[Solved] Firewall rule for distinguishing ethernet vs wireless traffic

I have a default install where my wireless and lan cable connections are all part of the “br-lan” bridge. I want to add a firewall rule that only applies to ethernet connections, not wifi.

More specifically, I want to block certain outbound traffic to the wan if it originates from an ethernet port, but not block it if it originates from a wifi connection.

I cannot for the life of me figure out how to do this. Any help would be greatly appreciated!

This is not possible directly because the two physical interfaces belong to the same network.

There are two ways you can approach this:

  • create a different subnet for WiFi

Or

  • specify dhcp reservations for the devices known to connect to either WiFi or Ethernet and then apply the firewall rules to those specific addresses.

Thank you for the reply! I was hoping to avoid doing that with some trickery like bridge filtering or vlan-id checking, but if I have to I’ll give up and just make separate subnets and then figure out how to link them somehow.

You could try bridge firewall - I’ve never used it, but it may work for this purpose.

VLANs are not applicable if you are using a dongle subnet.

1 Like

Just in case anyone reading this in the future is looking to do something similar, I can confirm that bridge firewalls work, as psherman suggested. Basically just need to install the "kmod-nft-bridge" package and then add something like this:

table bridge firewall {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state vmap { invalid : drop, established : accept, related : accept }
		iif "lan1" log "intercepted outbound request from lan port 1!"
	}

Great! Glad to hear it worked!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.