Bridge firewall

This article relies on the following:
- Accessing web interface / command-line interface
- Managing configs / packages / services / logs

Introduction

This how-to describes the method for setting up a bridge firewall on OpenWrt.
- Follow Splitting VLANs to be able to filter traffic between VLAN ports.
- Follow Wireless configuration to isolate wireless clients from each other.

Goals

- Filter and intercept transit traffic on bridged interfaces.

Command-line instructions

Assuming a setup with bridged LAN and WAN interfaces. Install the required packages. Enable the bridge firewall, intercepting DNS queries and filtering transit traffic from eth0 to eth1.

# Install packages
opkg update
opkg install kmod-nft-bridge

# Configure firewall
cat << "EOF" > /etc/nftables.d/bridge.sh
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
NET_MAC="$(ubus -S call network.device status \
"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
nft add table bridge filter
nft flush table bridge filter
nft add chain bridge filter prerouting \
{ type filter hook prerouting priority dstnat\; }
nft add rule bridge filter prerouting meta \
l4proto { tcp, udp } th dport 53 pkttype set host \
ether daddr set "${NET_MAC}" comment "Intercept-DNS"
nft add chain bridge filter forward \
{ type filter hook forward priority filter\; }
nft add rule bridge filter forward iifname "eth0" \
oifname "eth1" drop comment "Deny-eth0-eth1"
EOF
uci -q delete firewall.bridge
uci set firewall.bridge="include"
uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
uci commit firewall
service firewall restart

Set up DNS hijacking and DNS filtering.

Testing

Use nslookup, ping, ping6 on LAN clients to verify the firewall configuration.
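The same bridge ruleset as in the command-line instructions above, rendered as an `nft -f` file so it can be reviewed, diffed and reloaded atomically. This is an added example, not code from the OpenWrt wiki or the fw4 project: `render_bridge_rules` and `apply_bridge_rules` are hypothetical helper names, the interface names and MAC address are parameters, and the values in the usage line are constructed samples.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: render the page's bridge
# ruleset as an `nft -f` file instead of a series of `nft add` commands, so it
# can be reviewed, diffed and replaced atomically. Interface names and the MAC
# are parameters; the values in the usage line below are constructed samples.
# Assumes an OpenWrt host with kmod-nft-bridge installed for the apply step.

# render_bridge_rules LAN_DEV WAN_DEV ROUTER_MAC
# Prints a complete bridge-family ruleset. On top of the wiki rules it adds
# counters to both rules and logs dropped transit frames, so the filter's
# effect is visible in `nft list ruleset` and in `logread`.
render_bridge_rules() {
    lan_dev="$1"; wan_dev="$2"; router_mac="$3"
    cat << EOF
# declare, then delete, so the reload is atomic even on the first run
table bridge filter
delete table bridge filter
table bridge filter {
    chain prerouting {
        type filter hook prerouting priority dstnat; policy accept;
        # hand bridged DNS queries to the router's own resolver
        meta l4proto { tcp, udp } th dport 53 counter pkttype set host ether daddr set ${router_mac} comment "Intercept-DNS"
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # one direction only, as on the wiki; add the mirror rule for a full block
        iifname "${lan_dev}" oifname "${wan_dev}" counter log prefix "bridge-deny: " drop comment "Deny-${lan_dev}-${wan_dev}"
    }
}
EOF
}

# apply_bridge_rules LAN_DEV WAN_DEV
# Discovers the WAN device MAC the same way the wiki script does, then loads
# the rendered ruleset in one transaction.
apply_bridge_rules() {
    . /lib/functions/network.sh
    network_flush_cache
    network_find_wan net_if
    network_get_device net_dev "${net_if}"
    mac="$(ubus -S call network.device status "{'name':'${net_dev}'}" | jsonfilter -e '$.macaddr')"
    render_bridge_rules "$1" "$2" "${mac}" | nft -f -
}

# Usage (constructed sample MAC): render_bridge_rules eth0 eth1 00:11:22:33:44:55
```

Run `render_bridge_rules eth0 eth1 <mac> | nft -c -f -` first to syntax-check the ruleset without loading it.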
Troubleshooting

Collect and analyze the following information.

# Log and status
service firewall restart

# Runtime configuration
lsmod | grep -e bridge
nft list ruleset

# Persistent configuration
uci show firewall

Extras

References

- nftables wiki: Bridge filtering
- NetDev: Bridge filtering with nftables

Last modified: 2023/10/14 01:41 by vgaetera