Port / device isolation AX88U

[cputoaster]

I am trying to isolate the one device on one port on my AX88U so it cannot see anything of the other ports / wifis / devices apart from the router in the simplest way. Tried different things, but nothing works, pings still work fine from the device on the port (eth4, ip 192.168.87.4) to other IPs on the network:

cat firewall-start
#!/bin/sh

ebtables -A FORWARD -i eth4 --logical-out br0 -j DROP
ebtables -A FORWARD -o eth4 --logical-in br0 -j DROP
iptables -A FORWARD 1 -i eth4 -o br0 -j DROP
iptables -A FORWARD 1 -o eth4 -i br0 -j DROP
iptables -I FORWARD 1 -s 192.168.87.4/32 -d 192.168.87.0/24 -j DROP

Any ideas? Is there some kind of direct bridging happening where all these rules don't apply?

I did see this: https://wu.renjie.im/blog/network/ax88u-vlan/ but it seems a bit complicated to do a whole vlan setup just for isolating a single device.

Merlin 3004.388.7

 

[eibgrad]

By default, any WLAN/LAN network interfaces are bridged. So you can't control traffic between those members of the bridge using the filter table of either iptables or ebtables. You can, however, use the BROUTING chain of the broute table of ebtables for such purposes.

ebtables -t broute -A BROUTING -p IPv4 -i eth4 --ip-dst 192.168.87.0/24 -j DROP

 

[cputoaster]

Thank you very much! I just tried that, pings and ssh still work between hosts though, so something is not exactly working as intended. In the man page of ebtables there is something about DROP not actually dropping but making it routed, which I did not get my head around yet. Just to be sure I added some iptable entries, but it did not help:

iptables -I FORWARD 1 -s 192.168.87.4/32 -d 192.168.87.0/24 -j DROP