Differences
This shows you the differences between two versions of the page.
| docs:guide-user:firewall:fw3_configurations:bridge [2020/07/15 19:19] – [Testing] vgaetera | docs:guide-user:firewall:fw3_configurations:bridge [2023/10/14 05:41] – use service invocation vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Bridge firewall ====== | ====== Bridge firewall ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * This how-to describes the method for setting up bridge firewall on OpenWrt. | + | * This how-to describes the method for setting up [[wp> |
| + | * Follow [[docs: | ||
| + | * Follow [[docs: | ||
| ===== Goals ===== | ===== Goals ===== | ||
| - | * Filter traffic | + | * Filter |
| - | * Isolate LAN clients from each other. | + | |
| - | ===== Instructions | + | ===== Command-line instructions |
| - | Install the packages | + | Assuming a setup with bridged LAN and WAN interfaces. |
| + | Install the required | ||
| + | Enable | ||
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install kmod-br-netfilter | + | opkg install kmod-nft-bridge |
| - | # Enable bridge | + | # Configure |
| - | cat << EOF >> /etc/sysctl.conf | + | cat << |
| - | net.bridge.bridge-nf-call-arptables=1 | + | . / |
| - | net.bridge.bridge-nf-call-iptables=1 | + | network_flush_cache |
| - | net.bridge.bridge-nf-call-ip6tables=1 | + | network_find_wan NET_IF |
| + | network_get_device NET_DEV " | ||
| + | NET_MAC=" | ||
| + | " | ||
| + | nft add table bridge | ||
| + | nft flush table bridge | ||
| + | nft add chain bridge filter prerouting \ | ||
| + | { type filter hook prerouting priority dstnat\; } | ||
| + | nft add rule bridge filter prerouting meta \ | ||
| + | l4proto { tcp, udp } th dport 53 pkttype set host \ | ||
| + | ether daddr set " | ||
| + | nft add chain bridge | ||
| + | { type filter hook forward priority filter\; } | ||
| + | nft add rule bridge | ||
| + | oifname " | ||
| EOF | EOF | ||
| - | /etc/init.d/sysctl | + | uci -q delete firewall.bridge |
| + | uci set firewall.bridge=" | ||
| + | uci set firewall.bridge.path=" | ||
| + | uci commit firewall | ||
| + | service firewall | ||
| </ | </ | ||
| - | Customize LAN to LAN forward if required. | + | Set up [[docs: |
| - | + | ||
| - | <code bash> | + | |
| - | # Disable LAN to LAN forward | + | |
| - | uci rename | + | |
| - | uci set firewall.lan.forward=" | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | </ | + | |
| ===== Testing ===== | ===== Testing ===== | ||
| - | Use [[man>ping]], [[man>ping6]] or [[man>nmap]] between | + | Use [[man>nslookup(1)|nslookup]], [[man>ping(1)|ping]], [[man>ping6(1)|ping6]] on LAN clients to verify |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
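Review bot: the prerouting rule added here (`th dport 53 pkttype set host ... ether daddr set`) only rewrites the Ethernet destination of port-53 frames; nothing in the hunk changes the IP destination, so the router will answer those queries only if a matching DNAT rule exists in the regular inet firewall, which the hunk delegates to the truncated "Set up ..." link under the code block. State that dependency in the prose so readers do not expect the bridge rule alone to redirect DNS. Two smaller points: the heredoc body assigns and uses shell variables (`network_find_wan NET_IF`, `network_get_device NET_DEV ...`, `NET_MAC=...`) that must be evaluated when the include script runs, not when the file is written, so check that the delimiter on the `cat <<` line is quoted; and readers who followed the previous revision still have the `net.bridge.bridge-nf-call-*=1` entries appended to /etc/sysctl.conf, which keep pushing bridged frames through the inet tables, so a one-line cleanup of those entries (and of the now unused kmod-br-netfilter package) belongs in this revision.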
| Line 44: | Line 57: | ||
| <code bash> | <code bash> | ||
| # Log and status | # Log and status | ||
| - | / | + | service |
| # Runtime configuration | # Runtime configuration | ||
| - | lsmod | grep -e br_netfilter | + | lsmod | grep -e bridge |
| - | sysctl net.bridge | + | nft list ruleset |
| - | iptables-save | + | |
| - | ip6tables-save | + | |
| # Persistent configuration | # Persistent configuration | ||
| - | cat / | ||
| uci show firewall | uci show firewall | ||
| </ | </ | ||
| + | |||
| + | ===== Extras ===== | ||
| + | ==== References ==== | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
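Review bot: the "Persistent configuration" block now shows only `uci show firewall`, but after this change the rules live in the include script whose path is set in `firewall.bridge.path`, so the dropped `cat /...sysctl.conf` line should be replaced by a `cat` of that include file rather than removed; as written, the troubleshooting block never displays where the ruleset comes from. Also, `lsmod | grep -e bridge` matches the plain `bridge` module as well as the nft ones, so it no longer proves that the nftables bridge support from kmod-nft-bridge is loaded; `nft list ruleset` is the meaningful check, and narrowing it to the table the include creates (`nft list table bridge filter`) would keep the output focused on the rules this page installs.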