I am trying to mark and SNAT packets based on the port that receives packet with a specific source IP.
I have 3 physical ports configured as follows:
All ports bridged.
Bridge VLAN filtering enabled (port0 => VLAN1, port1 => VLAN2, port2 => VLAN3, all untagged).
VLAN interfaces are assigned separate firewall zones (VLAN1 => zone1, VLAN2 => zone2, VLAN3 => zone3). Forwarding is only allowed between zone2/3 and zone1. Forwarding is rejected between zone2 and zone3.
Goal is to send packets from physical ports 1 and 2 to port0 while separate devices connected to port1 and port2 use the same IP address. Packets from this source IP will then be given different marks based on the firewall zone that receives them, and then be SNATed based on the marks set.
Result observed was that the packets received from both devices end up being SNATed to the same IP. This seems to indicate that the packets from both devices somehow arrived on the same firewall zone, despite the bridge VLAN interfaces being assigned different firewall zones?
Communication between devices on the same subnet cannot be controlled by the firewall because that data is switched (L2) not routed (L3).
Let's take a look at your config so we can better understand your current state:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
```
Oh right, I totally forgot about that. And to think I just learnt that in a separate post.
I have removed the bridging and the ports are now separate interfaces with no VLANs. This still does not work. The result is the same as my previous attempt with bridged VLANs. Why?
I am not currently able to get the configuration. Will post that when I can.
```
config defaults
	option custom_chains '1'
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.125'
	option mark '9991'
	list proto 'all'

config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.126'
	option mark '9992'
	list proto 'all'

config zone
	option name 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan1'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan2'

config forwarding
	option src 'lan'
	option dest 'lan1'

config forwarding
	option src 'lan'
	option dest 'lan2'

config forwarding
	option src 'lan1'
	option dest 'lan'

config forwarding
	option src 'lan2'
	option dest 'lan'

config rule
	option src 'lan1'
	list src_ip '192.168.124.124'
	option target 'MARK'
	option set_mark '9991'
	option dest '*'

config rule
	option src 'lan2'
	list src_ip '192.168.124.124'
	option target 'MARK'
	option set_mark '9992'
	option dest '*'
```
/etc/firewall.user is empty
One sender (192.168.124.124) is connected to "lan1" port and another (also 192.168.124.124) to "lan2" port and the receiver (192.168.123.124) is connected to "lan0" port.
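As an added example that is not part of this thread: a small offline check over a UCI firewall config that parses the `config`/`option`/`list` lines and reports two things the posted config depends on, namely SNAT rules whose `mark` no `MARK` rule sets, and SNAT rules that only their mark tells apart (if both packets carry the same mark, the first such rule takes all of them). The embedded config is a constructed excerpt of the posted one with the lan2 MARK rule left out, so both checks report something; `parse_uci` and `check_snat` are names chosen here.

```python
import re
from collections import defaultdict
# Constructed excerpt of the posted /etc/config/firewall: both SNAT sections, only the lan1 MARK rule.
FIREWALL_CONFIG = """\
config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.125'
	option mark '9991'
config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.126'
	option mark '9992'
config rule
	option src 'lan1'
	list src_ip '192.168.124.124'
	option target 'MARK'
	option set_mark '9991'
"""
# One UCI line: keyword, key/section type, optional single-quoted value.
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?")

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]})]; lines that do not match are skipped."""
    sections = []
    for m in filter(None, map(_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:  # 'list' entries may repeat, so collect them in order
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def check_snat(sections):
    """Return human-readable findings about the SNAT rules in the parsed config."""
    set_marks = {o.get("set_mark") for t, o in sections if t == "rule" and o.get("target") == "MARK"}
    findings, by_match = [], defaultdict(list)
    for t, o in sections:
        if t != "nat" or o.get("target") != "SNAT":
            continue
        if o.get("mark") and o["mark"] not in set_marks:
            findings.append(f"SNAT to {o['snat_ip']} waits for mark {o['mark']}, which no MARK rule sets")
        by_match[(o.get("src"), o.get("src_ip"))].append(o["snat_ip"])  # same src/src_ip => only the mark differs
    for (src, src_ip), targets in by_match.items():
        if len(targets) > 1:
            findings.append(f"{len(targets)} SNAT rules match src={src} src_ip={src_ip}; with equal marks the first ({targets[0]}) wins")
    return findings
```

Run it against the full file with `check_snat(parse_uci(open('/etc/config/firewall').read()))` to see only the second finding remain once both MARK rules are present.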
Since you can define SRC zone with the SNAT rule, why are you attempting to perform an extra [unnecessary] step of [target] marking the packets first before [target] SNATting them?
Specify by SRC IP or subnet (i.e., just fix your SNAT rules and delete the mark rules). Unless there's a reason to mark, I didn't understand the reply.
LuCI is the web user interface... There is no source zone option when configuring SNAT using the web user interface, only destination zone. I assumed that meant source zone is not configurable for SNAT.
Consider the configuration as the following: "specifying the destination where the SNAT has to be used."
I'm trying to understand why you're trying to mark the SRC zone, instead of just making a SNAT rule. In other words to be clear: you don't need to mark nor specify the SRC zone.