Two devices on br-lan ethernet, firewall config so one machine has outgoing dropped

Greetings,

I am using OpenWrt 24.10.0 on a GL.iNet GL-AR300M NOR. I have two machines, one connected to eth0 and one connected to eth1, with both ethernet ports on the router added to br-lan, which is serving DHCP to the two connected machines. There is no WAN needed for this router, and no wifi; these two machines are just intended to connect to each other on an ethernet LAN with no internet access. I can do a reset if I ever need the WAN port back, but that is unlikely.

To do this, I've added eth1 to br-lan in /etc/config/network as follows, so both ports on the GL-AR300M are on the same LAN:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

This works. Both machines connected to the GL-AR300M by ethernet get DHCP, can communicate with each other, and if either exposes services to the LAN, the other can connect to the service, going in either direction, as expected.

My next networking and firewall goal is to configure so the machine on eth0 can connect to any port offering a service on the machine on eth1, but that the machine on eth1 can't connect to any port on eth0, even if there is a service there. My understanding of how to do this with OpenWrt's current firewall approach is that there should be a new zone in OpenWrt's config called (for example) eth1device, and it should drop all outgoing and accept all incoming. Here is what I have added to /etc/config/firewall and then restarted the firewall:

config zone
        option name 'eth1device'
        option input 'ACCEPT'
        option output 'DROP'
        option forward 'REJECT'
        option network 'lan'
        option device 'eth1'

However, this isn't working – I can connect to open services on the eth0 machine from the eth1 machine. nmap can also find open ports, although scans take a very long time.

Would someone be willing to walk me through configuring the firewall to accomplish my goal of being able to have the eth0 machine connect to ports/services on devices on eth1, but devices on eth1 can't connect to ports/services on devices on eth0, while both are on br-lan? Thanks very much for any assistance.

If you want to restrict hosts on the same network segment then install a host firewall, or create a new vlan, move one of the ports, assign new layer 3 addresses, create firewall rules.

Thank you for your response. Could I ask you to elaborate on how I install a host firewall on OpenWrt? I think I may not have the ability to create VLANs on this router (but maybe that is incorrect – when I have followed other instructions here about creating a VLAN, the interface that is referred to is not visible in my OpenWrt install).

Or if "install a host firewall" is referring to a software/OS firewall on the machine on eth0, this isn't a good solution for this requirement. It's a goal to have the firewall on the router so any device that connects to eth0 can be expected to not have incoming from the device on eth1.

Then this sounds like you want and need a new VLAN segment with its own IP addresses and a new firewall zone. You can limit traffic to and from that new zone.

@ClearZebra
Don't forget to edit DHCP, too, to add an address pool for the new network.

Thank you, I will give it a try based on the OpenWrt vlan docs and come back if I hit any snags.

OK, I did this just using the WAN interface as the starting point for the second VLAN and it went fine. Thank you for the pointer that this was an offered feature.
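The reason the original zone had no effect is that both hosts sat on ports of the same bridge, so their traffic was switched at layer 2 and never passed through the router's IP firewall. Below is an added example (not the thread's own configuration) of the layout the replies describe: eth1 taken out of br-lan and turned into its own layer 3 segment, a DHCP pool for it, and a zone that is only forwarded to from lan. The interface name seg2 and the 192.168.2.0/24 subnet are assumptions; any unused private range works.

```uci
# /etc/config/network  (eth1 is no longer a port of br-lan)
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'seg2'            # assumed name; the old 'wan' section can be edited instead
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp  (address pool for the new segment, as noted above)
config dhcp 'seg2'
        option interface 'seg2'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall
config zone
        option name 'seg2'
        list network 'seg2'
        option input 'REJECT'      # eth1 hosts may not reach the router's own services ...
        option output 'ACCEPT'
        option forward 'REJECT'

config rule                        # ... except DHCP, which they need to get an address
        option name 'Allow-DHCP-seg2'
        option src 'seg2'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding                  # lan (eth0) -> seg2 (eth1) is allowed
        option src 'lan'
        option dest 'seg2'
# No 'seg2' -> 'lan' forwarding section exists, so new connections from eth1
# hosts to eth0 hosts are rejected; replies to lan-initiated connections are
# still allowed by connection tracking.
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, a connection attempt from the eth1 host to a service on the eth0 host should fail while the reverse direction works; a quick `nmap` from eth1 toward the eth0 host is a reasonable check that nothing is exposed.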

Could you just create a guest network and allow forwarding from lan to guest but not from guest to lan?

And... how do you think a guest network is set up.... :face_exhaling:

Oh, I saw the VLAN portion of the conversation later. Same thing, different way.

It's exactly the same. If not, enlighten me please.

Nope, same thing. I didn't see that you recommended that method. My bad.
