Best practice - Firewall configuration with nftables - different subnetworks (guest, private, etc.)

Hello all,

We are currently setting up our router with a Banana Pi R64. As operating system we use Arch Linux (thanks FrankW and ericwoud for the support), and as firewall we are just about to configure appropriate rules with nftables. Has anyone any experience with this?

We would like to set up several separate subnets (home, private, guest, maybe more). We would like to assign the subnetworks to the MAC addresses of the clients (lists with MAC addresses for home and private, all unknown MAC addresses to the guest network). Does this make sense from your point of view? Or are there better possibilities to separate the network traffic for different authorization levels?

So far we have connected the physical interfaces (WAN, multiple eth ports, wifi interface) with a bridge br0. The Wifi AP is realized with hostapd, and dnsmasq serves as DHCP and DNS server. The idea now was to split the network traffic based on the MAC address to more bridges "hanging in the air" to realize the subnets. Do you know if and how it is possible to forward the traffic to the different bridges with nftables? Do you have better ideas to create the subnets? Maybe VLANs based on the bridge interface? How would the assignment be done? Do you know what the advantages and disadvantages are of realizing the network splitting with bridges instead of VLANs? It would be nice to get by with as few services as possible and implement as much as possible with nftables...

I am curious about your ideas and experiences:)

Afaik wifi can be split into multiple VIFs which then all have their own IP subnet and can be routed to local VLANs.

A bridge normally does not separate networks... it bridges (brings them together on layer 2, Ethernet). A special case are VLAN-aware bridges, which can handle the 802.1Q protocol so as not to bridge different VLANs, and do the tagging/untagging.

You can either work with the interfaces themselves, if this is enough, and handle everything through the firewall. If you need multiple subnetworks on one interface you have to use VLAN/VIF and route between them (secured by the firewall).

I have done a basic firewall in nftables which you can find in my wiki. Nothing special, but you can extend it with your new interfaces... basically it is the same.

I use something similar, but a bit more simple. At the moment I cannot access my setup files, I can share them in a couple of days.

Frank is right. Set up a second or third BSS on one interface in the hostapd configuration. You will get one or more extra virtual interfaces. Add them to different bridges and use VLANs to get the traffic on the same copper network, but virtually separated.

So you get your private network on one wifi network and a guest network on another wifi network. But eventually they both use one hardware interface. You could then use MAC access control if you like for blocking, but basically guests log on to a different network.

I have this setup:

      ROUTER-R64                            ACCESSPOINT-R64
   lan1 lan2 lan3 lan4                  lan1 lan2 lan3 lan4 lan
                   |                     |
                  tagged traffic vid 2 & 3

In detail


                wan  -------------------------------------
                 |                                       |
              IPforward                               IPforward
                 |                                       |
            BRLAN vid 2                               BRGUEST                                         
lan1 lan2 lan3  lan4  wlan0 veth3a                veth3b  wlan0guest
  2    2    2  vid2&3    2   vid 3                  |
                   |          |                     |
                   |          -----------------------
                   |             untagged traffic
                 To AP


            BRLAN vid 2                               BRGUEST                                         
 lan1  lan2 lan3 lan4 wlan0 veth3a                veth3b  wlan0guest
vid2&3   2    2    2    2    vid 3                   |
     |                         |                     |
     |                         -----------------------
     |                                 untagged traffic
   To Router

I use nftables only to separate the traffic in the router.

This setup also allows for fast wifi roaming between APs and the router. It is practically seamless. Fast roaming will work on the private network as well as on the guest network. This is because the setup is completely done at layer 2.

The hostapd launcher script in my Archlinux setup already helps a lot to get this setup right. It helps with the correct MAC number, where there is enough space for the virtual interface BSS MAC numbers (zeroing the last few least significant bits of the MAC number of the wlan0 interface). It also sets up roaming correctly in hostapd. This is already set up if you use my Archlinux install script.
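The same topology built with one VLAN-aware bridge instead of BRLAN/BRGUEST plus a veth pair, as an added example that is not from this thread and not ericwoud's launcher script. It covers what FrankW's post calls a VLAN-aware bridge and what the diagram above does with two bridges: lan1, lan2, lan3 and wlan0 are untagged ports of VLAN 2, lan4 is the tagged trunk to the other R64 carrying VLANs 2 and 3, br0.2 and br0.3 are the router's legs, and hostapd's second BSS (wlan0guest) lands on VLAN 3. All interface names, VLAN IDs, addresses, SSIDs and passphrases are assumptions. The script only prints its plan unless APPLY_L2=1 is set and it runs as root.

```sh
# Added example (not from the thread): one VLAN-aware bridge instead of
# BRLAN/BRGUEST + veth. Interface names, VLAN IDs and addresses are assumed.
# Run as root with APPLY_L2=1 to actually configure the box; otherwise it prints.

BR=br0
LAN_PORTS="lan1 lan2 lan3"   # access ports, private network (vid 2)
TRUNK=lan4                   # tagged trunk to the second R64 (vid 2 and 3)
WIFI=wlan0                   # primary BSS, private
WIFI_GUEST=wlan0guest        # second BSS created by hostapd, guest
VID_LAN=2
VID_GUEST=3
LAN_ADDR=192.168.2.1/24
GUEST_ADDR=192.168.3.1/24

# Print the ip/bridge commands that build the layer-2 topology, so the plan
# can be reviewed (or tested) before it touches anything.
l2_plan() {
    # vlan_default_pvid 0: a freshly enslaved port belongs to no VLAN and
    # forwards nothing until it is explicitly given one (fail closed).
    echo "ip link add name $BR type bridge vlan_filtering 1 vlan_default_pvid 0"
    echo "ip link set $BR up"
    for p in $LAN_PORTS $WIFI; do
        echo "ip link set $p master $BR"
        # access port: untagged frames in, tag stripped out, only vid 2
        echo "bridge vlan add dev $p vid $VID_LAN pvid untagged"
    done
    echo "ip link set $TRUNK master $BR"
    echo "bridge vlan add dev $TRUNK vid $VID_LAN"
    echo "bridge vlan add dev $TRUNK vid $VID_GUEST"
    # the bridge device itself must be a member, so br0.2/br0.3 can route
    echo "bridge vlan add dev $BR vid $VID_LAN self"
    echo "bridge vlan add dev $BR vid $VID_GUEST self"
    echo "ip link add link $BR name $BR.$VID_LAN type vlan id $VID_LAN"
    echo "ip link add link $BR name $BR.$VID_GUEST type vlan id $VID_GUEST"
    echo "ip addr add $LAN_ADDR dev $BR.$VID_LAN"
    echo "ip addr add $GUEST_ADDR dev $BR.$VID_GUEST"
    echo "ip link set $BR.$VID_LAN up"
    echo "ip link set $BR.$VID_GUEST up"
}

# hostapd creates $WIFI_GUEST when it starts and puts it into $BR (bridge=).
# Because of vlan_default_pvid 0 it carries nothing until this runs.
guest_port_plan() {
    echo "bridge vlan add dev $WIFI_GUEST vid $VID_GUEST pvid untagged"
}

# Two BSSs on one radio. hostapd derives the second BSSID from wlan0's MAC,
# which is why the low bits of that MAC need to be free (see the post above).
gen_hostapd_conf() {
    cat <<EOF
interface=$WIFI
driver=nl80211
bridge=$BR
hw_mode=g
channel=6
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-private
# second BSS: own SSID and passphrase, same bridge, separated by VLAN membership
bss=$WIFI_GUEST
bridge=$BR
ssid=guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-guest
# guests must not see each other's frames either
ap_isolate=1
EOF
}

apply_l2() {
    l2_plan | while IFS= read -r cmd; do eval "$cmd"; done
}

if [ "${APPLY_L2:-0}" = 1 ]; then
    apply_l2
    gen_hostapd_conf > /etc/hostapd/hostapd.conf
    echo "start hostapd, then run: $(guest_port_plan)"
fi
```

Run the script without APPLY_L2 first and read the plan; `bridge vlan show` after applying should list lan1-lan3 and wlan0 with "2 PVID Egress Untagged", lan4 with 2 and 3, and wlan0guest with nothing until the guest_port_plan command has been run.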

Thanks for your fast reply. Our idea was to use the bridges as some kind of "virtual interfaces" and separate the traffic at layer 2 into the different subnetworks according to the MAC address. First we wanted to realize this by virtual network interfaces (TAP/TUN) instead of bridges, but the kernel module is unfortunately not available (CONFIG_TUN). We are a bit unsure about the separation with VLANs. On the Internet we have found contradictory information regarding the OSI layers. Partly it is written that VLANs work in layer 3, partly that all happens in layer 2. Do you think the idea with the bridges makes sense? What would be the advantages of VLANs? Our first attempt to forward the traffic with nftables:

table netdev forwardTraffic {
  set macs { type ether_addr; }
  chain ingress {
    type filter hook ingress devices = $DEV_INTERNAL_PHY priority filter; policy accept;
    ether saddr @macs ether daddr set <targetMAC>
  }
}

The forwarding seems to work with this rule. However, DHCP and DNS with dnsmasq don't work yet. Probably with this idea we make everything more complicated again :) It would just be nice to understand the advantages and disadvantages.
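A routed separation enforced on the router's legs, as an added example that is not from this thread: instead of rewriting destination MACs at ingress, the two subnets are VLAN legs of the bridge (br0.2 private, br0.3 guest) and nftables in the inet family decides what may cross them, with one ruleset for IPv4 and IPv6. Both networks may reach the WAN, the guest leg may talk to the router only for DHCP and DNS, and nothing is forwarded between the legs. A minimal dnsmasq configuration serving both legs is included; dnsmasq matches each dhcp-range to the leg whose subnet it falls in. The interface names (wan, br0.2, br0.3), subnets and file paths are assumptions. The script only prints unless APPLY_FW=1 is set and it runs as root.

```sh
# Added example (not from the thread): routed private/guest separation with
# nftables (inet family) plus dnsmasq on both legs. Names and subnets assumed.
# Run as root with APPLY_FW=1 to load the ruleset; otherwise only print it.

WAN=wan
LAN_IF=br0.2             # private leg (VLAN 2 on the bridge)
GUEST_IF=br0.3           # guest leg (VLAN 3 on the bridge)
LAN_NET=192.168.2.0/24
GUEST_NET=192.168.3.0/24

gen_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # neighbour discovery must pass or IPv6 on the legs silently breaks
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        # the private side may talk to the router itself (ssh, web ui, ...)
        iifname "$LAN_IF" accept
        # guests get exactly what dnsmasq offers: DHCP and DNS, nothing else
        iifname "$GUEST_IF" udp dport { 53, 67 } accept
        iifname "$GUEST_IF" tcp dport 53 accept
        iifname "$GUEST_IF" ip saddr $GUEST_NET icmp type echo-request accept
        iifname "$WAN" icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # both networks may reach the internet (IPv4 shown; add ip6 saddr
        # rules for your delegated prefixes if you route IPv6)
        iifname "$LAN_IF" ip saddr $LAN_NET oifname "$WAN" accept
        iifname "$GUEST_IF" ip saddr $GUEST_NET oifname "$WAN" accept
        # guest -> private is already covered by the drop policy; the counter
        # makes attempts visible in 'nft list ruleset'
        iifname "$GUEST_IF" oifname "$LAN_IF" counter drop
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN" masquerade
    }
}
EOF
}

# dnsmasq listens on the two legs only; each range is matched to the leg
# whose subnet it belongs to, so no per-interface tagging is needed.
gen_dnsmasq_conf() {
    cat <<EOF
interface=$LAN_IF
interface=$GUEST_IF
bind-interfaces
dhcp-range=192.168.2.100,192.168.2.200,12h
dhcp-range=192.168.3.100,192.168.3.200,1h
EOF
}

# Parse the ruleset without committing it; skipped where nft is not installed.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found, skipping syntax check" >&2
        return 0
    fi
    gen_ruleset | nft -c -f -
}

if [ "${APPLY_FW:-0}" = 1 ]; then
    check_ruleset
    gen_ruleset | nft -f -
    gen_dnsmasq_conf > /etc/dnsmasq.conf   # replaces the existing file
fi
```

After loading, a guest client should get a lease and resolve names but `ping 192.168.2.1` from the guest network should fail, and the `counter drop` rule in `nft list ruleset` shows how often guests tried to reach the private leg.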


Vlan works at layer 2.

Since nftables is IP aware, it can work at layer 3. When only using MAC addresses, consider it some kind of layer 2, sort of...

You’ll make it yourself easier, if you let guests login to a different SSID. I have no experience using forwarding in this manner you describe.

I guess you would use MAC address access control to block one route at layer 2 and allow another route for private users. And vice versa for guests. You could do this instead of forwarding.

You could also use hostapd's dynamic VLAN tagging function. It uses a RADIUS server to map MAC addresses to VLANs.

I believe it creates a separate bridge for every VLAN ID used.

It does mean that the users log in to a RADIUS server instead of WPA(2), but it might fit exactly what you are looking for.

If it turns out you really need this, it can be added to the prebuilt kernel package I host. You could first try to edit the package and build one yourself quite easily. I can give a few pointers on how to build the edited kernel package.
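The MAC-to-VLAN assignment the original post asks for, done with hostapd's dynamic VLAN support but without a RADIUS server, as an added example that is not from this thread: hostapd consults its accept list first in every macaddr_acl mode, and a VLAN ID written after a MAC there is applied to that station; stations not in the list stay on the BSS's own bridge, which becomes the guest network. The block also shows the hardened variant a practitioner should prefer, since a MAC address is trivially spoofed and a shared passphrase lets any guest claim a home device's MAC: a wpa_psk_file with one passphrase per home device, each carrying its VLAN ID, and a wildcard entry for guests. File paths, bridge names, VLAN IDs, the sample MACs and the passphrases are assumptions; compare the line formats with the hostapd.conf, hostapd.accept and hostapd.wpa_psk files shipped with your hostapd version. The script only prints unless APPLY_HOSTAPD=1 is set and it runs as root.

```sh
# Added example (not from the thread): hostapd placing stations on a VLAN by
# MAC address from its own accept list (no RADIUS), and the per-device-PSK
# variant that does not trust the MAC alone. Paths, names, MACs assumed.

HOSTAPD_DIR=/etc/hostapd
VID_HOME=2
BR_HOME=brlan        # private network bridge; must exist before hostapd starts
BR_DEFAULT=brguest   # where stations without a VLAN assignment end up

# Constructed sample: known home devices and their VLAN. Unknown stations are
# not listed, get no VLAN and stay on the BSS default bridge (guest network).
gen_accept_file() {
    cat <<EOF
02:11:22:33:44:01 $VID_HOME
02:11:22:33:44:02 $VID_HOME
EOF
}

# VLAN ID -> wireless sub-interface hostapd creates -> bridge it is added to
gen_vlan_file() {
    echo "$VID_HOME wlan0.$VID_HOME $BR_HOME"
}

# Hardened variant: each home device has its own passphrase that carries the
# VLAN ID; the wildcard MAC is the guest passphrase and gets no VLAN.
gen_psk_file() {
    cat <<EOF
vlanid=$VID_HOME 02:11:22:33:44:01 home-device-01-passphrase
vlanid=$VID_HOME 02:11:22:33:44:02 home-device-02-passphrase
00:00:00:00:00:00 guest-passphrase
EOF
}

# PER_DEVICE_PSK=1 selects the wpa_psk_file variant, otherwise the accept list
# with a single shared passphrase (the weaker, MAC-only assignment).
gen_hostapd_conf() {
    cat <<EOF
interface=wlan0
driver=nl80211
bridge=$BR_DEFAULT
ssid=home
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# dynamic_vlan=1: VLAN assignment is optional; unassigned stations stay on bridge=
dynamic_vlan=1
vlan_file=$HOSTAPD_DIR/hostapd.vlan
EOF
    if [ "${PER_DEVICE_PSK:-0}" = 1 ]; then
        echo "wpa_psk_file=$HOSTAPD_DIR/hostapd.wpa_psk"
    else
        # macaddr_acl=0: accept unless denied; the accept list is still
        # consulted first and its VLAN ID applied to the station
        echo "macaddr_acl=0"
        echo "accept_mac_file=$HOSTAPD_DIR/hostapd.accept"
        echo "wpa_passphrase=CHANGE-ME-shared"
    fi
}

if [ "${APPLY_HOSTAPD:-0}" = 1 ]; then
    ip link show "$BR_HOME" >/dev/null 2>&1 || ip link add "$BR_HOME" type bridge
    ip link show "$BR_DEFAULT" >/dev/null 2>&1 || ip link add "$BR_DEFAULT" type bridge
    gen_accept_file  > "$HOSTAPD_DIR/hostapd.accept"
    gen_vlan_file    > "$HOSTAPD_DIR/hostapd.vlan"
    gen_psk_file     > "$HOSTAPD_DIR/hostapd.wpa_psk"
    gen_hostapd_conf > "$HOSTAPD_DIR/hostapd.conf"
    chmod 600 "$HOSTAPD_DIR/hostapd.wpa_psk" "$HOSTAPD_DIR/hostapd.conf"
fi
```

With either variant, a home device that associates shows up as `wlan0.2` in `bridge link` under brlan, while an unknown station is only ever visible under brguest; the router-side nftables rules between brlan and brguest still have to deny guest-to-private traffic, the VLAN placement alone is not a firewall.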