clients

I have 2 separate interfaces and firewall zones for my wired (192.168.1.1) and wireless (10.20.30.40) LAN clients. I used to think putting a forward rule to REJECT/DROP on these zones would block traffic between them, but in 2022 (before OpenWRT switched to nftables) someone suggested that I should add a rule like this:

iptables -I FORWARD -s 10.20.30.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j DROP

Now that we are on nftables, should I make a similar rule? If so, can someone type it for me please?

  • Do the 2 firewall zones allow forwarding already?
  • Is there a reason you don't wish to reduce the rule to UCI/LuCI (i.e., OpenWrt syntax)?

In OpenWrt, 2 new zones would not forward by default, so it's unclear why you need the rule anyway - as no rule is generally necessary.

Would you mind sharing the network and firewall configs?

Edit:

And wireless config (omitting keys), please.


Do the 2 firewall zones allow forwarding already?

Where did I say I was allowing forwarding?

I was asking if this config below was enough to block traffic between LAN and WiFi because someone else told me it wasn't and told me to add an extra custom rule here: Are there extra measures to isolate Wired LAN clients from WLAN clients? - #5 by Pablomagno


You said you have a forward reject/drop rule you created (per another thread). So I merely assumed that, and inquired whether you allowed traffic, since you proceeded to block it with a custom rule.

My apologies if I misunderstood.

Cool, I understand.

Those default rules are good. You don't allow forwarding between zones by default.

You can test by trying to ping a device in the other subnet. It should either fail silently (DROP) or show a denied/unreachable message (REJECT).
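For readers arriving at this thread later, here is an added example (not the poster's config, and not taken from the OpenWrt project) of what the zone layout discussed above looks like in UCI syntax on an fw4/nftables OpenWrt. The zone names (lan, wifi, wan), the network names and the 10.20.30.0/24 wireless subnet are assumptions; substitute your own. The point it illustrates is the one made above: isolation between the two client zones comes from the absence of a forwarding section between them, and the explicit drop rule at the end is optional.

```uci
# /etc/config/firewall  (added example; zone, network and subnet names are assumed)

config defaults
	option input REJECT
	option output ACCEPT
	option forward REJECT    # nothing crosses zones unless a 'forwarding' section allows it

config zone
	option name lan
	list network 'lan'       # wired interface, 192.168.1.0/24
	option input ACCEPT
	option output ACCEPT
	option forward REJECT    # governs traffic between networks inside this zone only

config zone
	option name wifi
	list network 'wifi'      # wireless interface, 10.20.30.0/24 (assumed)
	option input ACCEPT
	option output ACCEPT
	option forward REJECT

config zone
	option name wan
	list network 'wan'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

# The only inter-zone forwardings: each client zone may reach the Internet.
# There is deliberately NO forwarding wifi->lan or lan->wifi; that absence
# is what keeps the two subnets apart. fw4 compiles this file into the
# 'inet fw4' nftables table on every firewall reload.
config forwarding
	option src lan
	option dest wan

config forwarding
	option src wifi
	option dest wan

# Optional: the UCI equivalent of the old
#   iptables -I FORWARD -s 10.20.30.0/24 -d 192.168.1.0/24 -j DROP
# It is redundant given the zone layout above, but it states the intent
# explicitly and fw4 regenerates it as an nftables rule, so no hand-written
# nft command is needed.
config rule
	option name 'Drop-wifi-to-lan'
	option src wifi
	option dest lan
	option proto all
	option target DROP
```

After `/etc/init.d/firewall restart`, verify from a wireless client by pinging a wired host (it should time out with the DROP rule, or report unreachable with REJECT) and, on the router, inspect the generated ruleset with `nft list ruleset` to confirm no accept path exists between the two zones.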
