Data limitation per MAC address

Hello everybody,

I'm working on board a ship, on which we installed a network over a mobile data plan.
It is an unlimited plan, but with a fair usage policy.
Now we have the problem of some people secretly downloading and streaming a lot of stuff, which makes us hit our fair usage policy in half a month.
Now I would like to limit each user's data by giving everybody a certain quota a day per MAC address.
The only thing I could find was a 2-year-old project called quotas by someone called lemonsqueeze, but this hasn't been updated in a long time.
Also, it disables the built-in firewall for OpenWrt because it overwrites iptables each time quotas is started.
Is there a way to achieve what I'm trying to do?

Greetings, Jasper

If they don't follow common sense now, what makes you believe they won't change their MAC address regularly once you've implemented your new policy? If you really want to solve this, the situation gets a little more complicated, e.g. with an IEEE 802.1X setup and usage restrictions enforced on a per-user (unique username/password) basis by a (free-)RADIUS setup.

Well, what makes me believe that is that the average crew member on board our ship knows his way around basic internet stuff, but things like MAC spoofing aren't something a majority of them would know anything about.
The network we've set up is a crew-only network, so no passengers or guests are on it.
So if it would be possible by using nftables or iptables, that would be my preference.
I don't know how Gargoyle implemented their quota system exactly, but it looks like I'm trying to achieve what they have implemented, and I'm guessing they're using iptables or something similar as well.
I'll make sure to check out the RADIUS server as well, but I favour a system that doesn't require creating multiple user accounts.

Update 1: I quickly read about the free-RADIUS setup in the OpenWrt documentation, but it looks like that option is out of the question in our configuration.

Our network configuration is as follows:
We've got 3 mobile internet (4G) modems which have all been wired up to a TP-Link Archer C7 v5 router, using a mwan3 setup. This TP-Link router is our interface between the modems and our internal Wi-Fi network.
Our internal Wi-Fi network consists of multiple routers which are in AP mode connected to the main router.

Ran across this, may be able to get something out of it.

I have a Pixel 3a, and it uses a random MAC address on the Wi-Fi network by default for privacy reasons. It changes all by itself from time to time.

Perhaps tracking based on MAC address won't work.

nlbwmon might be a stop-gap workaround, in that you can quantify the traffic volume by IP address/MAC address. That is not a fixed quota, but you can at least figure out post hoc which device is responsible for the traffic. That knowledge, together with considerately letting the crew know, might help to get everybody to remember to treat the shared resource "internet" more considerately?
And/or use luci-app-nft-qos/nft-qos to selectively throttle offending devices to a crawl to get their owners' attention.
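
The post-hoc accounting suggested above, combined with the randomized-MAC caveat raised earlier in the thread, as an added example that is not part of any post and not nlbwmon's own code. The record format ("MAC rx_bytes tx_bytes" per line), the function names and the sample data are assumptions constructed for illustration; real counters would first have to be exported into that shape.

```shell
#!/bin/sh
# Added example: check per-MAC traffic totals against a daily quota and mark
# addresses that look privacy-randomized (a per-MAC quota cannot follow those).
# Assumed input: one "MAC rx_bytes tx_bytes" record per line, several records
# per MAC allowed. This is a constructed format, not nlbwmon's native output.

# is_randomized MAC -> exit 0 if the locally-administered bit (0x02 of the
# first octet) is set, which is how randomized client addresses are marked.
is_randomized() {
    first=${1%%:*}
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# over_quota QUOTA_BYTES < records
# Prints "mac total_bytes fixed|randomized" for each MAC whose rx+tx total
# exceeds the quota, heaviest first.
over_quota() {
    awk -v q="$1" '
        NF == 3 { total[tolower($1)] += $2 + $3 }
        END { for (m in total) if (total[m] > q) printf "%s %.0f\n", m, total[m] }
    ' | sort -k2,2nr | while read -r mac bytes; do
        if is_randomized "$mac"; then kind=randomized; else kind=fixed; fi
        echo "$mac $bytes $kind"
    done
}

# Constructed sample records (not real traffic data).
sample_records() {
    cat <<'EOF'
3C:22:FB:10:20:30 900000000 50000000
3c:22:fb:10:20:30 400000000 10000000
DA:A1:19:00:00:01 2500000000 20000000
00:1A:2B:3C:4D:5E 100000000 5000000
EOF
}

# Example run with a 1 GB daily quota.
sample_records | over_quota 1000000000
```

A device reported as `randomized` may show up under a different address later, so its totals understate what its owner actually used.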