Blocking traffic on physical port (but changing client mac address)

I want to block all traffic (with the exception of 80 and 443) on a physical port (LAN).
AFAIK the built-in firewall only allows those blocks when you know the MAC-address of the device.
What if I want to block all traffic to WAN except http/https on the device which is say plugged in the second LAN-port of the openwrt device?
Is it possible?

So here is a small pictogramm:

+------------------------+                          |         |
|  Device with unknown  no access to WAN except 80/4|3        |
|     MAC-address        +--------------------------+Port 1   |
+------------------------+     all access to LAN    |         |
                                                    |         |
  +-------------------+                             | openwrt |                          +----------+
  |    device 2       |                             |         +------------------------->+Internet  |
  |                   +-----------------------------+Port 2   |                          +----------+
  +-------------------+                             |         |
                                                    |         |
  +-------------------+                             |         |
  |    device 3       |                             |         |
  |                   +-----------------------------+Port 3   |
  +-------------------+                             +---------+

Create a separate VLAN, assign it to a custom firewall zone and allow only specific traffic to forward from that zone to the WAN.

It should be similar to the following:

Just skip the wireless part and assign your guest VLAN interface to the guest network.


Is it possible to still communicate with the other devices on the LAN?

Add firewall forwardings between the LAN and guest zones.


I've called the VLAN "LAN_SECURE" as you can see on the picture (interface). I've given it a new subnet (is this necessary?).
Now I've added new traffic rules but I cannot connect to the device in LAN_Secure.
Am I missing some routing issue? Does the gateway need to be changed (now it's not filled out and gray).

What do you mean by "I cannot connect" exactly? How are you trying to connect? And from where?


Ok, I need to correct myself. The device did not get an IP address. The status page lied to me :wink: It was from a former attempt.

@eduperez: I'm trying to connect from LAN and ssh into the device

Because you have INPUT set to REJECT, it cannot receive DHCP requests.

1 Like

Fix this first, everything else comes later.

1 Like

Repeat the guest Wi-Fi instructions, specifically the firewall part.
It should create a separate zone as well as the necessary rules for DNS and DHCP.
Make sure your guest network is assigned to the guest firewall zone.