Firewall: how to block with MAC prefix (or wildcard)?


On Openwrt 22.03, I am trying to block all Raspberry to access internet from my LAN. To block a single or a few entries is easy, via the webui or directly in /etc/config/firewall. But how to block all devices whose MAC address starts with B8:27:EB ?

Something like this:

config rule
        option name 'Deny raspberry to Wan'
        list proto 'all'
        list src_mac 'B8:27:EB:*'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'

As a last resort, I could list each and any single Raspberry, but this is borring and I may miss some... and I'd like to learn new things about Openwrt :slight_smile:

So, any help will be appreciated!
Thank you

Provide them with no or bogus default gateway and DNS IPs?

As far as I know there is no wildcard or mac address mask, so you'd have to list them all. Otherwise assign them in a separate firewall zone without forwarding to wan zone.

Ah, but it appears there is. I knew about IPvx ranges, but wondered about ether ranges and they appear to work. I just did this:

$ nft -e add set inet fw4 'mac_range { type ether_addr ; flags interval ; }'
add set inet fw4 mac_range { type ether_addr; flags interval; }
# new generation 11316 by process 29880 (nft)

$ nft -e add element inet fw4 mac_range { aa:bb:cc:00:00:00/24 }
add element inet fw4 mac_range { aa:bb:cc:00:00:00-aa:bb:cc:ff:ff:ff }
# new generation 11317 by process 29994 (nft)

$ nft list set inet fw4 mac_range
table inet fw4 {
        set mac_range {
                type ether_addr
                flags interval
                elements = { aa:bb:cc:00:00:00-aa:bb:cc:ff:ff:ff }

Once you've got the set, then you can add a rule using the set to match the source address:

$ nft add rule inet fw4 <whatever> ether saddr @mac_range reject comment '"Punt all the aa:bb:cc:* devices"'

$ nft list chain inet fw4 <whatever>
table inet fw4 {
        chain <whatever> {
                ether saddr @mac_range reject comment "Punt all the aa:bb:cc:* devices"

I used a fake chain where you see <whatever>, you'd have to dig into the existing rules (nft list ruleset) to see where it would be most appropriate. Maybe put the rule in user_pre_input in /etc/nftables.d/10-custom-filter-chains.nft?

edit: typo

1 Like