Hello,
The rules below have been tested and work perfectly with bridges (br1, br2, br3, ...), but in OpenWrt this cannot happen. I offer three options. Would any of them work on OpenWrt?
First option - iptables with devices
Restrict eth0.2 from accessing eth0.3 and vice versa:
iptables -I FORWARD -i eth0.2 -o eth0.3 -m state --state NEW -j DROP
iptables -I FORWARD -i eth0.3 -o eth0.2 -m state --state NEW -j DROP
Restrict eth0.2 and eth0.3 from accessing the management interface of the router:
iptables -I INPUT -i eth0.2 -m state --state NEW -j DROP
iptables -I INPUT -i eth0.2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i eth0.2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0.2 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0.3 -m state --state NEW -j DROP
iptables -I INPUT -i eth0.3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i eth0.3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0.3 -p tcp --dport 53 -j ACCEPT
Devices:
eth0.1 - lan interface (admin) - IP: 192.168.1.1 (DHCP) with a static lease at a specific MAC address.
eth0.2 - Staff interface - IP: 10.0.5.1 (DHCP) with a static lease at a specific MAC address.
eth0.3 - HR interface - IP: 10.0.4.1 (DHCP) with a static lease at a specific MAC address.
eth1 - wan and wan6 interfaces
eth0 - processor
WiFi - bridge with eth0.1
Interfaces:
wan/wan6
lan
Staff
HR
Second option - iptables with interfaces
Restrict Staff from accessing HR and vice versa:
iptables -I FORWARD -i Staff -o HR -m state --state NEW -j DROP
iptables -I FORWARD -i HR -o Staff -m state --state NEW -j DROP
Restrict Staff and HR from accessing the management interface of the router:
iptables -I INPUT -i Staff -m state --state NEW -j DROP
iptables -I INPUT -i Staff -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i Staff -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i Staff -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i HR -m state --state NEW -j DROP
iptables -I INPUT -i HR -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i HR -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i HR -p tcp --dport 53 -j ACCEPT
Third option - iptables with IP addresses of interfaces
Restrict 10.0.5.1 (Staff) from accessing 10.0.4.1 (HR) and vice versa:
iptables -I FORWARD -i 10.0.5.1 -o 10.0.4.1 -m state --state NEW -j DROP
iptables -I FORWARD -i 10.0.4.1 -o 10.0.5.1 -m state --state NEW -j DROP
Restrict 10.0.5.1 (Staff) and 10.0.4.1 (HR) from accessing the management interface of the router:
iptables -I INPUT -i 10.0.5.1 -m state --state NEW -j DROP
iptables -I INPUT -i 10.0.5.1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i 10.0.5.1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i 10.0.5.1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i 10.0.4.1 -m state --state NEW -j DROP
iptables -I INPUT -i 10.0.4.1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i 10.0.4.1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i 10.0.4.1 -p tcp --dport 53 -j ACCEPT
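As an added example that is not part of the original post: the OpenWrt-native way to express the second option is the zone-based firewall in /etc/config/firewall rather than raw iptables, because OpenWrt's firewall service flushes and regenerates its chains on every reload, so ad-hoc iptables rules do not survive a restart. The POSIX shell below emits the uci commands for one isolated zone; the zone names (staff, hr), the network names Staff and HR, the wan zone name and the DHCP/DNS ports are assumptions taken from the post. One caveat on the original rules: iptables -i and -o match interface names, so the third option's "-i 10.0.5.1" form is not valid syntax; matching on addresses is done with -s and -d instead.

```shell
#!/bin/sh
# Added example, not from the original post: build an OpenWrt zone that
# behaves like the poster's second option. Zone/network names assumed.

# Emit the uci commands that create one isolated zone:
#  - INPUT and FORWARD rejected, so the zone cannot reach the router's
#    management services or any other zone by default
#  - forwarding allowed to wan only (no staff<->hr forwarding entry)
#  - only DHCP (udp/67) and DNS (tcp+udp/53) accepted towards the router
isolated_zone_cmds() {
  zone=$1     # firewall zone name, e.g. staff (assumed)
  network=$2  # OpenWrt network interface name, e.g. Staff (from the post)
  cat <<EOF
uci add firewall zone
uci set firewall.@zone[-1].name='$zone'
uci add_list firewall.@zone[-1].network='$network'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='$zone'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-$zone'
uci set firewall.@rule[-1].src='$zone'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-$zone'
uci set firewall.@rule[-1].src='$zone'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
EOF
}

# On a real router (uci present) apply the commands; elsewhere print them
# so the generated configuration can be reviewed first (dry run).
apply_or_print() {
  if command -v uci >/dev/null 2>&1; then
    isolated_zone_cmds "$@" | sh -e
  else
    isolated_zone_cmds "$@"
  fi
}

# Number of explicit accept rules generated for a zone (two: DHCP and DNS).
count_rules() {
  isolated_zone_cmds "$@" | grep -c '^uci add firewall rule$'
}
```

Run it once per zone (`apply_or_print staff Staff`, `apply_or_print hr HR`), then `uci commit firewall` and `/etc/init.d/firewall restart`. Because no forwarding entry links staff and hr, traffic between them is rejected by each zone's forward policy, and input='REJECT' keeps the router's management services unreachable from those zones apart from the two explicit DHCP/DNS rules. A quick check after the restart is `fw4 print` (or `iptables-save` on fw3 images) to confirm the generated chains match the intent.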