I need to set up a simple home network, but so that no network client (lan, wlan) sees the MAC addresses of their neighbors, but at the same time they can connect to each other through the router's gateway. That is isolation, but with routing of clients among themselves.
So that information about the MAC addresses of clients is available only to the router, and the router itself, based on it, routes local clients among themselves.
How can I do this in OpenWrt?
I am using OpenWrt 22.03.3 via ssh without luci.
/etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option packet_steering '1'

config interface 'lan'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option delegate '0'
	option device 'br-wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'usb0'
Traditionally, this is not possible to do when you're talking about a single subnet. That is because the hosts on your network are not routed (L3), but switched (L2), so the traffic between them never passes through the firewall.
You can use wifi client isolation (which is a wifi specific thing) to achieve this goal, but it will not isolate wired <-> wireless connections.
There is something called a bridge firewall which can theoretically be used to do this type of isolation, but I've never set up a bridge firewall and I don't really know how well it works (there may be some quirks). It will only work if the two devices need to connect through the router's hardware itself -- an external switch will bypass any such efforts.
The other way to do this is to use a managed switch that has a feature called "port isolation", or you can set up VLANs for each of the sets of devices that should be isolated from each other.
It depends on your use case and the hardware you're using.
How many devices are you trying to isolate from each other? Will there be multiple devices on each VLAN (which are allowed to talk to each other), or are you going to end up setting up a VLAN per device?
A typical use case is a trusted lan, IoT, and guest networks... often, these each have multiple devices that fit into each category, and the networks are isolated from each other (and you can also set more granular firewall rules to allow different types of access), but devices on each network are allowed to talk to each other.
I'm going to start a VM and give it external ssh access, but I didn't want it to have LAN access, only WAN. I know I can set this up on the host, but I need a way to isolate it on the router side.
In addition, I plan to give guests LAN access via wifi to access the Internet, but at the same time, so that guests cannot see each other directly (do not receive MAC neighbors), including LAN (wired) clients, but can ping each other via the router gateway.
My biggest concern is the privacy of MAC addresses between clients.
I'm interested in how to do this. And for the same reason, people gloss over the MAC in the screenshots.
Also, for example, I might have an internal service that is filtered by my local IP associated with the MAC, and if someone knows my MAC, they can spoof it and gain access.
While it's obviously your network and you're free to set it up as you wish, I think you may be overthinking the security 'risks' involved. Just don't rely on using MAC addresses as a form of authentication (which no one should be doing anyway) and the security risks of making them visible locally (or even globally) are pretty much zero.
As far as I know, you cannot have direct client-to-client traffic on the same network, without sharing MAC addresses. So, you will have to put each client on a separate network, then allow traffic between networks (but this will break broadcast traffic).
For wired clients, as long as you have four or fewer clients, you can break the LAN bridge, and configure a different network on each LAN port, using VLANs. If you have more than 4 clients (but fewer than 4096), then you will need to use an external managed switch, and configure a VLAN for each port on the switch, trunk all the VLANs, then configure a different LAN on each VLAN.
For wireless clients, there is a "client isolation" option; but then I do not know how to allow traffic between the clients, unless you define an SSID and a network per client.
So far, this looks like a lot of work for a supposed security / privacy...
Any client can spoof the IP address from any other client, even without knowing the MAC address...
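The per-port VLAN approach from the answer above, written out as an added example against the OP's 22.03 DSA config (this is not any poster's configuration): each LAN port becomes its own bridge-vlan and its own /24, so ARP broadcasts never reach another port and a client only ever learns the router's MAC as its next hop, while one firewall zone with `forward 'ACCEPT'` lets the router route between the ports. Interface names `port1`/`port2`, zone name `ports`, the 10.0.1x.0/24 subnets and the guest SSID are assumed values; the OP's existing `lan` interface on plain `br-lan` would be removed or moved onto one of the VLANs.

```uci
# /etc/config/network  (added below the OP's 'br-lan' device section; names assumed)
config bridge-vlan
	option device 'br-lan'
	option vlan '11'
	list ports 'lan1:u*'     # lan1 untagged, PVID 11 -> creates br-lan.11

config bridge-vlan
	option device 'br-lan'
	option vlan '12'
	list ports 'lan2:u*'     # lan2 untagged, PVID 12 -> creates br-lan.12

config interface 'port1'
	option proto 'static'
	option device 'br-lan.11'
	option ipaddr '10.0.11.1'    # router is the only L2 neighbour a client sees
	option netmask '255.255.255.0'

config interface 'port2'
	option proto 'static'
	option device 'br-lan.12'
	option ipaddr '10.0.12.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (one pool per port network so clients get the right gateway)
config dhcp 'port1'
	option interface 'port1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'port2'
	option interface 'port2'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  (one zone; intra-zone forward = routed port1 <-> port2)
config zone
	option name 'ports'
	list network 'port1'
	list network 'port2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'      # set to REJECT to drop client<->client entirely

config forwarding
	option src 'ports'
	option dest 'wan'

# /etc/config/wireless  (guest SSID: isolate=1 blocks wifi client<->client at L2)
config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'          # assumed SSID
	option network 'port2'       # or its own interface/zone; routed like the ports
	option isolate '1'
```

Apply with `/etc/init.d/network restart`, `/etc/init.d/dnsmasq restart`, `/etc/init.d/firewall restart` and `wifi reload`; `lan3`/`lan4` get the same pattern with vlan 13/14.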