[solved] Bridge-firewall

With my openwrt I would like to achieve the following:

  1. a network (lan) with internet access (that works)
  2. a second network (local) with full access to the network lan, but no internet access
  3. a third network (fam) with internet access and access to single devices in lan
  4. a fourth network (outdoor) without internet access and access to single services in lan (e.g. PC1, port 80, UDP)
  5. lan should have access to all networks

After studying the documentation, I realized that I needed a bridge-firewall for that, not a routing-firewall, so I need a common IP range for all networks, like 192.168.x.y.

I found two approaches in the documentation: relayd and ebtables. I'm not sure which to use. Or is there a completely different way? Some of the documentation on this topic is very old.

What about the CPU load? I have a BananaPI (two cores, 1GHz) and would like to reach over 100mb/s. Is this realistic?

It's a long way to go. I am also very grateful for partial answers.

You can achieve that with a routing firewall. iptables will do exactly what you want.

Create separate subnets for each network segment (lan, local, fam, outdoor, etc.).

Set up firewall zones and rules which permit specific traffic between the network segments, according to your requirements. It's possible to allow all traffic in one direction, but only a single port/IP address in the reverse direction.
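To make the zone-and-forwarding approach described in this reply concrete, here is an added `/etc/config/firewall` fragment for the four segments from the original question. It is an illustration written for this thread, not configuration from the original posts or from OpenWrt's shipped defaults. It assumes `/etc/config/network` already defines interfaces named `lan`, `local`, `fam`, `outdoor` and `wan`, each on its own subnet; the subnets and the address of PC1 (`192.168.1.10`) are constructed placeholder values.

```uci
# Added example for this thread (not from the original posts).
# Assumed interfaces in /etc/config/network, each on its own subnet
# (constructed values):
#   lan     192.168.1.0/24     local   192.168.2.0/24
#   fam     192.168.3.0/24     outdoor 192.168.4.0/24
# PC1 = 192.168.1.10 is a constructed address for the single lan device.

config defaults
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT		# nothing crosses zones unless allowed below
	option synflood_protect	1

config zone
	option name		wan
	list   network		'wan'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# One zone per segment. input ACCEPT keeps DHCP/DNS to the router working;
# forward REJECT means clients inside a zone cannot reach other zones by default.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		local
	list   network		'local'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		fam
	list   network		'fam'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		outdoor
	list   network		'outdoor'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

# Requirement 1 and 5: lan reaches the internet and every other segment.
# A forwarding is one-directional for *new* connections; replies are
# matched by connection tracking, so local/fam/outdoor cannot open
# connections towards lan through these entries.
config forwarding
	option src		lan
	option dest		wan

config forwarding
	option src		lan
	option dest		local

config forwarding
	option src		lan
	option dest		fam

config forwarding
	option src		lan
	option dest		outdoor

# Requirement 2: local has full access to lan, and no forwarding to wan.
config forwarding
	option src		local
	option dest		lan

# Requirement 3: fam gets internet ...
config forwarding
	option src		fam
	option dest		wan

# ... plus a single device in lan (all protocols/ports to PC1 only).
config rule
	option name		fam-to-PC1
	option src		fam
	option dest		lan
	option dest_ip		192.168.1.10
	option proto		all
	option target		ACCEPT

# Requirement 4: outdoor has no forwarding at all; only this one rule
# lets it reach PC1 on port 80 (UDP, as the requirement was stated).
config rule
	option name		outdoor-to-PC1-80
	option src		outdoor
	option dest		lan
	option dest_ip		192.168.1.10
	option dest_port	80
	option proto		udp
	option target		ACCEPT
```

After editing the file, apply it with `/etc/init.d/firewall restart` and review the generated ruleset with `fw3 print` (firewall3) or `fw4 print` (firewall4). The design point worth checking is the asymmetry: the `forwarding` sections from `lan` let lan initiate towards every other zone, while the only paths back into lan are the `local` forwarding and the two narrow `rule` entries, so a compromised device in `fam` or `outdoor` cannot reach anything in lan beyond PC1.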

Really? At first sight, I do not see anything that cannot be done using a router, and it is simpler (in my experience) to configure and maintain than a bridge. I have a similar configuration, where each network is configured in a different IP range, and everything is done using the standard tools.

After some further consideration, I also believe that it is feasible with a routing firewall. However, I cannot get a route to another network working. I'm opening a different thread on this.

Many Thanks!