Block All except MAC address list

New to OpenWRT and am looking to do MAC address filtering.

How would I set up a Firewall Rule to Block ALL Outbound traffic to the internet EXCEPT from a list of MAC Addresses?

I've seen a few posts that will block specific MAC addresses from accessing the WAN (Internet) and otherwise allow all others access but I wish to do the inverse of that - block all outbound except a specific list of MAC addresses.

Thanks, but there is plenty out there to do this for wireless interfaces and that was not what I asked.

I wish to block ALL LAN traffic (Wi-Fi and Wired) EXCEPT a list of MAC addresses.

And I wish to NOT have to manage numerous lists for each node as well. Just ONE list of MAC addresses that are allowed internet access.

More correctly, I do not have ANY devices connected via the OpenWRT wireless interface as my wireless connectivity is provided by a separate access point that is connected as a wired device as far as the OpenWRT device is concerned.

Here is a basic idea of how my network is set up:

Cable Modem --> OpenWRT Device --> Network Switch --> Everything else.

And the network switch has wired devices connected to it, including the Access Point that provides Wi-Fi access.

Change the default rule for the WAN zone from allow to reject to block all outgoing traffic.

Then in the firewall rules add one rule per MAC address and set that rule to allow for the WAN zone.

This will block the router, not the lan.

@mdp716 delete forwarding from lan to wan. Then create a rule to allow the desired source mac addresses from lan to wan.

# Add one rule that lets traffic from the listed source MACs pass from lan to wan
uci add firewall rule
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].name='test'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_mac='00:11:22:33:44:55'
uci add_list firewall.@rule[-1].src_mac='00:66:77:88:99:AA'
uci add_list firewall.@rule[-1].src_mac='MORE_MACS'   # placeholder: one add_list line per additional MAC, or drop this line
# Remove the lan -> wan forwarding so that only the rule above lets LAN hosts out.
# @forwarding[0] is the first forwarding section, which is lan -> wan in the default config;
# check with: uci show firewall | grep forwarding
uci -q delete firewall.@forwarding[0]
uci commit firewall
service firewall restart

@trendy

That sounds like what I am looking for. Any chance those MAC addresses land in a file somewhere that I would be able to edit?

@trendy

Also, when you say "delete forwarding from lan to wan" do you mean I should change the lan ==> wan Zone to Accept Accept Reject from what it is currently as depicted?

/etc/config/firewall

No, this is forward, not forwarding. Edit the lan zone, look at the bottom and remove the wan zone from "Allow forward to destination zones".
Or you can run the commands I posted previously.
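As an added example (not code from the thread), here is a POSIX shell script that turns one editable list file into the same kind of uci rule trendy's commands create, so the allow-list lives in a single place. It assumes a list at /etc/allowed_macs.txt (one MAC per line, '#' comments allowed), a named firewall section called allow_macs_to_wan (a hypothetical name chosen here), and the stock zone names lan and wan; removing the lan -> wan forwarding is still done once, as described above. The script only prints uci commands, so you can review them before piping them into sh, and it refuses an empty or malformed list because, with forwarding removed, an empty rule would cut off every host.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the MAC allow-list rule from one
# plain-text file so the list is edited in one place.
# Assumptions: list file /etc/allowed_macs.txt (one MAC per line, '#' comments),
# hypothetical section name allow_macs_to_wan, zones named lan and wan.

RULE_NAME="allow_macs_to_wan"
_H='[0-9a-f][0-9a-f]'   # one hex octet, used to validate MAC syntax

# Print normalized (lowercase) MACs from file $1, one per line.
# Blank lines and '#' comments are skipped; a malformed entry is reported on
# stderr and the function returns 1 after reading the whole file.
read_macs() {
    _file="$1"
    _status=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _mac=$(printf '%s' "${_line%%#*}" | tr -d ' \t\r' | tr 'A-F' 'a-f')
        [ -z "$_mac" ] && continue
        case "$_mac" in
            $_H:$_H:$_H:$_H:$_H:$_H) printf '%s\n' "$_mac" ;;
            *) echo "bad MAC: $_line" >&2; _status=1 ;;
        esac
    done < "$_file"
    return $_status
}

# Print the uci commands that replace the rule with the current list contents.
# Refuses an empty list: with lan->wan forwarding removed, no rule means no
# LAN host reaches the internet.
gen_uci() {
    _macs=$(read_macs "$1") || return 1
    if [ -z "$_macs" ]; then
        echo "refusing to install an empty allow list" >&2
        return 1
    fi
    # A named section can be deleted and recreated without knowing its @rule[N]
    # index. The delete is silent (-q) and fails harmlessly on the first run.
    echo "uci -q delete firewall.$RULE_NAME"
    echo "uci set firewall.$RULE_NAME=rule"
    echo "uci set firewall.$RULE_NAME.name='$RULE_NAME'"
    echo "uci set firewall.$RULE_NAME.src='lan'"
    echo "uci set firewall.$RULE_NAME.dest='wan'"
    echo "uci set firewall.$RULE_NAME.proto='all'"
    echo "uci set firewall.$RULE_NAME.target='ACCEPT'"
    for _m in $_macs; do
        echo "uci add_list firewall.$RULE_NAME.src_mac='$_m'"
    done
    echo "uci commit firewall"
    echo "service firewall restart"
}

# Stand-alone use on the router:  sh allow_macs.sh /etc/allowed_macs.txt | sh
if [ $# -gt 0 ]; then
    gen_uci "$1"
fi
```

Using a named section instead of an anonymous @rule[-1] is what makes the list re-applicable: every run deletes and recreates the same section, so stale MACs cannot linger. Keep in mind that a source-MAC rule only controls which addresses the firewall sees on the LAN side; any host that sets its interface to one of the listed MACs gets the same access, so treat this as convenience filtering rather than authentication.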
