Trying to isolate every lan/wifi device, but can't stop nmap finding them (Flint 2)

Using Flint 2, GL-MT6000, V4.7.7

I tried VLANs, but had trouble using DNS-over-HTTPS with them, so I thought I'd try what I assumed would be foolproof traffic rules:

  1. Allow the router (192.168.8.1) to talk to all my devices
  2. Allow all devices to talk to the router (192.168.8.1)
  3. Drop all traffic on 192.168.0.0/16

It's stopped pings / nmap port scans, but if I run this from an ethernet port:
nmap 192.168.8.0/24 -sL
it is still listing the names of every device on 192.168.8.* (-sL is "list targets to scan", only takes 5 seconds).

I've transferred my ethernet ports to different subnets (192.168.21.* / 192.168.22.* / etc), and they can't be scanned or scan each other, but every ethernet port can scan 192.168.8.0/24.

Confusingly, trying nmap 192.168.8.0/24 -sL from a wifi device on that subnet doesn't list any other devices, but scanning that subnet from any ethernet port lists all the wifi devices.

How do I stop 192.168.8.0/24 leaking data, or is there an easier way to isolate every LAN and wifi device?
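As an added note and example (mine, not part of the original post or of any GL.iNet firmware): `nmap -sL` never sends a packet to the target hosts. It enumerates the range and performs one reverse-DNS (PTR) lookup per address through whatever resolver the scanning client is configured with. On OpenWrt-based firmware that resolver is normally dnsmasq on the router, and dnsmasq answers PTR queries for its own DHCP leases, so any client that is allowed to reach the router's DNS learns the hostnames of every lease regardless of how strictly client-to-client traffic is filtered. The script below emulates that list scan against a constructed lease table in dnsmasq's `/tmp/dhcp.leases` layout (expiry, MAC, IP, hostname, client-id); the `.lan` suffix assumes OpenWrt's default local domain.

```python
"""Added example, not code from the thread: an emulation of `nmap -sL`.

A list scan sends nothing to the target hosts. It enumerates the range and
performs one reverse-DNS (PTR) lookup per address, then prints whatever the
resolver answers. On OpenWrt the resolver is dnsmasq on the router, which
answers PTR queries for its own DHCP leases, so a client that is allowed to
talk to the router's DNS learns every lease's hostname no matter how strictly
client-to-client traffic is filtered. The lease table below is constructed
sample data in dnsmasq's /tmp/dhcp.leases format (expiry MAC IP hostname client-id).
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.8.101 laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.8.102 phone *
1700000000 aa:bb:cc:00:00:03 192.168.8.150 printer *
1700000000 aa:bb:cc:00:00:04 192.168.8.160 * *
"""

Resolver = Callable[[str], Optional[str]]


def ptr_name(ip: str) -> str:
    """The in-addr.arpa name a resolver queries for an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def lease_resolver(leases_text: str, domain: str = "lan") -> Resolver:
    """Simulate dnsmasq answering PTR from its lease file: one record per lease
    that carries a hostname, qualified with the router's local domain (OpenWrt
    default 'lan'). A '*' hostname means the client sent none, so no answer."""
    table: Dict[str, str] = {}
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _expiry, _mac, ip, hostname = fields[:4]
        if hostname != "*":
            table[ptr_name(ip)] = f"{hostname}.{domain}"
    return lambda ip: table.get(ptr_name(ip))


def system_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup via the host's configured resolver, i.e. what nmap does
    unless run with -n. Kept out of the test so the example runs offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def list_scan(network: str, resolve: Resolver) -> Dict[str, Optional[str]]:
    """Emulate `nmap -sL <network>`: one reverse lookup per host address and
    no packets to the hosts themselves, which is why rules that drop
    client-to-client traffic leave the output unchanged."""
    net = ipaddress.ip_network(network, strict=False)
    return {str(host): resolve(str(host)) for host in net.hosts()}


def named_hosts(results: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Only the addresses the resolver could name: what the scan reveals."""
    return {ip: name for ip, name in results.items() if name is not None}


if __name__ == "__main__":
    scan = list_scan("192.168.8.0/24", lease_resolver(SAMPLE_LEASES))
    for ip, name in named_hosts(scan).items():
        print(f"Nmap scan report for {name} ({ip})")
    # the -n equivalent: skip DNS entirely and nothing is learned
    print(len(named_hosts(list_scan("192.168.8.0/24", lambda ip: None))), "names without DNS")
```

Two quick checks on the real network follow from this: `nmap -sL -n 192.168.8.0/24` (no reverse DNS) prints no hostnames at all, and a packet capture on the scanning client during a plain `-sL` shows only PTR queries to its configured resolver, nothing to the 192.168.8.x hosts. Swap `lease_resolver(SAMPLE_LEASES)` for `system_resolver` to run the same enumeration against the router's actual DNS.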

Hi,

Not sure if nmap discovers devices through ARP. If so, ARP broadcasts may not be blocked and can still reach all devices.

# Put the iptables lines in /etc/firewall.user; the uci lines register that
# file as a firewall include so they are reapplied on every firewall reload.
# Note: iptables only sees bridged client-to-client traffic on br-lan when
# br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1.
iptables -I FORWARD -i br-lan -o br-lan -j DROP    # no forwarding between clients on the bridge
iptables -I INPUT -i br-lan -j ACCEPT              # clients may still talk to the router itself
iptables -I FORWARD -i br-lan -o wan -j ACCEPT     # clients may still reach the internet
uci add firewall include
uci set firewall.@include[-1].path='/etc/firewall.user'
uci commit firewall

It seems a bit strange. Since you mentioned that it cannot scan the devices in other subnets (192.168.21.0/24, 192.168.22.0/24, etc.), it also should not be able to scan 192.168.8.0/24.

Thank you, I've included your code in "Network - Traffic - Custom Rules", saved and rebooted the router, but it didn't help.

Things on the LAN are still able to see hostnames of every wifi device (on both normal wifi and guest wifi).

LAN devices - can see wifi devices, but not ping them.

Wifi devices - can't see or ping anything on the home network.

I did some tests, and think whatever is handling wifi is bugged and ignoring some of the rules.

I tried turning off Isolate Clients ("Network - Wireless - Advanced - Isolate Clients") in case it was overruling the iptables.

With Isolate Clients turned off:

LAN devices can see wifi devices, but not ping them (exactly as before)

Wifi devices - can see and ping each other, but cannot see the LAN devices.

The rules in "Network - Firewall - Traffic Rules" and "Network - Firewall - Custom Rules" both say there should be no communication between any devices, and are being ignored by any wireless device.

If I used separate VLANs would arp leaks be prevented?

I did try VLANs, but switched to just using different subnets and blocking traffic after I had trouble using DNS-over-HTTPS with VLANs.

If a VLAN segment is not a member of another, then it should be isolated.


Well, the solution is not easy; please let me explain:

Wireless client isolation is done through hostapd. The downside is that it only covers the wireless side: over wireless there will be no client-to-client communication. It is a driver hook which does this directly on the bridge, which is layer 2, but it ignores Ethernet clients.

Ethernet, however, is layer 2 and the firewall is layer 3; a firewall isn't able to enforce client-to-client isolation like hostapd does, and ARP and broadcast are layer 2.

So what are your choices?

You need to install something called ebtables.

An isolation command works as follows:

ebtables --append FORWARD --logical-in br-lan -j DROP

You could add this line as a startup command via LuCI.

ebtables filters on the bridge itself, so isolation is possible, and it likely applies to the wireless clients as well, meaning the current wireless isolation is not necessary anymore.

VLANs, however, only isolate per network, not per client.

You might want to change the command to use the derived VLAN device, which must be a child of br-lan, or the parent bridge it belongs to.
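An added example (mine, not code from the thread, from GL.iNet or from OpenWrt) that turns the answer above into a startup script: the ebtables FORWARD chain only sees frames the bridge would forward between two of its own member ports, so a catch-all DROP there stops client-to-client traffic and the flooded ARP/broadcast frames that layer-2 discovery relies on, while frames addressed to the router itself (DHCP, DNS, the web UI, anything routed to WAN) take the bridge INPUT/OUTPUT path and keep working. The `BRIDGE`, `DRY_RUN` and `ALLOW_HOSTS` variables are my own additions; `ALLOW_HOSTS` is a hypothetical "mac/ip" allow-list for devices every client may still reach (a printer, a NAS), and it needs the extra ARP rule because ARP requests for such a device are broadcasts that the plain MAC match would otherwise drop. The ebtables options used (`--logical-in`, `-s`, `-d`, `-p ARP --arp-ip-dst`) are standard ebtables options. One caveat I would add to the answer: keep the wireless "Isolate Clients" option enabled as well, because without it the wireless driver forwards frames between stations on the same SSID before they ever reach the Linux bridge, and ebtables never sees them.

```shell
#!/bin/sh
# Added example, not code from the thread or from GL.iNet/OpenWrt: enforce
# client isolation on a bridge with ebtables, following the answer above.
# Assumptions (mine): the bridge is br-lan (override with BRIDGE=...), ebtables
# is installed (opkg install ebtables), and ALLOW_HOSTS is a hypothetical
# allow-list of "mac/ip" entries for devices every client may still reach.
# Run from /etc/rc.local or a LuCI startup entry as:  sh isolate.sh --apply

# run: execute the command, or only print it when DRY_RUN=1 (review/testing)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_entry: accept only "lowercase-mac/dotted-ipv4" so a typo in ALLOW_HOSTS
# cannot become a malformed or overly broad ebtables match
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}/([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# isolation_apply: rebuild the bridge FORWARD chain as allow-list + catch-all DROP.
# Only frames the bridge forwards between two of its own ports traverse this
# chain; frames addressed to the router itself (DHCP, DNS, the web UI, anything
# routed to WAN) take the bridge INPUT/OUTPUT path and are unaffected. Flooded
# broadcasts such as ARP requests are dropped on the way to every other client
# port, which is what stops layer-2 discovery between clients.
isolation_apply() {
    bridge="${BRIDGE:-br-lan}"
    if [ "${DRY_RUN:-0}" != 1 ] && ! command -v ebtables >/dev/null 2>&1; then
        echo "ebtables not installed (opkg install ebtables)" >&2
        return 1
    fi
    # validate the whole allow-list before touching the chain
    for entry in ${ALLOW_HOSTS:-}; do
        if ! valid_entry "$entry"; then
            echo "invalid ALLOW_HOSTS entry (want mac/ip): $entry" >&2
            return 1
        fi
    done
    run ebtables -F FORWARD        # idempotent: start from an empty chain
    for entry in ${ALLOW_HOSTS:-}; do
        mac="${entry%/*}"
        ip="${entry#*/}"
        # broadcast ARP requests for the allowed device must still be flooded,
        # otherwise clients can never learn its MAC; replies are unicast and
        # are covered by the -s/-d rules below
        run ebtables -A FORWARD --logical-in "$bridge" -p ARP --arp-ip-dst "$ip" -j ACCEPT
        run ebtables -A FORWARD --logical-in "$bridge" -d "$mac" -j ACCEPT
        run ebtables -A FORWARD --logical-in "$bridge" -s "$mac" -j ACCEPT
    done
    # everything else that would be bridged between clients is dropped
    run ebtables -A FORWARD --logical-in "$bridge" -j DROP
}

case "${1:-}" in
    --apply) isolation_apply ;;
esac
```

Run it once with `DRY_RUN=1 ALLOW_HOSTS='aa:bb:cc:00:00:03/192.168.8.150' sh isolate.sh --apply` to review the exact rules before applying them, and `ebtables -L FORWARD` afterwards to confirm the chain ends in the DROP. For a VLAN-derived bridge, set `BRIDGE` to that device, as the answer suggests. The flush of the FORWARD chain removes any other ebtables FORWARD rules, so merge them in here if you have some.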

