Filter Internet access by MAC

Hi there, there are a lot of topics about blocking connections by MAC; however, I couldn't find how to perform easy clearance by MAC.

We are using an internet connection for our lab, and the school blocked our internet. They demand that connections must be allowed by MAC! I don't have much of a choice.

So far, I'm using /etc/config/wireless to perform that:

list maclist '60:03:08:9E:60:AA'

However, it doesn't block Ethernet and VPN. I think the correct way is to use firewall rules. I'm terrible with that.

We have around 50 devices. It would be easy to just fill a list with MACs. Any help is really welcome.

1 Like

If you connect to the network by Ethernet, you would clone the MAC address of your WAN interface to an allowed address.

LuCI-->Network-->Interfaces-->WAN/WAN6-->Override MAC address

If you connect by Wi-Fi, you would accomplish the same thing by connecting via Wi-Fi as a client (AP-STA) with the cloned MAC address of an allowed device, by adding this line...

option macaddr 'xx:xx:xx:xx:xx:xx'

...to the appropriate Wi-Fi network listed under:

vim /etc/config/wireless

Thanks @16F84, however I did not make myself clear. They will only allow our router to access the school network if I filter all connections to the router.
The school will not see those MACs, since they are all behind the NAT; however, I need to show them that I'm doing that.

The solution you proposed concerns the WAN interface, which is not the problem. I must filter (allow) LAN and radio0 connections by MAC. In other words, if an unauthorized person plugs in his notebook with an Ethernet cable but his MAC is not in the whitelist, he will not be able to connect.

LuCI-->Network-->Wireless-->edit SSID-->MAC-Filter-->Allow listed only

...and then, further to that, you may want to disable masquerading on your WAN firewall to show the net admin which clients are connected. I am not too sure about that, as you are disabling major security features, etc.; you may want to confirm that with them / get a second opinion.

1 Like

Hi @16F84, that is exactly what I'm doing.

/etc/config/wireless
list maclist '60:03:08:9E:60:AA'

However, it only works for Wi-Fi, not for eth0 or tun0 (VPN).

That I do not know. Here is an older solution. Maybe someone else knows?

HTH

Parental controls > Restrict access to Wi-Fi by MAC address

1 Like

Hi @vgaetera, your suggestion has the same problem. I don't want to block specific MACs.

I want to block all, except MAC1, MAC2, MAC3,...

Sorry, but I'm still confused.

"Allow listed only" is for Wi-Fi only, or am I missing something? Sorry, but I'm still confused about firewall usage.

1 Like
  1. Navigate to LuCI > Network > Firewall > Traffic Rules.
  2. Click Add and specify:
    • Name: Allow-Internet-Access
    • Protocol: Any
    • Source zone: lan
    • Destination zone: wan
    • Action: accept
  3. On the Advanced Settings tab specify:
    • Source MAC address:
      • 11:22:33:44:55:66
      • aa:bb:cc:dd:ee:ff
  4. Click Save.
  5. Navigate to LuCI > Network > Firewall > General Settings > Zones.
  6. Click Edit next to the lan zone.
  7. On the General Settings tab specify:
    • Allow forward to destination zones: Uncheck all
  8. Click Save, then Save & Apply.
5 Likes

I have one more question.

This is working, however the VPN connection can't access internet as well. Should I add Source zone with wan as well?

You can assign the VPN interface to the WAN firewall zone.
This should apply the same restrictions by MAC for VPN users.

You mean here:

It's unspecified. Just add tun0?

1 Like

I couldn't get it to work. At least changing the WAN zone.

I was looking under LAN zone and found that tun+ is included.

Doesn't that mean that if I connect with VPN I'm inside the LAN?
Shouldn't I have internet connection? I can't understand.

The LAN zone is typically used when you run a VPN server on your router.
If you run a VPN client with a commercial VPN provider, then use the WAN zone.

Sorry, I didn't explain correctly. I have a VPN server running inside OpenWrt. When I connect (externally) to the OpenWrt, I can access the LAN, but my internet connection is not redirected. My internet connection is blocked.

1 Like
  1. Navigate to LuCI > Network > Firewall > Traffic Rules.
  2. Click Add and specify:
    • Name: Allow-Internet-Access-VPN
    • Protocol: Any
    • Source zone: lan
    • Source address: VPN subnet, e.g. 192.168.8.0/24
    • Destination zone: wan
    • Action: accept
  3. Click Save, then Save & Apply.
1 Like
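The two LuCI procedures above (the MAC allow-list rule for LAN clients, and the subnet rule for VPN clients whose tun+ interface sits in the lan zone, where no client MAC is visible after routing) boil down to two `config rule` sections in /etc/config/firewall plus the removal of the stock lan->wan `config forwarding` section. The script below is an added example, not code from the thread or from OpenWrt: it generates those sections from a MAC list (refusing malformed entries, which would otherwise produce a rule that silently matches nothing), and checks an existing firewall config for the lan->wan forwarding that, if left in place, lets every LAN client bypass the allow-list. The MAC addresses and the 192.168.8.0/24 VPN subnet are constructed placeholders taken from the thread's own examples.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): build the firewall rule
# sections behind the LuCI steps above, and verify that the lan->wan zone
# forwarding has been removed. MACs and the VPN subnet are placeholders.

ALLOWED_MACS="11:22:33:44:55:66 AA:BB:CC:DD:EE:FF"
VPN_SUBNET="192.168.8.0/24"   # assumed VPN server subnet, as in the thread

# valid_mac MAC: succeed only for six colon-separated hex pairs
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# normalise_mac MAC: lower-case so the allow-list has one canonical spelling
normalise_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# gen_firewall "MAC MAC ..." SUBNET: print the two 'config rule' sections.
# Exits 1 on a malformed MAC instead of emitting a rule that matches nothing.
gen_firewall() {
    macs=$1
    subnet=$2
    for mac in $macs; do
        valid_mac "$mac" || { printf 'malformed MAC: %s\n' "$mac" >&2; return 1; }
    done
    printf "config rule\n"
    printf "\toption name 'Allow-Internet-Access'\n"
    printf "\toption src 'lan'\n\toption dest 'wan'\n"
    printf "\toption proto 'all'\n\toption target 'ACCEPT'\n"
    for mac in $macs; do
        printf "\tlist src_mac '%s'\n" "$(normalise_mac "$mac")"
    done
    printf "\nconfig rule\n"
    printf "\toption name 'Allow-Internet-Access-VPN'\n"
    printf "\toption src 'lan'\n\tlist src_ip '%s'\n" "$subnet"
    printf "\toption dest 'wan'\n\toption proto 'all'\n\toption target 'ACCEPT'\n"
}

# lan_wan_forwarding_absent < firewall-config: succeed if no 'config forwarding'
# section has src lan and dest wan. While such a section exists, zone
# forwarding accepts all lan->wan traffic and the allow-list rules never matter.
lan_wan_forwarding_absent() {
    awk '
    function flush() { if (fwd && src == "lan" && dest == "wan") found = 1 }
    /^config /  { flush(); fwd = ($2 == "forwarding"); src = ""; dest = "" }
    fwd && $1 == "option" && $2 == "src"  { gsub(/["\047]/, "", $3); src  = $3 }
    fwd && $1 == "option" && $2 == "dest" { gsub(/["\047]/, "", $3); dest = $3 }
    END         { flush(); if (found) exit 1; exit 0 }'
}

# Constructed sample: the stock OpenWrt lan->wan forwarding, still present.
DEFAULT_CFG=$(printf "config forwarding\n\toption src 'lan'\n\toption dest 'wan'\n")

# Run as "sh thisfile.sh demo" to print the generated sections and the check.
if [ "${1:-}" = "demo" ]; then
    gen_firewall "$ALLOWED_MACS" "$VPN_SUBNET"
    if printf '%s\n' "$DEFAULT_CFG" | lan_wan_forwarding_absent; then
        echo "lan->wan forwarding absent: allow-list rules are in effect"
    else
        echo "lan->wan forwarding still present: remove it before relying on the rules"
    fi
fi
```

On the router the generated sections can be pasted into /etc/config/firewall (or entered with equivalent `uci` commands), the check can be run against that same file, and the firewall then reloaded; devices are added or removed by editing the MAC list and regenerating, which keeps the 50-device allow-list reviewable as plain text.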

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.