Bridge firewall

• This how-to describes the method for setting up bridge firewall on OpenWrt.
• Follow Splitting VLANs to be able to filter traffic between VLAN ports.
• Follow Wireless configuration to isolate wireless clients from each other.

• Filter and intercept transit traffic on bridged interfaces.

Assuming a setup with bridged LAN and WAN interfaces. Install the required packages. Enable bridge firewall intercepting DNS queries and filtering transit traffic from eth0 to eth1.

# Install packages
opkg update
opkg install kmod-nft-bridge
 
# Configure firewall
cat << "EOF" > /etc/nftables.d/bridge.sh
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
NET_MAC="$(ubus -S call network.device status \
"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
nft add table bridge filter
nft flush table bridge filter
nft add chain bridge filter prerouting \
{ type filter hook prerouting priority dstnat\; }
nft add rule bridge filter prerouting meta \
l4proto { tcp, udp } th dport 53 pkttype set host \
ether daddr set "${NET_MAC}" comment "Intercept-DNS"
nft add chain bridge filter forward \
{ type filter hook forward priority filter\; }
nft add rule bridge filter forward iifname "eth0" \
oifname "eth1" drop comment "Deny-eth0-eth1"
EOF
uci -q delete firewall.bridge
uci set firewall.bridge="include"
uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
uci commit firewall
service firewall restart

Set up DNS hijacking and DNS filtering.

Use nslookup, ping, ping6 on LAN clients to verify the firewall configuration.

Collect and analyze the following information.

# Log and status
service firewall restart
 
# Runtime configuration
lsmod | grep -e bridge
nft list ruleset
 
# Persistent configuration
uci show firewall

• nftables wiki: Bridge filtering
• NetDev: Bridge filtering with nftables