Access via whitelist by MAC address

Hello everyone.
I'm trying to set up Internet access for certain hosts from the local network via a white list.

It doesn't work.
Can anyone tell me how to implement this task?
OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-23.236.53405-fc638c8

installed packages:
adblock-fast
dnsmasq-full
https-dns-proxy
ipset
ipset-dns
kmod-ipt-ipset

host, or internet access white list?

sorry crystal ball's sent back to manufacturer for an upgrade (wifi finally, yay!), you'll need to provide more info.

you should probably update to .4.

Thank you for your attention, I understand you about the ball.
In the local network, some machines should have access to the Internet, to resources from the white list only; clients are connected via wifi.
I tried different solutions found in the community; maybe something broke in the configuration. I can draw conclusions about the necessary sections

after update 23.05.4 I had to reset all settings

is it a long list ?
if not, try Block DNS resolution or internet access of specific IoT clients - #4 by frollic

no, there are only two addresses, if I understood you correctly, you need to add
1 - /etc/config/firewall
config rule
    option name 'whitelist'
    list proto 'all'
    option src 'fox'
    option ipset 'allow-fox'
    option dest 'wan'
    option target 'ACCEPT'

config ipset
    option name 'whitelist'
    option family 'ipv4'
    list match 'dest_ip'

2 - /etc/config/dhcp
config ipset
    list name 'whitelist'
    option table_family 'inet'
    list domain 'ipchicken.com'
    list domain 'ipleak.net'

3 - add traffic rules for MAC address - advanced settings -
use ipset - whitelist
source MAC address - 11:22:33:44:55:66

right?

you don't need to touch any of those files, just add the three server= entries (0.0.0.0 + 2x ip*) to the dnsmasq config.

keep in mind, this will affect all devices using the dnsmasq where this change is made.

At the moment there is not enough knowledge on this issue, is it possible to do this through the web interface?

there's

but you need to generate the file manually.

you can do

echo "server=/ipchicken.com/8.8.8.8" > /tmp/resolv.dnf.conf
echo "server=/ipleak.net/8.8.8.8" >> /tmp/resolv.dnf.conf
echo "server=0.0.0.0" >> /tmp/resolv.dnf.conf

add it to your local startup script, before the exit 0 line.

point to the file in the box on the screen shot.

might also need to add a service dnsmasq restart after the 3rd echo line.

maybe I explained it wrong.
there are 2 MAC addresses that will only have access to 20 domains, the rest of the devices will have no restrictions.

theoretically I can make 20 lines like
echo "server=/ipchicken.com/8.8.8.8" > /tmp/resolv.dnf.conf
how to assign them to specific MAC addresses?

you can use https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options option 6 to point all unrestricted clients to say, 8.8.8.8.

then provide the 192.168.x.x DNS to the two which require the filtered DNS, using option 6 in https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#client_classifying_and_individual_options

maybe this is possible?

ipset create wlist iphash
ipset=/google.com/wlist

iptables -I lwflist -p tcp -s 192.168.1.16/28 -m set --match-set wlist dst -j ACCEPT
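
An added example, not from any poster in this thread: the ipset approach from the posts above written as firewall4/dnsmasq UCI sections in which the set, the rule and the dnsmasq entry all use the same name `whitelist` (the posted rule references `allow-fox` while the set is named `whitelist`). The zone `fox`, the MAC address and the two domains come from the thread; the rule names and the closing REJECT rule are assumptions.

```uci
# /etc/config/firewall

# Set of destination IPv4 addresses, filled by dnsmasq at resolve time
config ipset
	option name 'whitelist'
	option family 'ipv4'
	list match 'dest_ip'

# Restricted client may reach WAN only for addresses in the set.
# Add one 'list src_mac' line per restricted client.
config rule
	option name 'restricted-allow-whitelist'   # assumed name
	option src 'fox'
	list src_mac '11:22:33:44:55:66'
	option dest 'wan'
	list proto 'all'
	option ipset 'whitelist'                   # must match the set name above
	option target 'ACCEPT'

# Everything else from the same client towards WAN is refused.
# This rule must come after the ACCEPT rule: the first match wins.
config rule
	option name 'restricted-reject-rest'       # assumed name
	option src 'fox'
	list src_mac '11:22:33:44:55:66'
	option dest 'wan'
	list proto 'all'
	option target 'REJECT'

# /etc/config/dhcp

# dnsmasq adds every address it resolves for these domains to the set
config ipset
	list name 'whitelist'
	option table_family 'inet'
	list domain 'ipchicken.com'
	list domain 'ipleak.net'
```

The set only holds addresses that dnsmasq on the router has resolved, so the restricted clients must use the router as their DNS server. MAC matching identifies a client only as long as it keeps the same address, so clients with randomised wifi MAC addresses need that feature turned off for this network.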