Isolating two hosts by MAC

Hi all,

I would like to isolate two hosts in my lan connect through my openwrt router.

Is there a way to isolate them on layer 2, so all the packages (uni and multicast) will be transmitted between these two hosts only?

I tried a rule on ebtables but it crashed my whole network.

you can share the inserted ebtables rule

Something like this

# Create a new chain for isolated devices
ebtables -N ISOLATED

# Add devices by their MAC addresses to the isolated chain
ebtables -A ISOLATED -s ab:05:94:d5:6a:bf -d 07:74:ef:4c:81:9d -j ACCEPT
ebtables -A ISOLATED -s 07:74:ef:4c:81:9d -d ab:05:94:d5:6a:bf -j ACCEPT

# Drop all other packets
ebtables -A ISOLATED -j DROP

# Apply the isolated chain to the FORWARD chain

The point here is to use the infrastructure to connect this two hosts as if they are directly connected without any interference from the other hosts or the router.

you could put these two hosts in separate VLAN compared to your main LAN, if your router supports DSA it will be very easy if it has not yet been ported to DSA you can do it with the old swconfig system

Thanks for the reply.

The thing is I try to isolate them in the same router interface, and I need to process all the packages on layer 2, they won't have an ip assigned.
Is there a way to move them to a VLAN just based on their MAC address?
Ideally, they won't be even able to communicate with the router ( which will be acting more as switch).

My openwrt is running on x86.

how these two hosts are connected to the x86 router:

ethernet cable (they pass through a managed switch)

or other

They are both connect by a unmanaged switch then to the lan port (with the rest of the lan) of the openwrt router.

Is it possible to replace the switch with a managed switch?

or since I quote what you said:

host A <--> host B

but they don't have to have access to anything else why not try:

1 Like

VLAN is the de facto choice for layer 2 isolation.

Without a managed switch, you'll likely need some other method to tag their packets, or block access through complex firewall rules(If they won't spoof their MAC).

OpenWrt uses nftables by default, it's recommended to insert your firewall rules into firewall4, see wiki for details.


With an unmanaged switch between the two devices in question, there is absolutely no way to isolate them from each other. The router does not ever see the traffic as it is switched directly on the unmanaged switch, so they will always be able to connect to each other (unless they have host-level firewalls to prevent such connections).

Managed switches in the business market often have port isolation features. Consumer grade/entry level managed switches often do not have these features.

1 Like

Thank you all for the answers.

It's clear now to me, that the package should be tagged to openwrt filter since it's coming from a port with severals host. With that on mind, I was able to tag VLAN 20 to both hosts from their entrypoint ( one is proxmox network adapter and other is a wifi).

Taking in consideration both hosts will send packages tagged as VLAN 20, what steps are necessary to make sure openwrt will make the connection on VLAN 20 possible?

You're almost certainly going to need a managed switch.

Can you provide a sketch of your network topology?

1 Like

Here it's.
My goal is to have a connection between the interface in SERVER 3 and HOST 1 totally apart of all the rest.

Then you need a managed, rather than unmanaged, switch