Bridge firewall

• This how-to describes the method for setting up bridge firewall on OpenWrt.
• Follow Splitting VLANs to be able to filter traffic between VLAN ports.
• Follow Wireless configuration to isolate wireless clients from each other.

• Filter traffic between bridged interfaces.

Install the required packages. Enable bridge firewall.

# Install packages
opkg update
opkg install kmod-nft-bridge

Use ping, ping6 or nmap between LAN clients to verify your firewall configuration.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
 
# Runtime configuration
lsmod | grep -e bridge
nft list ruleset
 
# Persistent configuration
uci show firewall

Restrict traffic forwarding between bridged interfaces.

# Disable LAN to LAN forwarding
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.forward="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Selective traffic forwarding between bridged interfaces.

# Deny LAN1 to LAN2 forwarding
uci -q delete firewall.lan1
uci set firewall.lan1="zone"
uci set firewall.lan1.name="lan1"
uci set firewall.lan1.input="ACCEPT"
uci set firewall.lan1.output="ACCEPT"
uci set firewall.lan1.forward="ACCEPT"
uci add_list firewall.lan1.device="lan1"
uci -q delete firewall.lan2
uci set firewall.lan2="zone"
uci set firewall.lan2.name="lan2"
uci set firewall.lan2.input="ACCEPT"
uci set firewall.lan2.output="ACCEPT"
uci set firewall.lan2.forward="ACCEPT"
uci add_list firewall.lan2.device="lan2"
uci -q delete firewall.lan1_lan2
uci set firewall.lan1_lan2="rule"
uci set firewall.lan1_lan2.name="Deny-LAN1-LAN2"
uci set firewall.lan1_lan2.src="lan1"
uci set firewall.lan1_lan2.dest="lan2"
uci set firewall.lan1_lan2.proto="all"
uci set firewall.lan1_lan2.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart