kmod-br-netfilter does not operate on 22.03 as it does on 21.02

Running 21.02:
I built a guest network based on multiple VLANs (one per physical port and per WiFi interface), all bridged together (because the physical guest network is spread over the router and 2 dumb APs).
The guest forward is set to reject.
I installed kmod-br-netfilter and set "net.bridge.bridge-nf-call-iptables = 1" (in sysctl.conf).

The behaviour is as follows:
Internet access is OK for all clients
All connected clients share the same DHCP server.
None of the clients are able to communicate with any other (full client separation)

Running 22.03:
I built the same guest setup (21.02 and 22.03 both use DSA), with kmod-br-netfilter installed and set the same way

The behaviour is as follows:
Internet access is OK for all clients
All connected clients share the same DHCP server.
Clients are still able to communicate with each other (reject forward for the guest zone is not working)

I understand that 21.02 uses fw3 and 22.03 uses fw4, but I didn't find what is missing to make it work with fw4.

In addition, nothing is displayed (in 22.03) when running "/etc/init.d/firewall restart", therefore it is not that easy to see if something goes wrong in the firewall settings.

Any guidance is welcome.

I have to add some more details to mitigate the above message.
Running 21.02 and 22.03 with "net.bridge.bridge-nf-call-iptables = 1" gives:

  • guests are not pingable from each other
  • No access to a guest web server by another guest

Therefore isolation between guests seems to be OK.

However, using a net analyzer app from my phone delivers different info depending on the OpenWrt version:
on 21.02: only the guest scanning device and the gateway are reported (name, IP, MAC)
on 22.03: every guest (guest name, guest IP and guest MAC) is reported as well as the gateway

I'm not enough of an expert in networking to understand how those data can be accessible and the risk level it generates while the other guests are not pingable.

Because 22.03 is using fw4, I have removed kmod-br-netfilter and used kmod-nft-bridge (but no change).

The bridge control reject works as follows:
22.03 + kmod-nft-bridge: ping to other bridge clients is rejected, ARP requests show all other bridge clients

21.02 + kmod-br-netfilter: ping to other bridge clients is rejected, ARP requests show only the scanning client and gateway

Can you tell me what and how to set the appropriate rules so as to have with 22.03 the same behaviour as with 21.02?

Look at this solution.
