Friday, March 27, 2026

Block guest WiFi clients from reaching other hosts on LAN

On OpenWrt 25.12, I set up a guest WiFi interface bridged onto the LAN:

config wifi-iface 'wifinet2'
    option device 'radio1'
    option mode 'ap'
    option ssid 'xxxx'
    option encryption 'sae-mixed'
    option key 'xxxxxxx'
    option ocv '0'
    option ieee80211w '2'
    option ifname 'wifi-guest'
    option network 'lan'

However, I want to block hosts on the guest wifi from reaching other hosts on br-lan except the router.

I used the following config.

in /root/guest_isolate.nft

table bridge guest_isolation
delete table bridge guest_isolation

table bridge guest_isolation {
  chain forward {
    type filter hook forward priority 0; policy accept
    iifname "wifi-guest" counter drop
  }
}

in /etc/config/firewall

config include
        option type 'nftables'
        option path '/root/guest_isolate.nft'
        option position 'ruleset-post'

The kmod-nft-bridge package must be installed, otherwise the bridge-family table cannot be loaded.
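A small verification helper, added here and not part of the original post: on the router you would feed it the live output of `nft list table bridge guest_isolation`, while below a constructed sample of that output is embedded so the check runs offline. The table and interface names come from the config above; the counter values in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that the guest
# isolation table is loaded and that its forward chain drops frames
# arriving on the guest interface, then prints the rule's packet counter
# so you can confirm hits accumulate when a guest client probes the LAN.
#
# Return codes: 0 ok, 1 table not loaded (e.g. include failed because
# kmod-nft-bridge is missing), 2 no forward hook, 3 no drop rule for ifname.
check_guest_isolation() {
    ifn="$1"
    ruleset="$2"
    printf '%s\n' "$ruleset" | grep -q '^table bridge guest_isolation {' || return 1
    printf '%s\n' "$ruleset" | grep -q 'type filter hook forward' || return 2
    rule=$(printf '%s\n' "$ruleset" | grep "iifname \"$ifn\" counter.* drop") || return 3
    # extract "packets N" from the counter expression
    printf '%s\n' "$rule" | sed -n 's/.*packets \([0-9]*\).*/\1/p'
}

# Constructed sample of `nft list table bridge guest_isolation` output.
SAMPLE_RULESET='table bridge guest_isolation {
	chain forward {
		type filter hook forward priority 0; policy accept;
		iifname "wifi-guest" counter packets 42 bytes 3360 drop
	}
}'

# Constructed sample where the table was loaded but the rule is absent.
SAMPLE_NO_RULE='table bridge guest_isolation {
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
}'

# On the router replace the sample with:
#   check_guest_isolation wifi-guest "$(nft list table bridge guest_isolation)"
rc=0
pkts=$(check_guest_isolation wifi-guest "$SAMPLE_RULESET") || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "guest isolation active, dropped packets so far: $pkts"
else
    echo "guest isolation NOT active (rc=$rc)"
fi
```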