Bridge firewall

  • This how-to describes the method for setting up bridge firewall on OpenWrt.
  • Follow Splitting VLANs to be able to filter traffic between VLAN ports.
  • Follow Wireless configuration to isolate wireless clients from each other.
  • Filter traffic between bridged interfaces.

Install the required packages. Enable bridge firewall.

# Install packages
opkg update
opkg install kmod-nft-bridge

Use ping, ping6 or nmap between LAN clients to verify your firewall configuration.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
# Runtime configuration
lsmod | grep -e bridge
nft list ruleset
# Persistent configuration
uci show firewall

Restrict traffic forwarding between bridged interfaces.

# Disable LAN to LAN forwarding
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.forward="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Configure selective traffic forwarding between bridged interfaces, putting each port in its own zone and rejecting traffic between the two zones.

# Deny LAN1 to LAN2 forwarding
uci -q delete firewall.lan1
uci set firewall.lan1="zone"
uci set firewall.lan1.name="lan1"
uci set firewall.lan1.input="ACCEPT"
uci set firewall.lan1.output="ACCEPT"
uci set firewall.lan1.forward="ACCEPT"
uci add_list firewall.lan1.device="lan1"
uci -q delete firewall.lan2
uci set firewall.lan2="zone"
uci set firewall.lan2.name="lan2"
uci set firewall.lan2.input="ACCEPT"
uci set firewall.lan2.output="ACCEPT"
uci set firewall.lan2.forward="ACCEPT"
uci add_list firewall.lan2.device="lan2"
uci -q delete firewall.lan1_lan2
uci set firewall.lan1_lan2="rule"
uci set firewall.lan1_lan2.name="Deny-LAN1-LAN2"
uci set firewall.lan1_lan2.src="lan1"
uci set firewall.lan1_lan2.dest="lan2"
uci set firewall.lan1_lan2.proto="all"
uci set firewall.lan1_lan2.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
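
As an added example (not part of the wiki page), the following POSIX shell script checks the outcome of the two procedures above by reading a `uci show firewall` dump: it prints each zone's forward policy and lists the zones that still forward traffic between their own interfaces. The dump embedded here is constructed; the zone names lan and wan and the anonymous guest zone are assumptions. On a router you would feed the real output of `uci show firewall` to the same functions.

```sh
#!/bin/sh
# Added example, not from the OpenWrt wiki: audit zone forward policies in a
# `uci show firewall` dump. On a router: accept_forward_zones "$(uci show firewall)"
# Here a constructed sample dump stands in for the router output.

# Constructed sample of `uci show firewall` output (assumed zone names):
# 'lan' still forwards between its bridged ports, 'wan' does not, and an
# anonymous guest zone (never renamed, so shown as @zone[2]) forwards too.
SAMPLE=$(cat <<'EOF'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.network='wan' 'wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].network='guest'
EOF
)

# Print "<section> <forward-policy>" for every zone section in the dump ($1).
# uci quotes values with single quotes, so the pattern expects forward='...'.
zone_forward_policies() {
    printf '%s\n' "$1" |
        sed -n "s/^firewall\.\([^.=]*\)\.forward='\([A-Z]*\)'\$/\1 \2/p"
}

# Print the forward policy of one zone section ($1) from the dump ($2);
# prints nothing when the zone does not exist.
zone_forward_policy() {
    zone_forward_policies "$2" | awk -v z="$1" '$1 == z { print $2 }'
}

# Print the zone sections whose intra-zone forward policy is ACCEPT. For a zone
# holding a bridge of several ports (the default 'lan' with br-lan) this means
# traffic between those ports is never filtered; for a zone with a single
# device (lan1 or lan2 in the selective setup) the policy has no effect.
accept_forward_zones() {
    zone_forward_policies "$1" | awk '$2 == "ACCEPT" { print $1 }'
}

# Exit status 0 when zone $1 rejects intra-zone forwarding, 1 otherwise.
zone_forward_closed() {
    [ "$(zone_forward_policy "$1" "$2")" = "REJECT" ]
}

echo "Forward policy per zone:"
zone_forward_policies "$SAMPLE" | sed 's/^/  /'
echo "Zones that still forward between their own interfaces:"
accept_forward_zones "$SAMPLE" | sed 's/^/  /'
zone_forward_closed lan "$SAMPLE" || echo "lan zone: forward is not REJECT"
```

The anonymous `@zone[2]` entry in the output shows why the first procedure renames `firewall.@zone[0]` to `lan` before changing its options: a section index shifts when zones are added or deleted, a name does not.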
  • Last modified: 2023/01/16 23:27
  • by vgaetera