• This how-to describes the method for setting up bridge firewall on OpenWrt.
• Follow Splitting VLANs to be able to filter traffic between VLAN ports.
• Follow Wireless configuration to isolate wireless clients from each other.

• Filter traffic between bridged interfaces.
  • Isolate LAN clients from each other.

Install the packages and enable bridge firewall.

# Install packages
opkg update
opkg install kmod-br-netfilter
 
# Configure kernel parameters
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
/etc/init.d/sysctl restart

Use ping, ping6 or nmap between LAN clients to verify your firewall configuration.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
 
# Runtime configuration
iptables-save; ip6tables-save; brctl show
lsmod | grep -e br_netfilter; sysctl net.bridge
 
# Persistent configuration
uci show firewall; grep -v -e "^#" -e "^$" /etc/sysctl.conf

Isolate LAN clients from each other.

# Disable LAN to LAN forwarding
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.forward="REJECT"
uci commit firewall
/etc/init.d/firewall restart