Block All except MAC address list

New to OpenWRT and am looking to do MAC address filtering.

How would I set up a Firewall Rule to Block ALL Outbound traffic to the internet EXCEPT from a list of MAC Addresses?

I've seen a few posts that will block specific MAC addresses from accessing the WAN (Internet) and otherwise allow all others access, but I wish to do the inverse of that - block all outbound except a specific list of MAC addresses.

Thanks, but there is plenty out there to do this for wireless interfaces and that was not what I asked.

I wish to block ALL LAN traffic (Wi-Fi and Wired) EXCEPT a list of MAC addresses.

And I wish to NOT have to manage numerous lists for each node as well. Just ONE list of MAC addresses that are allowed internet access.

More correctly, I do not have ANY devices connected via the OpenWRT wireless interface as my wireless connectivity is provided by a separate access point that is connected as a wired device as far as the OpenWRT device is concerned.

Here is a basic idea of how my network is set up:

Cable Modem --> OpenWRT Device --> Network Switch --> Everything else.

And the network switch has wired devices connected to it to include the Access Point that provides Wi-Fi access.

Change the default rule for the WAN zone from allow to reject to block all outgoing traffic.

Then in the firewall rules add one rule per MAC address and set that rule to allow for the WAN zone.

This will block the router, not the lan.

@mdp716 delete forwarding from lan to wan. Then create a rule to allow the desired source mac addresses from lan to wan.

# Create one rule that allows lan -> wan only for the listed source MAC addresses
uci add firewall rule
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].name='test'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].src='lan'
# One src_mac entry per device that may reach the internet
uci add_list firewall.@rule[-1].src_mac='00:11:22:33:44:55'
uci add_list firewall.@rule[-1].src_mac='00:66:77:88:99:AA'
uci add_list firewall.@rule[-1].src_mac='MORE_MACS'
# Drop the default lan -> wan forwarding (index 0 in a stock config) so every other device is blocked
uci -q delete firewall.@forwarding[0]
uci commit firewall
service firewall restart

That sounds like what I am looking for. Any chance those MAC addresses land in a file somewhere that I would be able to edit?


Also, when you say "delete forwarding from lan to wan" do you mean I should change the lan ==> wan Zone to Accept Accept Reject from what it is currently as depicted?


No, this is forward, not forwarding. Edit lan zone, look at the bottom and remove wan zone from Allow forward to destination zones:
Or you can run the commands I posted previously.
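As an added example (not from the thread or the OpenWrt project), the script below keeps the allow-list in one plain text file, as asked above, and generates the same uci commands as the earlier answer from it; it normalizes and validates each entry, drops duplicates, and refuses to emit anything if no valid MAC is left, so an empty or mistyped list cannot silently cut off everyone. The file path /etc/allowed_macs.txt and the rule name allow_wan_by_mac are assumed names.

```sh
#!/bin/sh
# Added example: generate the lan -> wan MAC allow-list rule from a text file.
# Assumed file: /etc/allowed_macs.txt (one MAC per line, '#' comments allowed).
# MAC addresses are trivially changed by a device owner, so treat this as a
# convenience/policy control, not as a security boundary.

# Constructed sample list standing in for /etc/allowed_macs.txt.
SAMPLE_LIST='# devices allowed to reach the internet
00:11:22:33:44:55
00:66:77:88:99:aa   # printer
00-AA-BB-CC-DD-EE
not-a-mac
00:11:22:33:44:55
'

# normalize_macs: read stdin, strip comments/blanks, accept ':' or '-' as the
# separator, lowercase, reject malformed entries, drop duplicates.
normalize_macs() {
    awk '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, ""); if ($0 == "") next
      mac = tolower($0); gsub(/-/, ":", mac)
      if (mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/ || length(mac) != 17) {
          print "skipping malformed entry: " $0 > "/dev/stderr"; next }
      if (!(mac in seen)) { seen[mac] = 1; print mac } }'
}

# uci_commands_for NAME: print the uci commands that create one ACCEPT rule
# lan -> wan restricted to the MACs on stdin and remove the stock lan -> wan
# forwarding (index 0). Nothing is applied here; review the output, then run it.
uci_commands_for() {
    normalize_macs | awk -v name="$1" '
    { macs[n++] = $0 }
    END {
      if (n == 0) { print "no valid MAC addresses, refusing to generate rule" > "/dev/stderr"; exit 1 }
      print "uci add firewall rule"
      print "uci add_list firewall.@rule[-1].proto=\047all\047"
      print "uci set firewall.@rule[-1].name=\047" name "\047"
      print "uci set firewall.@rule[-1].src=\047lan\047"
      print "uci set firewall.@rule[-1].dest=\047wan\047"
      print "uci set firewall.@rule[-1].target=\047ACCEPT\047"
      for (i = 0; i < n; i++) print "uci add_list firewall.@rule[-1].src_mac=\047" macs[i] "\047"
      print "uci -q delete firewall.@forwarding[0]"
      print "uci commit firewall"
      print "service firewall restart"
    }'
}

# Demo on the constructed list; on the router use: uci_commands_for allow_wan_by_mac < /etc/allowed_macs.txt | sh
printf '%s' "$SAMPLE_LIST" | uci_commands_for allow_wan_by_mac
```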
