We are currently setting up our router with a Banana Pi R64. As operating system we use Arch Linux (thanks FrankW and ericwoud for the support), and as firewall we are just about to configure appropriate rules with nftables. Has anyone any experience with this? We would like to set up several separate subnets (home, private, guest, maybe more). We would like to assign the subnets to the MAC addresses of the clients (lists with MAC addresses for home and private, all unknown MAC addresses to the guest network). Does this make sense from your point of view? Or are there better possibilities to separate the network traffic for different authorization levels?
So far we have connected the physical interfaces (WAN, multiple eth ports, wifi interface) with a bridge br0. The wifi AP is realized with hostapd, and dnsmasq serves as DHCP and DNS server. The idea now was to split the network traffic based on the MAC address onto more bridges "hanging in the air" to realize the subnets. Do you know if and how it is possible to forward the traffic to the different bridges with nftables? Do you have better ideas to create the subnets? Maybe VLANs based on the bridge interface? How would the assignment be done? Do you know what the advantages and disadvantages are of realizing the network splitting with bridges instead of VLANs?
It would be nice to get by with as few services as possible and implement as much as possible with nftables…
AFAIK wifi can be split into multiple VIFs, which then all have their own IP subnet and can be routed to local VLANs.
A bridge normally does not separate networks… it bridges (brings them together on layer 2, Ethernet). A special case are VLAN-aware bridges, which can handle the 802.1Q protocol to not bridge different VLANs and do the tagging/untagging.
You can work either with the interfaces themselves, if this is enough, and handle everything through the firewall. If you need multiple subnetworks on one interface you have to use VLANs/VIFs and route between them (secured by the firewall).
I have done a basic firewall in nftables which you can find in my wiki. Nothing special, but you can extend it with your new interfaces… basically it is the same.
I use something similar, but a bit simpler. At the moment I cannot access my setup files; I can share them in a couple of days.
Frank is right. Set up a second or third BSS on one interface in the hostapd configuration. You will get one or more extra virtual interfaces. Add them to different bridges and use VLANs to get the traffic on the same copper network, but virtually separated.
So you get your private network on one wifi network and a guest network on another wifi network. But eventually they both use one hardware interface. You could then use MAC access control if you like for blocking, but basically guests log on to a different network.
I have this setup:
                    wan
                     |
    ROUTER-R64                       ACCESSPOINT-R64
    lan1 lan2 lan3 lan4              lan1 lan2 lan3 lan4   lan
                     |                                       |
                     -----------------------------------------
                          tagged traffic vid 2 & 3

In detail:

    ROUTER
    wan --------------------------------------
                |                            |
            IPforward                    IPforward
                |                            |
           192.168.1.1                  192.168.2.1
           BRLAN vid 2                    BRGUEST
    lan1 lan2 lan3 lan4 wlan0 veth3a    veth3b wlan0guest
      2    2    2  vid2&3  2   vid 3      |
                     |           |        |
                     |           ----------
                     |        untagged traffic
                     |
                   To AP
I use nftables only to separate the traffic in the router.
This setup also allows for fast wifi roaming between APs and the router. It is practically seamless. Fast roaming will work on the private network as well as on the guest network. This is because the setup is completely done at layer 2.
The hostapd launcher script in my Arch Linux setup already helps a lot to get this setup right. It helps with the correct MAC number, where there is enough space for the virtual interface BSS MAC numbers (zeroing the last few least significant bits of the MAC number of the wlan0 interface). It also sets up roaming correctly in hostapd. This is already set up if you use my Arch Linux install script.
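As an added, illustrative script (mine, not ericwoud's setup files or frank-w's wiki), the following builds the router side of the diagram above with iproute2 and hostapd: a VLAN-aware bridge brlan (VID 2 = private, VID 3 = guest, both tagged on lan4 towards the AP), a plain bridge brguest fed with VID 3 untagged over a veth pair, and one hostapd radio with two BSSes that hostapd itself places into the two bridges. Frank-w's single-bridge variant (VLAN sub-interfaces on the bridge, routed through the firewall) uses the same `bridge vlan` building blocks. Interface names (lan1..lan4, wlan0, wlan0guest, veth3a/veth3b), bridge names, addresses, SSIDs, passphrases and the ACL file path are assumptions chosen to match the diagram; the AP side is not shown. Without the `apply` argument the script only prints the commands it would run, so it can be reviewed before it touches anything.

```shell
#!/bin/sh
# Added example: router side of the two-bridge layout (not the poster's real config).
# brlan   = VLAN-aware bridge; VID 2 = private, VID 3 = guest, tagged on lan4 (trunk to AP)
# brguest = plain bridge; gets VID 3 untagged through the veth3a<->veth3b pair
# All names, addresses, SSIDs and passphrases below are assumptions/placeholders.
set -eu

APPLY=0   # 1 = execute the commands, 0 = only print them (dry run)

run() {
    if [ "$APPLY" -eq 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_layer2() {
    # VLAN-aware bridge. vlan_default_pvid 2 means every port added later gets
    # PVID 2 untagged, which also covers wlan0 when hostapd adds it (bridge= below).
    run ip link add name brlan type bridge vlan_filtering 1 vlan_default_pvid 2
    for p in lan1 lan2 lan3 lan4; do
        run ip link set dev "$p" master brlan
    done
    # lan4 is the trunk to the access point: VID 2 and VID 3 tagged, no PVID.
    run bridge vlan del dev lan4 vid 2
    run bridge vlan add dev lan4 vid 2
    run bridge vlan add dev lan4 vid 3
    # veth pair carrying guest traffic out of brlan: VID 3 leaves veth3a untagged.
    run ip link add name veth3a type veth peer name veth3b
    run ip link set dev veth3a master brlan
    run bridge vlan del dev veth3a vid 2
    run bridge vlan add dev veth3a vid 3 pvid untagged
    # The router itself sits on VID 2 via brlan and on the guest side via brguest.
    run ip addr add 192.168.1.1/24 dev brlan
    run ip link add name brguest type bridge
    run ip link set dev veth3b master brguest
    run ip addr add 192.168.2.1/24 dev brguest
    for d in lan1 lan2 lan3 lan4 veth3a veth3b brlan brguest; do
        run ip link set dev "$d" up
    done
}

hostapd_conf() {
    cat <<'EOF'
# Assumed hostapd.conf: one radio, two BSSes, each put into its bridge by hostapd.
interface=wlan0
bridge=brlan
driver=nl80211
ssid=home
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGEME-home
# Optional MAC allow-list on the private SSID (macaddr_acl=1: deny unless listed).
macaddr_acl=1
accept_mac_file=/etc/hostapd/home.accept

# Second BSS = guest SSID on the same radio, lands in brguest.
# If hostapd rejects the auto-derived BSSID, set bssid= to one inside the mask it reports.
bss=wlan0guest
bridge=brguest
ssid=guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGEME-guest
EOF
}

if [ "${1-}" = apply ]; then
    APPLY=1
    setup_layer2
    hostapd_conf > /etc/hostapd/hostapd.conf
    hostapd -B /etc/hostapd/hostapd.conf
fi
```

Run `sh setup.sh` to see the command list, and `sh setup.sh apply` as root to execute it. The veth pair is what lets a plain second bridge (and its own 192.168.2.1) receive VID 3 frames, which is the reason this layout stays entirely at layer 2 and roaming works on both SSIDs.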
Thanks for your fast reply. Our idea was to use the bridges as some kind of "virtual interfaces" and separate the traffic at layer 2 into the different subnetworks according to the MAC address. First we wanted to realize this by virtual network interfaces (TAP/TUN) instead of bridges, but the kernel module is unfortunately not available (CONFIG_TUN). We are a bit unsure about the separation with VLANs. On the Internet we have found contradictory information regarding the OSI layers. Partly it is written that VLANs work in layer 3, partly that all happens in layer 2.
Do you think the idea with the bridges makes sense? What would be the advantages of VLANs?
Our first attempt to forward the traffic with nftables:
The forwarding seems to work with this rule. However, DHCP and DNS with dnsmasq doesn’t work yet.
Probably with the idea we make everything more complicated again. It would just be nice to understand the advantages and disadvantages.
Since nftables is IP aware, it can work at layer 3. When only using MAC addresses, consider it some kind of layer 2, sort of…
You'll make it easier for yourself if you let guests log in to a different SSID. I have no experience using forwarding in the manner you describe.
I guess you would use MAC address access control to block one route at layer 2 and allow another route for private users. And vice versa for guests. You could do this instead of forwarding.
If it turns out you really need this, it can be added to the prebuilt kernel package I host. You could first try to edit the package and build one yourself quite easily. I can give a few pointers on how to build the edited kernel package.
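An added example of the nftables side for the brlan/brguest router in ericwoud's diagram (my ruleset, not the one from frank-w's wiki): the router separates the two bridges only in the forward chain, masquerades both towards wan, and lets dnsmasq answer DHCP and DNS on both bridges, which is the input-chain detail that most often breaks DHCP/DNS behind a drop policy. The home_macs set shows the MAC list the original poster asked about, used as a filter on the private bridge. The interface names, the 'wan' name and the two MAC addresses are assumptions/placeholders. A MAC address is trivially spoofed, so the set is a convenience filter and not the security boundary; the boundary is the SSID/VLAN split.

```shell
#!/bin/sh
# Added example: nftables ruleset for the brlan/brguest router (not the poster's config).
# Interface names and the MACs in home_macs are assumptions/placeholders.
set -eu

ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    # Known private clients (constructed placeholder MACs). Unknown MACs on brlan
    # are not forwarded to wan; such devices belong on the guest SSID instead.
    set home_macs {
        type ether_addr
        elements = { 02:00:00:00:00:01, 02:00:00:00:00:02 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto { icmp, icmpv6 } accept
        # dnsmasq: DHCP (udp/67) and DNS (53) on both bridges
        iifname { "brlan", "brguest" } udp dport { 53, 67 } accept
        iifname { "brlan", "brguest" } tcp dport 53 accept
        # management only from the private network
        iifname "brlan" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # private -> internet, only for listed MACs
        iifname "brlan" oifname "wan" ether saddr @home_macs accept
        # guest -> internet, anyone
        iifname "brguest" oifname "wan" accept
        # brlan <-> brguest is never accepted here, so the drop policy separates them
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade
    }
}
EOF
}

# "check" parses the ruleset without loading it; "apply" loads it atomically.
check() { ruleset | nft -c -f -; }
apply() { ruleset | nft -f -; }

case "${1-}" in
    check) check ;;
    apply) apply ;;
esac
```

`sh firewall.sh check` is worth running before `apply`, since `nft -f` replaces the whole ruleset in one transaction and a typo would leave the old one in place. Adding the listed MACs to hostapd's accept_mac_file on the private SSID as well keeps unknown devices off that BSS in the first place, which is the layer-2 block ericwoud describes.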