WiFi Bridge & transparent firewall

  • Hi

    I have a LAN VLAN interface and another VLAN with wireless traffic. They are both on the same physical interface trunk.

    Now they are routed, but I'd like to permit IGMP and multicast between the two. Since IGMP proxy is broken I'm thinking about bridging the two interfaces.
    I saw many guides about bridging wifi and LAN, but I don't know if this can work also with VLANs.

    And I'd would like also to do transparent firewall between LAN and WIFI, but the guides about transparent firewall are for WAN/LAN.

    So this is what I'm planning:

    • remove ip from LAN interface

    • remove association between em1_VLAN10 and LAN (using some temporary interface to keep settings)

    • remove ip from WIFI interface

    • remove association between em1_VLAN30 and WIFI

    • create bridge0 with em1_VLAN10 and em1_VLAN30

    • associate bridge0 with LAN and assign LAN address to it

    • associate em1_VLAN10 to OPT_WIRED interface and em1_VLAN30 to OPT_WIFI interface to have the tabs in firewall rules.

    I have a physical interface only for management so I will not be cut out of the firewall.


    Are firewall rules and dhcp settings retained?

    The rules once applied to LAN are applied to bridge0, so to hosts on every interface of the bridge?

    How can I enable firewall rules between em1_VLAN10 and em1_VLAN30, while keeping also LAN outbound rules?

    Can I have problems with NAT from WAN to hosts on LAN (only the wired part)?

    Do I have to change net.link.bridge.pfil_member or net.link.bridge.pfil_bridge from default?

    Thanks for every help

  • Ok, now I have the LAN interface assigned to bridge0, with all the old firewall rules and dhcp settings.

    I set net.link.bridge.pfil_bridge =1 so rules are now applied to the whole bridge

    I also kept net.link.bridge.pfil_member =1 and I created two catch all any any rules: from wireless to wired and from wired to wireless. I enabled logging so I'm seeing the traffic traversing the bridge.

    Lan devices works as before. I still have to test the wireless part because I'm not home.

    Now I must start writing some rule for the wireless part to limit access to the wired one and do some testing.

  • Everything is working fine  :D
    I only had a problem on the ubiquiti APs: SLAAC assign duplicated IPs on bridge interfaces inside the AP causing ARP loops. Disabling ipv6 support in the AP solves the issue

Log in to reply