I’m having trouble with the “to-client” attribute for firewall rules.
IMHO, the definition of “to-client” should be packets destined to IP addresses that appear in the “to-address” of the hotspot->hosts list.
That said, it seems to fail in these cases:
- Firewall rules in filter->output chain don’t miss the “to-client” attribute.
- Also, packets flowing from one hotspot client to another in filter->forward also miss the “to-client” attribute (as if they were not destined to clients).
I have just confirmed the last one in version 4.16.
I use the “to-client” stuff to filter out junk traffic to public addresses that have not been assigned to clients.