Marking packets from different wifi-iface

Hi,
I have a router with only one local network (192.168.1.0/24) and use different routes for a few categories of devices.
I use separate routing tables and packet marking (by MAC) to choose a proper route:

/etc/config/firewall:
---------------
config rule
	option name 'iot'
	option src 'lan'
	option src_mac '11-22-33-44-55-66'
	option dest '*'
	list proto 'all'
	option target 'MARK'
	option set_mark '42'
/etc/config/network:
---------------
config route 'iot_traffic'
	option target '0.0.0.0/0'
	option interface 'wg_iot'
	option table '42'
	option metric 10

config rule
	option mark   '42'
	option lookup '42'

But it's not convenient to separate devices by MAC. I'd like to create a few wifi-iface sections to separate devices. But I have no idea how to mark packets from a specific wifi-iface (considering they are connected to the same interface).
I know that I can use different interfaces for each wifi-iface, but I want all devices to be in the same network and the devices to use the same IP (it doesn't matter which wlan they are connected to).
So, is it possible to mark packets by wifi-iface? If not, is there another way to separate traffic on the same network interface, or perhaps a better solution?

Why not just use vlans?

This will only work if you are using firewall4.

The default inet fw4 table cannot be used, because all wireless interfaces are members of the lan bridge.

Install the kmod-nft-bridge package and create a custom table of bridge family, e.g.

nft add table bridge mangle
nft add chain bridge mangle prerouting_mangle '{type filter hook prerouting priority -150; }'
nft add rule bridge mangle prerouting_mangle iifname "wlan1" counter meta mark set 0x1
nft add rule bridge mangle prerouting_mangle iifname "wlan1-1" counter meta mark set 0x2

Check the rules for hits by running nft list ruleset bridge

root@Home:~# nft list ruleset bridge
table bridge mangle {
        chain prerouting_mangle {
                type filter hook prerouting priority -150; policy accept;
                iifname "wlan1" counter packets 368 bytes 45187 meta mark set 0x00000001
                iifname "wlan1-1" counter packets 195 bytes 29695 meta mark set 0x00000002
        }
}

For automatic creation of the custom table see the link below, but there may be a better solution that I am not aware of...

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#config_include_section_with_shell_script

I would also set specific names for the wireless interfaces by adding option ifname '...' to each wifi-iface section in /etc/config/wireless.

1 Like

An nft style include (implicit or explicit) with position ruleset-pre or ruleset-post should do the trick.

See also Help me update my HFSC shaper scripts for fw4/nftables - #116 by jow

# /usr/share/nftables.d/ruleset-post/01-my-bridge-table.nft

table bridge mangle
flush table bridge mangle
table bridge mangle {
        chain prerouting_mangle {
                type filter hook prerouting priority -150; policy accept;
                iifname "wlan1" meta mark set 0x1
                iifname "wlan1-1" meta mark set 0x2
        }
}
2 Likes
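As an added example (not code from the thread or from OpenWrt), the POSIX sh script below builds the include-file text from "ifname mark" pairs in the shape of the two answers above, and parses the output of `nft list ruleset bridge` so the hit check can be scripted. The helper names gen_bridge_mangle and hits_for are hypothetical; the marks 0x2a/0x2b are constructed, 0x2a being 42 so it matches the OP's `option mark '42'` ip rule.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical helpers:
#   gen_bridge_mangle "IFNAME MARK"...  prints a ruleset-post style include
#   hits_for IFNAME  < ruleset-text     prints packet hits for that iifname rule
# Marks chosen here: 0x2a (42) matches the OP's "option mark '42'" ip rule.

gen_bridge_mangle() {
    printf 'table bridge mangle\nflush table bridge mangle\n'
    printf 'table bridge mangle {\n\tchain prerouting_mangle {\n'
    printf '\t\ttype filter hook prerouting priority -150; policy accept;\n'
    for pair in "$@"; do
        ifname=${pair%% *}   # word before the space
        mark=${pair##* }     # word after the space
        # "counter" is kept so the hits can be verified afterwards
        printf '\t\tiifname "%s" counter meta mark set %s\n' "$ifname" "$mark"
    done
    printf '\t}\n}\n'
}

# Reads "nft list ruleset bridge" output on stdin; prints the packet count of
# the rule matching iifname "$1", or 0 if the rule is absent or has no counter.
hits_for() {
    awk -v want="$1" '
        $1 == "iifname" {
            q = $2; gsub(/"/, "", q)
            if (q == want)
                for (i = 1; i <= NF; i++)
                    if ($i == "packets") { print $(i + 1); found = 1 }
        }
        END { if (!found) print 0 }'
}

# Constructed sample of "nft list ruleset bridge" output (not captured here)
SAMPLE_RULESET='table bridge mangle {
        chain prerouting_mangle {
                type filter hook prerouting priority -150; policy accept;
                iifname "wlan1" counter packets 368 bytes 45187 meta mark set 0x0000002a
                iifname "wlan1-1" counter packets 195 bytes 29695 meta mark set 0x0000002b
        }
}'

# Print the include text; on a router redirect it to
# /usr/share/nftables.d/ruleset-post/01-my-bridge-table.nft and run: fw4 reload
gen_bridge_mangle "wlan1 0x2a" "wlan1-1 0x2b"
printf 'wlan1 hits: %s\n' "$(printf '%s\n' "$SAMPLE_RULESET" | hits_for wlan1)"
```

A zero from hits_for after traffic has flowed means the wifi-iface ifname in the rule does not match the real interface name, which is why setting `option ifname` per wifi-iface as suggested above is worthwhile.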

Could you please clarify what exactly you mean? Some hints on how a vlan could help? I know that vlans are usually used to isolate networks (but if I get it right, it's not even necessary for wifi). But in my case I do want to use a single network.

You’re right. They are usually used to separate and isolate networks. But they do tag packets with the vlan ID and you could configure a route and your firewall so that the subnets of each network can see each other simulating one network. Essentially using it just to tag the packets for certain devices connected to a particular interface.

I guess it ultimately depends on your use case. Are you just marking packets so you can monitor their network flow? What @pavelgl and @jow mentioned is a more suitable method to mark packets, I just mentioned vlans cause I find that setting them up is very easy to do within luci. Maybe my idea is bogus and shouldn’t be done at all :sweat_smile:

Thinking about it more, you could even use the same subnet, just split up the DHCP range on each interface and use static IPs for the interfaces out of the DHCP range. Then you wouldn't have to create a route. You'd just have to forward each network to the other's destination zone in the firewall.

I still don't understand... The main idea is to use a single network (to achieve a stable IP for the same MAC between different SSIDs, broadcast, etc.).
Did I get it right that you suggest "emulating" one /24 by using two /25 networks? If so, none of the tasks will be achieved.
Or is it somehow possible to use the same interface for vlans and not lose information about the initial vlan? If so, could you please give me a simple example?

If you’re wanting to use just one interface, then vlans wouldn’t be the route to go. It would require two network interfaces so you can keep the traffic to those interfaces tagged with the vlan ID accordingly.

Thank you, it works just as expected!

1 Like
