How to prevent communication between two bridges?

Hello all, I am puzzled currently; the configuration is as follows:
eth1 - wan
eth2-6 bridge1
eth9-10 bridge2

Each bridge has a different IP, and there are two DHCP servers, one on each bridge. Everyone gets to the internet, DHCP works, etc. I have the default firewall rules.

What gets me is that devices from two different bridges can see each other, even if they are on different subnets. How can I prevent that? I have two different networks that use the same router and internet access, but must not see each other.

use ip firewall filter and chain forward.

Drop subnet a to subnet b and vice versa.

Or use search on the forum. It has been asked and answered multiple times :)

ip firewall filter add chain=forward src-address=XXX.XXX.XXX.XXX/X dst-address=YYY.YYY.YYY.YYY/Y action=drop
ip firewall filter add chain=forward src-address=YYY.YYY.YYY.YYY/Y dst-address=XXX.XXX.XXX.XXX/X action=drop

XXX.XXX.XXX.XXX/X - Bridge1 Subnet example 192.168.1.0/24
YYY.YYY.YYY.YYY/Y - Bridge2 Subnet example 192.168.2.0/24

Thank you guys.

Maybe it is a dumb question, but is it possible to do this with in-interface / out-interface? Or interface lists?

Thanks

I’m almost certain that it is possible to do it with interfaces. My view, however, is that it is un-intuitive as you’re trying to prevent L3 connectivity using L1 filtering.

Yes, that is possible by using the bridge as the in- or out-interface. Lists are possible too.
It is in fact better (especially for the incoming interface) as it does not rely on the "valid" addresses on that interface,
so it blocks invalid addresses as well (packets sent with a forged source address).
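To make the difference between the two approaches in this thread concrete (the address-based drop rules posted earlier and the interface-based variant described here), the following is an added example, not code from any of the posters or from MikroTik. It is a small Python stand-in for the RouterOS forward chain: rules are evaluated top to bottom, the first match decides, and a packet that matches nothing falls through to accept. The interface names bridge1, bridge2 and eth1 and the two subnets are taken from the thread; the sample packets, including the one with a forged source address, are constructed. The interface-based rules correspond to RouterOS parameters `in-interface=bridge1 out-interface=bridge2` (and the reverse).

```python
"""Forward-chain simulator: address-based vs interface-based inter-bridge drop rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """One routed packet as the forward chain sees it (constructed sample data)."""
    src: str
    dst: str
    in_iface: str
    out_iface: str


@dataclass
class Rule:
    """A forward-chain rule. Unset matchers are wildcards, like omitted RouterOS parameters."""
    action: str
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address):
            return False
        if self.dst_address and ip_address(pkt.dst) not in ip_network(self.dst_address):
            return False
        if self.in_interface and pkt.in_iface != self.in_interface:
            return False
        if self.out_interface and pkt.out_iface != self.out_interface:
            return False
        return True


def evaluate_forward(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """Walk the chain top to bottom; the first matching rule decides, otherwise accept."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The two rules from the thread, with the example subnets filled in:
#   add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=drop
#   add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=drop
ADDRESS_RULES = [
    Rule("drop", src_address="192.168.1.0/24", dst_address="192.168.2.0/24"),
    Rule("drop", src_address="192.168.2.0/24", dst_address="192.168.1.0/24"),
]

# The interface-based alternative:
#   add chain=forward in-interface=bridge1 out-interface=bridge2 action=drop
#   add chain=forward in-interface=bridge2 out-interface=bridge1 action=drop
INTERFACE_RULES = [
    Rule("drop", in_interface="bridge1", out_interface="bridge2"),
    Rule("drop", in_interface="bridge2", out_interface="bridge1"),
]

# Constructed traffic. eth1 is the WAN interface from the thread; 203.0.113.5 is a
# documentation-range address standing in for "some host on the internet".
SAMPLE_PACKETS: Dict[str, Packet] = {
    "bridge1_to_bridge2": Packet("192.168.1.10", "192.168.2.20", "bridge1", "bridge2"),
    "bridge2_to_bridge1": Packet("192.168.2.20", "192.168.1.10", "bridge2", "bridge1"),
    "bridge1_to_internet": Packet("192.168.1.10", "203.0.113.5", "bridge1", "eth1"),
    # A host on bridge1 sending with a source address outside its own subnet.
    "forged_source": Packet("10.9.9.9", "192.168.2.20", "bridge1", "bridge2"),
}


def compare(packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, Tuple[str, str]]:
    """Return (address-rule verdict, interface-rule verdict) for each sample packet."""
    return {
        name: (evaluate_forward(ADDRESS_RULES, pkt), evaluate_forward(INTERFACE_RULES, pkt))
        for name, pkt in packets.items()
    }


if __name__ == "__main__":
    for name, (by_addr, by_iface) in compare().items():
        print(f"{name:22s} address-rules={by_addr:7s} interface-rules={by_iface}")
```

Running it shows both rule sets dropping ordinary bridge-to-bridge traffic and passing traffic to the WAN, but only the interface-based rules drop the packet whose source address does not belong to the bridge it arrived on; the address-based pair simply has no rule that matches it. Interface lists would work the same way here, with `in-interface-list` / `out-interface-list` in place of the single interface names.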

Thanks!