Block mac on guest network


I added all home devices to the static lease(192.168.10.x), but I want to block them from connecting to the guest network(192.168.20.x) i.e. they won't get ip address in guest network. If that is not possible or too difficult, I would like to block internet access for home devices if they are connected to guest network.


Yes. Put the home network into one zone, the guest network into another zone, and create a firewall rule dropping/rejecting traffic from the home zone to the guest zone.

sorry, I did not state clearly. I want to block them using guest network to access internet.

Ah. I see. What you're talking about is NAC, or Network Access Control. It can be implemented if you fancy sinking your teeth into 802.1x, RADIUS, and similar authentication/authorisation methods.

But if you're looking to do something with just the built-in features of OpenWRT without extra or external resources, I'm not sure what the best approach might be.

You could set up DHCP reservations ("static leases") for the devices in question on the guest subnet, and then implement firewall rules denying those devices if their IP addresses are in the guest subnet. But that's easy to circumvent, if the device user configures a static IP address which you haven't firewalled.

If you know the approved guest network devices ahead of time, you could set up DHCP reservations for them, and have firewall rules permitting the approved guest device IP addresses while blanket-denying everything else in the same subnet. But that doesn't work if you don't know the guest devices in advance.

I'm not sure if nftables can behave as a layer 2 (MAC address) firewall.

I could try this, I don't worry about static ip, but I did not find a way to do static lease in the GUI.

It's here:

Which version of OpenWRT are you using? The above screenshot is from 22.03.5.

I am using 22.03.4. But I already use static lease to assign ip address for home devices at 192.168.10.x home network. Use the same to assign ip address 192.168.20.x?

You know what? I've never tried using that feature with more than one subnet. I genuinely have no idea. I know that dnsmasq (the service which underpins this feature) is completely capable of doing it (my own network uses a discrete instance of dnsmasq for DHCP and internal DNS), but I don't know from direct experience how the UCI configuration translates.

Can't hurt to try, right? Give it a go and see if it does what you want.

Sure, will try if that works. Thanks

1 Like

You can use banIP to block clients, banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. See online readme for details (


thanks. will check that