Hello!
I'm trying to achieve complete isolation between two bridges that still reach 0.0.0.0/0 via one interface on a single vrf: main.
My hardware is a hAP AC running ROS 7.1.3.
Right now, I'm doing this in a very dirty way. (Interfaces in bold)
I have created two bridges: bridge and bridge-guest.
VRF main has all interfaces enabled.
ether4 is directly connected to my router, the default route.
ether4 has IP address 192.168.87.2 with gateway 192.168.87.1.
The bridge bridge is home to 192.168.88.0/24, my home network.
The bridge bridge has ports ether1,2,3,5 and wlan1,2.
The bridge bridge has MAC address CC:00:00:00:00:11.
The bridge-guest bridge is home to 10.0.0.0/24, my guest network.
The bridge-guest bridge has ports wlan3(Virtual, parent wlan1, 2.4GHz).
The bridge-guest bridge has MAC address CC:00:00:00:00:12.
The goal is DHCP visibility only for the clients in 10.0.0.2-254 talking to 10.0.0.1 and the bare minimum for Internet reachability.
I also wanted the guest network to be isolated for broadcast traffic as well, hence a separate bridge.
They are not permitted to reach anything on the bridge bridge interface, 192.168.88.0/24 or 192.168.87.0/24.
I have the following firewall rules for isolation as well as route rules. It's very dirty and I'm not happy with it.
What I am trying to prevent is any routing between the two bridges and basically achieve 100% isolation between the two subnets
while maintaining routing to the default route reachable via ether4 which is in VRF main.
I know I have over-complicated the approach and that there is a simpler solution.
My guess is that it's something to do with the VRF table and routing between CC:00:00:00:00:11 and CC:00:00:00:00:12 being disallowed, or the subnets?
I understand that using one VRF, WinBox and SSH will still be visible services via 10.0.0.1, hence the drop rules.
What am I missing? What is the simpler solution that I have foregone? Can I buy anyone a coffee?