I have implemented some basic client isolation on a switch connected to multiple hAPs (on ether1, ether2). The uplink router with MAC AA:BB:CC:DD:EE:FF is connected via SFP.
So the first rule only allows traffic to the uplink router, the second rule allows the uplink router to communicate with all clients. The third rule allows broadcast, so that DHCP would work. The last rule blocks everything else.
The third rule is not very selective, and I am wondering if there is a possibility to process packets that fall here with a bridge/firewall filter, while keeping all other rules active to be run under hardware offloading.
My CPU usage is low; everything is indeed hardware offloaded. My thinking was to use the firewall or bridge filter for broadcast traffic. Is that possible? Having some packets being hardware offloaded while others are being processed by the CPU?
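The four switch ACL rules described in the question, written out as an added example (not the poster's actual configuration), followed by a more selective replacement for the broadcast rule that only admits ARP and DHCP. It assumes the switch is named switch1, the client ports are ether1 and ether2, the uplink is sfp1, and the switch chip's ACL can match mac-protocol and UDP ports (chip-dependent); switch rules are evaluated in order and a rule with no action simply permits the match.

```routeros
# Added example, not from the original post. Assumed names: switch1, sfp1.
/interface ethernet switch rule

# 1. Clients may only talk to the uplink router (exact MAC match).
add switch=switch1 ports=ether1,ether2 \
    dst-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF \
    comment="clients -> uplink router"

# 2. The uplink router may reach every client.
add switch=switch1 ports=sfp1 \
    src-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF \
    comment="uplink router -> clients"

# 3. (as described in the question) any broadcast from clients so DHCP works.
#    This also lets clients see each other's ARP/DHCP and any other broadcast.
add switch=switch1 ports=ether1,ether2 \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    comment="clients -> any broadcast (coarse)"

# 4. Everything else from clients is dropped (empty destination port list).
add switch=switch1 ports=ether1,ether2 new-dst-ports="" \
    comment="drop all other client traffic"

# Tighter alternative to rule 3 (replace it with these two, same position):
# 3a. ARP broadcasts, needed so clients can resolve the router's MAC.
add switch=switch1 ports=ether1,ether2 mac-protocol=arp \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    comment="clients -> ARP broadcast"
# 3b. DHCP client -> server (UDP 68 -> 67) only; requires L3/L4 ACL support.
add switch=switch1 ports=ether1,ether2 mac-protocol=ip protocol=udp \
    src-port=68 dst-port=67 \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    comment="clients -> DHCP discover/request"
```

Place 3a/3b where rule 3 sat so the final drop rule still catches everything else; verify with `/interface ethernet switch rule print stats` that the DHCP and ARP counters increment while the drop rule absorbs other client broadcasts.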
No, it won't work nicely. You're using the device as a switch, so you're looking at using a software bridge. And there aren't any fine-tuning knobs as to what to offload from the bridge to hardware and what not. If you'd go via ip-firewall on the bridge, all the traffic would have to pass the software bridge (CPU bound) and additionally the firewall filters (even harder hit on the CPU).
As @mkx states, it is unlikely to work nicely. As the Ethernet ports presented in the UI are logically multiplexed over a single connection between the switch chip and the CPU, using proprietary vendor headers added to the packets, there can be undocumented interactions between software features and programming the switch directly.
For broadcast packets, if the original ingress port is preserved when using an ACL entry to redirect to the CPU port, it may be possible to use bridge filters (or IP filters with use-ip-firewall=yes); it would need experimentation.