I run 22.03.5 on a basic Wi-Fi range extender device that I have configured as a network bridge, so that Wi-Fi clients are directed to the Ethernet port where my actual router/gateway computer and the WAN is.
By default OpenWRT will itself switch client-to-client Wi-Fi traffic so that clients on the access point can reach eachother. If I enable "isolate clients" OpenWRT will instead drop all client-to-client traffic. Regardless of what mode, OpenWRT always deals with this traffic itself. What I am looking to achieve is to make OpenWRT instead always forward client-to-client traffic to the Ethernet port so that I on the router computer can control what Wi-Fi clients get to speak to eachother. I cannot find how/where to do this. I don't mind editing config files over ssh.
What you are asking is not possible as a general thing. If wifi client isolation is enabled, wifi devices will be unable to communicate with each other (at least those connected to the same AP). If it is disabled, they will communicate via switching principles and it will happen at the AP, so you can't have another device filtering these connections.
That said, there are some options you can consider...
There is the idea of the bridge firewall -- I've never tried to setup a bridge firewall and it may have some strange quirks. Layer 2 is not normally where firewall operations happe.
WPA2/WPA3 Enterprise with RADIUS and 802.1x authentication can give you more granular controls here, but this is a fairly significant increase in complexity.
If you are trying to isolate categories of devices from each other (such as IoT or guest devices from your trusted LAN), this is easy using multiple subnets and associated SSIDs. This is easy to filter since it involves routing (L3) which will allow you to have your main router handle all the firewall operations.
Ahhh, OK. I had no idea OpenWRT had such a hard limitation. I was certain that it would be possible to fully wrestle with the Wi-Fi traffic by engaging directly with nftables (or iptables), because I can achieve this perfectly fine with for example OpenBSD whose packet filter always handles traffic for wireless interfaces in HostAP mode. But I will take a look at the "bridge firewall" suggestion, maybe that's the solution. Thanks!
This is not an OpenWrt limitation... it is true of almost all consumer and small business networking equipment. This capability is only really available natively in enterprise gear.