Bridge firewall

• This how-to describes the method for setting up bridge firewall on OpenWrt.
• Follow Splitting VLANs to be able to filter traffic between VLAN ports.
• Follow Wireless configuration to isolate wireless clients from each other.

• Filter traffic between bridged interfaces.

Install the required packages. Enable bridge firewall.

# Install packages
opkg update
opkg install kmod-br-netfilter
 
# Configure kernel parameters
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
/etc/init.d/sysctl restart

Use ping, ping6 or nmap between LAN clients to verify your firewall configuration.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
 
# Runtime configuration
iptables-save -c; ip6tables-save -c; brctl show
lsmod | grep -e br_netfilter; sysctl net.bridge
 
# Persistent configuration
uci show firewall; grep -v -e "^#" -e "^$" /etc/sysctl.conf

Restrict traffic forwarding between bridged interfaces.

# Disable LAN to LAN forwarding
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.forward="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Selective traffic forwarding between bridged interfaces.

# Install packages
opkg update
opkg install iptables-mod-physdev
 
# Deny LAN1 to LAN2 forwarding
uci -q delete firewall.lan1_lan2
uci set firewall.lan1_lan2="rule"
uci set firewall.lan1_lan2.name="Deny-LAN1-LAN2"
uci set firewall.lan1_lan2.src="lan"
uci set firewall.lan1_lan2.dest="lan"
uci set firewall.lan1_lan2.extra="-m physdev --physdev-in lan1 --physdev-out lan2"
uci set firewall.lan1_lan2.proto="all"
uci set firewall.lan1_lan2.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart