• This how-to describes the method for setting up bridge firewall on OpenWrt.
• Follow Splitting VLANs to be able to filter traffic between VLAN ports.
• Follow Wireless configuration to isolate wireless clients from each other.

• Filter traffic between bridged interfaces.
  • Isolate LAN clients from each other.

Install the packages and enable bridge firewall.

# Install packages
opkg update
opkg install kmod-br-netfilter
 
# Enable bridge firewall
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
/etc/init.d/sysctl restart

Customize LAN to LAN forward if required.

# Disable LAN to LAN forward
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.forward="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Use ping, ping6 or nmap between LAN clients to verify your firewall configuration.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
 
# Runtime configuration
lsmod | grep -e br_netfilter
sysctl net.bridge
iptables-save
ip6tables-save
 
# Persistent configuration
cat /etc/sysctl.conf
uci show firewall