Set up a LAN without direct routing of clients to each other

I need to set up a simple home network, but so that no network client (LAN, WLAN) sees the MAC addresses of its neighbors, while at the same time they can connect to each other through the router's gateway. That is isolation, but with routing of clients among themselves.

That is, information about the MAC addresses of clients should be available only to the router, and the router itself, based on it, routes local clients among themselves.

How can I do this in OpenWrt?

I am using OpenWrt 22.03.3 via SSH without LuCI.

/etc/config/network

config interface 'loopback'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'
    option device 'lo'

config globals 'globals'
    option packet_steering '1'

config interface 'lan'
    option proto 'static'
    option ipaddr '10.0.1.1'
    option netmask '255.255.255.0'
    option delegate '0'
    option device 'br-lan'

config interface 'wan'
    option proto 'dhcp'
    option delegate '0'
    option device 'br-wan'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config device
    option name 'br-wan'
    option type 'bridge'
    list ports 'usb0'

Traditionally, this is not possible to do when you're talking about a single subnet. That is because the hosts on your network are not routed (L3), but switched (L2), so the traffic between them never passes through the firewall.

You can use wifi client isolation (which is a wifi specific thing) to achieve this goal, but it will not isolate wired <-> wireless connections.

There is something called a bridge firewall which can theoretically be used to do this type of isolation, but I've never set up a bridge firewall and I don't really know how well it works (there may be some quirks). It will only work if the two devices need to connect through the router's hardware itself -- an external switch will bypass any such efforts.

The other way to do this is to use a managed switch that has a feature called "port isolation", or you can setup VLANs for each of the sets of devices that should be isolated from each other.


It turns out it is better for me to configure VLANs?

Depends on your use case and the hardware you're using.

How many devices are you trying to isolate from each other? Will there be multiple devices on each VLAN (which are allowed to talk to each other), or are you going to end up setting up a VLAN per device?

A typical use case is a trusted lan, IoT, and guest networks... often, these each have multiple devices that fit into each category, and the networks are isolated from each other (and you can also set more granular firewall rules to allow different types of access), but devices on each network are allowed to talk to each other.


I'm going to start a VM and give it external SSH access, but I didn't want it to have LAN access, only WAN. I know I can set this up on the host, but I need a way to isolate it on the router side.
In addition, I plan to give guests LAN access via wifi to access the Internet, but at the same time so that guests cannot see each other directly (do not receive MAC neighbors), including LAN (wired) clients, but can ping each other via the router gateway.

My biggest concern is the privacy of MAC addresses between clients.

Why is that?

Are we talking about wired or wireless clients?

I'm interested in how to do this. And for the same reason, people gloss over the MAC in the screenshots.

Also, for example, I might have an internal service that is filtered by my local IP associated with the MAC, and if someone knows my MAC, they can spoof it and gain access.

Wired and wireless

While it's obviously your network and you're free to set it up as you wish, I think you may be overthinking the security 'risks' involved. Just don't rely on using MAC addresses as a form of authentication (which no one should be doing anyway) and the security risks of making them visible locally (or even globally) are pretty much zero.


OK, I understand. But I will be glad if there are any tips in the direction of setting up such isolation.
Thanks for the replies.

As far as I know, you cannot have direct client-to-client traffic on the same network, without sharing MAC addresses. So, you will have to put each client on a separate network, then allow traffic between networks (but this will break broadcast traffic).

For wired clients, as long as you have four or fewer clients, you can break the LAN bridge and configure a different network on each LAN port, using VLANs. If you have more than 4 clients (but fewer than 4096), then you will need to use an external managed switch, configure a VLAN for each port on the switch, trunk all the VLANs, then configure a different LAN on each VLAN.

For wireless clients, there is a "client isolation" option; but then I do not know how to allow traffic between the clients, unless you define an SSID and a network per client.

So far, this looks like a lot of work for a supposed security / privacy...

Any client can spoof the IP address from any other client, even without knowing the MAC address...
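As an added example (not something posted in this thread, and not OpenWrt's own scripts), here is one way to put the two replies above into practice on the posted OpenWrt 22.03 config: break br-lan into one routed /24 per DSA port, so wired clients on different ports only ever see the router's MAC; put the VM on its own port and zone that may only reach WAN; and give guests an isolated SSID. Everything about the layout is an assumption: the port-to-subnet plan, the zone and interface names (lan2, lan3, vmnet, guest, vm), radio0 as the guest radio, and that @device[0] is the posted br-lan section and @zone[0] the default lan zone.

```shell
#!/bin/sh
# Added example for this thread, not OpenWrt code. Assumed plan (edit freely):
#   lan1, lan2, lan3 -> one /24 each, reach each other only through the router
#   lan4             -> VM network (vmnet), WAN only, no LAN access
#   guest SSID       -> wifi with client isolation (isolate=1), WAN only
# Indices assumed from the posted config / stock firewall:
#   network.@device[0] = the br-lan bridge, firewall.@zone[0] = the 'lan' zone

emit_iface() {  # name port ip -> static /24 interface plus its DHCP pool
    n=$1; p=$2; ip=$3
    echo "set network.$n=interface"
    echo "set network.$n.proto='static'"
    if [ -n "$p" ]; then echo "set network.$n.device='$p'"; fi  # wifi-only if empty
    echo "set network.$n.ipaddr='$ip'"
    echo "set network.$n.netmask='255.255.255.0'"
    echo "set dhcp.$n=dhcp"
    echo "set dhcp.$n.interface='$n'"
    echo "set dhcp.$n.start='100'"
    echo "set dhcp.$n.limit='150'"
    echo "set dhcp.$n.leasetime='12h'"
}

emit_wan_only_zone() {  # zone network -> may only forward to wan; router answers DHCP/DNS
    z=$1; n=$2
    echo "set firewall.$z=zone"
    echo "set firewall.$z.name='$z'"
    echo "add_list firewall.$z.network='$n'"
    echo "set firewall.$z.input='REJECT'"
    echo "set firewall.$z.output='ACCEPT'"
    echo "set firewall.$z.forward='REJECT'"
    echo "set firewall.${z}_wan=forwarding"
    echo "set firewall.${z}_wan.src='$z'"
    echo "set firewall.${z}_wan.dest='wan'"
    echo "set firewall.${z}_svc=rule"
    echo "set firewall.${z}_svc.name='Allow-DHCP-DNS-$z'"
    echo "set firewall.${z}_svc.src='$z'"
    echo "set firewall.${z}_svc.proto='tcp udp'"
    echo "set firewall.${z}_svc.dest_port='53 67'"
    echo "set firewall.${z}_svc.target='ACCEPT'"
}

gen_uci_batch() {  # print a 'uci batch' script to stdout
    # drop the br-lan bridge; lan1 becomes the device of the existing 'lan' (10.0.1.1/24)
    echo "delete network.@device[0]"
    echo "set network.lan.device='lan1'"
    emit_iface lan2  lan2 10.0.2.1
    emit_iface lan3  lan3 10.0.3.1
    emit_iface vmnet lan4 10.0.4.1
    emit_iface guest ''   10.0.5.1
    # lan, lan2, lan3 share the 'lan' zone; forward=ACCEPT inside the zone makes the
    # router route between them, so a peer's frames carry the router's MAC, not the peer's
    echo "set firewall.@zone[0].forward='ACCEPT'"
    echo "add_list firewall.@zone[0].network='lan2'"
    echo "add_list firewall.@zone[0].network='lan3'"
    emit_wan_only_zone vm    vmnet
    emit_wan_only_zone guest guest
    # guest SSID on radio0 (assumed); isolate=1 drops guest<->guest frames at the AP
    echo "set wireless.radio0.disabled='0'"
    echo "set wireless.guest=wifi-iface"
    echo "set wireless.guest.device='radio0'"
    echo "set wireless.guest.mode='ap'"
    echo "set wireless.guest.network='guest'"
    echo "set wireless.guest.ssid='guest'"
    echo "set wireless.guest.encryption='psk2'"
    echo "set wireless.guest.key='change-me-before-use'"
    echo "set wireless.guest.isolate='1'"
    for c in network dhcp firewall wireless; do echo "commit $c"; done
}

apply_uci_batch() {  # only meaningful on the router itself
    gen_uci_batch | uci batch || return 1
    /etc/init.d/network restart
    /etc/init.d/dnsmasq restart
    /etc/init.d/firewall restart
    wifi reload
}

# 'sh isolate.sh' prints the batch for review; 'sh isolate.sh apply' applies it
if [ "${1:-}" = "apply" ]; then apply_uci_batch; else gen_uci_batch; fi
```

Run it once without arguments and read the output against `uci show network` and `uci show firewall` before applying, since the `@device[0]` and `@zone[0]` indices are only right for the posted config and a stock firewall file. Two caveats follow from the replies above: the guest SSID with `isolate=1` stops guests talking to each other at all (they share one /24, so the router cannot route between them either), and the wired isolation only holds for devices plugged straight into lan1..lan4; anything behind a dumb switch on one of those ports is back on one L2 segment.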

Thanks for the reply.

This I know. But I assume the router will control this if I can do the isolation described in the first post.

MAC filtering is not the main method of authorization, but simply one of the barriers to unauthorized access, like 2FA.

It shouldn't be a barrier in any sense. Don't even consider using MAC addresses as any level of authorisation.


Not exactly by the MAC address, but by the IP address associated with it on the side of the router. And this is only within my local network.