Block incoming WAN traffic to Client using MAC address

I have 2 rules in my firewall to block one client from using the wan network.

config rule
    option name 'Block-CLIENT-to-WAN'
    list proto 'all'
    option src 'lan'
    option src_mac '02:12:34:56:78:90'
    option dest 'wan'
    option target 'REJECT'
---> Passes on firewall restart and works.

config rule
    option name 'Block-WAN-to-CLIENT'
    list proto 'all'
    option src 'wan'
    option dest 'lan'
    option src_mac '02:12:34:56:78:90'
    option target 'REJECT'
---> Doesn't pass on firewall restart and therefore probably also doesn't work.

Firewall log

Warning: Option @rule[12].dest_mac is unknown

Is the 2nd rule even necessary, and can it even work?

The second rule is not necessary and will not work. A MAC address has link-scope validity. Maybe you wanted to use dst_mac instead, but still, no traffic from outside can reach the host inside if the host doesn't initiate it.

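The point in the reply above can be mechanised: a MAC address only identifies the previous hop on the local link, so a rule with src 'wan' and src_mac can only ever see the upstream gateway's address, never a LAN client's, and dest_mac is not an option the firewall rule section accepts at all (which is what the "is unknown" warning means). The following added example, which is not from the original thread and is not an OpenWrt tool, is a small linter that parses config rule sections in UCI syntax and flags both mistakes. The sample config is constructed from the two rules posted above; the parser handles only the subset of UCI syntax those rules use.

```python
"""Lint OpenWrt-style UCI firewall rules for MAC matches that cannot work.

Added example, not part of the thread or of OpenWrt. It parses the
'config rule' sections of a firewall config and reports:
  * dest_mac / dst_mac: not a rule option, the firewall only offers src_mac
  * src_mac on a rule with src 'wan': the Ethernet source of a frame arriving
    from the WAN side is the upstream next hop, so a LAN client's MAC never
    matches and the rule is dead.
"""
from dataclasses import dataclass, field

# Only src_mac exists as a MAC-matching rule option; these names do not.
UNKNOWN_MAC_OPTIONS = ("dest_mac", "dst_mac")


@dataclass
class Rule:
    options: dict = field(default_factory=dict)   # option key 'value'
    lists: dict = field(default_factory=dict)     # list key 'value' (repeatable)


def parse_uci_rules(text):
    """Minimal parser for 'config rule' sections (option/list lines only)."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            # Start a new section; only 'rule' sections are collected.
            current = Rule() if len(parts) > 1 and parts[1] == "rule" else None
            if current is not None:
                rules.append(current)
            continue
        if current is None or len(parts) < 3:
            continue
        kind, key, value = parts
        value = value.strip().strip("'\"")
        if kind == "option":
            current.options[key] = value
        elif kind == "list":
            current.lists.setdefault(key, []).append(value)
    return rules


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means it is fine."""
    findings = []
    name = rule.options.get("name", "<unnamed>")
    for opt in UNKNOWN_MAC_OPTIONS:
        if opt in rule.options:
            findings.append(
                f"{name}: option {opt} is not a firewall rule option "
                "(MAC matching is only available via src_mac)")
    if "src_mac" in rule.options and rule.options.get("src") == "wan":
        findings.append(
            f"{name}: src_mac with src 'wan' matches the upstream next hop's "
            "MAC, never a LAN client; MAC addresses are link-local, so this "
            "rule can never match")
    return findings


def lint_config(text):
    """Lint every rule section in a config text and collect the findings."""
    return [f for rule in parse_uci_rules(text) for f in lint_rule(rule)]


# Constructed sample: the two rules from the thread, in UCI syntax.
SAMPLE = """
config rule
    option name 'Block-CLIENT-to-WAN'
    list proto 'all'
    option src 'lan'
    option src_mac '02:12:34:56:78:90'
    option dest 'wan'
    option target 'REJECT'

config rule
    option name 'Block-WAN-to-CLIENT'
    list proto 'all'
    option src 'wan'
    option dest 'lan'
    option src_mac '02:12:34:56:78:90'
    option target 'REJECT'
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```

Running it prints one finding, for the second rule only; the first rule, which matches the client's MAC on frames entering from the LAN, is exactly where a MAC match is valid. On a router you would feed it the output of `cat /etc/config/firewall`.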

Okay, then I will just delete the rule.

Thank you for pointing this out.

