(SOLVED) Is there any way to filter packets between two machines in same lan?

Hi there, I've got an OpenWRT router with my two laptops linked in, so the two laptops are in the same LAN. Laptop A's IP is 192.168.2.101, the other one's is 192.168.2.102.
Now I'm trying to use iptables to filter some TCP packets which contain a particular string like "hello world" between the two laptops, but I failed. I even executed iptables -I INPUT -d 192.168.2.101 -j DROP; as a result, I just can't access my router's LuCI interface, but I can still access a website deployed on laptop B.
It seems the packets inside the LAN won't go through the firewall; they just work on layer 2. So is there any way to filter the packets between my two laptops? Thanks a lot.

The packets won't even go through the router at all if the laptops are on the same subnet and wired.

Laptop A will broadcast a "who has" ARP request for 192.168.2.102 (if it doesn't have it already). Laptop B will respond with its MAC address. Laptop A will now put its packet on the wire with the MAC address of Laptop B. The router ignores the packet as it is a unicast Ethernet packet not addressed to the router.

If one of the laptops is wireless, then the packet will be seen by the wireless-Ethernet bridge in the router. If both are wireless, then it may be seen by the router, depending on how your wireless is configured.

  • Use source/destination host firewall.
  • Use VLANs.
  • Use different subnets.

How are those laptops connected to the router? Wired or wireless?
Are you asking for a long-term solution, or just a proof of concept?

Either a long-term solution or a proof of concept is OK. But I don't want to block all the packets between them; only the packets which contain some specific strings should be blocked.

If wired, you'll need to "force" the packets to pass through the router (or another firewalling device). That won't happen as long as they're on the same subnet as each will see the other as link local.

One "hack" would be to put them on separate segments and join the two segments with a bridge in the router CPU. One way to do that would be to tag "LAN 1" on the switch with one VLAN, "LAN 2" with another VLAN, create two tagged interfaces on the CPU's Ethernet device, and supply static routes in the router via the respective VLANs. Ugly, but functional. Different subnets would be much easier.

Thanks for your explanation, but in my case I need both laptops to be connected by wire.

Understood, but if they're on the same wire and same subnet, the router never participates in communication between them. That's how Ethernet works.

Edit: Assuming you haven't given both devices specific, static routes to each other, and that they "ignore" that they are link-local with respect to each other.

"It just works" is enough :smile:
I'll try the VLAN later. Thanks!

Put each port on the switch in its own VLAN, then bridge the VLANs in the router, then turn on bridge netfilter, and use iptables to filter.


I put the 2 ports in different VLANs and bridged them. Now they can ping each other. But I'm confused about turning on bridge netfilter.
Should I install some modules?

kmod-br-netfilter, and enable the related sysctls: https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

Now iptables gets called, and your FORWARD chain will have to have rules allowing appropriate traffic
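The procedure from the last few posts (bridged VLANs, br_netfilter, FORWARD rules) put together as a script for the router. This is an added example, not code from the thread or from OpenWrt. It assumes the two laptop VLANs are already bridged as br-lan, that the laptops are 192.168.2.101 and 192.168.2.102, and that kmod-br-netfilter (the bridge-nf sysctls) and iptables-mod-filter (the "string" match) are installed; the bridge name and addresses are parameters. Running it with DRY_RUN=1 only prints the commands, so it can be checked on a machine without iptables before it is copied to the router.

```shell
#!/bin/sh
# Added example: enable bridge netfilter on an OpenWrt router whose two LAN
# VLANs are bridged in the CPU, then drop TCP segments between two hosts on
# that bridge that carry a given string. Assumed names: bridge br-lan, hosts
# 192.168.2.101 and 192.168.2.102 (override via the environment). Needs the
# packages kmod-br-netfilter and iptables-mod-filter on the router.

BRIDGE="${BRIDGE:-br-lan}"
HOST_A="${HOST_A:-192.168.2.101}"
HOST_B="${HOST_B:-192.168.2.102}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: load br_netfilter and make bridged IPv4 frames traverse iptables.
# Without this the router's FORWARD chain never sees laptop-to-laptop frames.
enable_bridge_netfilter() {
  run modprobe br_netfilter
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
  # Only IPv4 is filtered here; leave the IPv6 and ARP hooks off.
  run sysctl -w net.bridge.bridge-nf-call-ip6tables=0
  run sysctl -w net.bridge.bridge-nf-call-arptables=0
}

# Step 2: the FORWARD rule for one direction. Frames that cross the bridge
# enter and leave on the bridge interface itself, so -i/-o br-lan is enough
# and no physdev match is needed. Returned as text so it can be reviewed
# before it is eval'd. The pattern must not contain a double quote.
string_drop_rule() {
  pattern="$1"; src="$2"; dst="$3"
  printf 'iptables -I FORWARD 1 -i %s -o %s -p tcp -s %s -d %s -m string --string "%s" --algo bm -j DROP' \
    "$BRIDGE" "$BRIDGE" "$src" "$dst" "$pattern"
}

# Step 3: allow bridge-to-bridge traffic, then insert the drop rules in front
# of that ACCEPT. Both directions are covered: either laptop may send the
# string, and the DROP must match before anything accepts the segment.
apply_string_filter() {
  pattern="$1"
  enable_bridge_netfilter
  run iptables -I FORWARD 1 -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
  for rule in "$(string_drop_rule "$pattern" "$HOST_A" "$HOST_B")" \
              "$(string_drop_rule "$pattern" "$HOST_B" "$HOST_A")"; do
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$rule"; else eval "$rule"; fi
  done
}

# Usage on the router:  sh filter.sh "hello world"
if [ -n "${1:-}" ]; then
  apply_string_filter "$1"
fi
```

Two caveats a practitioner would want: rules added with plain iptables calls do not survive a reboot or a firewall reload, so on fw3-based OpenWrt they belong in /etc/firewall.user and the sysctls in /etc/sysctl.conf; and the string match inspects each TCP segment on its own, so a pattern split across two segments, or carried inside TLS, is not caught. It blocks a single plaintext string, which is what the proof of concept in this thread asks for.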

Many thanks, it worked just an hour before you replied. And the details like configuring bridge netfilter and the FORWARD chain are exactly as you said. Thanks again!
I've also read quite a similar post on the forum: Firewall on the same Network
