AX86U not a BROUTER, but a Bridge + Router??

[Climber]

Was trying to do some ethernet level filtering for the LAN/WLAN via ebtables -t broute and it appears that none of the destinations on the local subnet, except for the router itself, are passing through here and thus also not iptables? Also see that several SNB members suggest removing ethX from br0 if you want to isolate it.
So, am I correct in thinking the bridging used in the router for the local LAN/WLAN is completely done BEFORE it gets to ebtables processing? And there are no rules you can setup for it to filter/firewall?

Thanks for and help,
Climber

 

[Climber]

Bump!

 

[drinkingbird]

Was trying to do some ethernet level filtering for the LAN/WLAN via ebtables -t broute and it appears that none of the destinations on the local subnet, except for the router itself, are passing through here and thus also not iptables? Also see that several SNB members suggest removing ethX from br0 if you want to isolate it.
So, am I correct in thinking the bridging used in the router for the local LAN/WLAN is completely done BEFORE it gets to ebtables processing? And there are no rules you can setup for it to filter/firewall?

Thanks for and help,
Climber

Local subnet traffic (for wired devices) just passes directly via the switch. It won't hit ebtables/iptables until it goes to the CPU. At least that is how it is on my older AC model, but as far as I know that is the general design of all these home based routers, otherwise you'd be bogging the CPU down and probably not hitting 1G throughput on your LAN. The switch is basically dumb until you need to do something that involves the CPU, and wired LAN to LAN traffic is not one of those things. Similar for WLAN to WLAN if Guest isn't being used (though WLAN uses actual interfaces instead of just ports so it may be possible to do some filtering there).

The only time it would come into play is wired <-> wireless (and only certain scenarios) as that may pass through different bridges and even hit the CPU sometimes. I don't think regular wireless will pass through EBTABLES or IPTABLES since it is just another interface in the same bridge, but could be wrong there. If you really want full filtering ability you'll want to use a guest network to create that isolation, then you should be able to filter to your heart's content. You can even use YazFi to get some more functionality right in the GUI for guest networks too.

 

[Climber]

Forgot to mention it's an AX86U running on Merlin 386.7_2.
It doesn't seem like a simple hardware switch either, since I can remove an ethernet port from bridge br0 and add it to bridge br1 that is created by guest network #1 with intranet disabled, so different IP addresses assigned.

 

[drinkingbird]

Forgot to mention it's an AX86U running on Merlin 386.7_2.
It doesn't seem like a simple hardware switch either, since I can remove an ethernet port from bridge br0 and add it to bridge br1 that is created by guest network #1 with intranet disabled, so different IP addresses assigned.

Software defined bridge groups or interfaces is not uncommon on switches (even if it isn't always visible to the user). But you'll notice that you can no longer achieve 1gpbs between a guest port and a LAN port as that traffic now has to go to the CPU. But you can now use iptables and ebtables with it like I mentioned.