On OpenWrt 22.03, I am trying to block all Raspberry Pis on my LAN from accessing the internet. Blocking a single entry or a few of them is easy, via the web UI or directly in /etc/config/firewall. But how do I block all devices whose MAC address starts with B8:27:EB?
Something like this:
config rule
	option name 'Deny raspberry to Wan'
	list proto 'all'
	list src_mac 'B8:27:EB:*'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
As a last resort, I could list each and every single Raspberry, but this is boring and I may miss some... and I'd like to learn new things about OpenWrt.
As far as I know there is no wildcard or MAC address mask, so you'd have to list them all. Otherwise, assign them to a separate firewall zone without forwarding to the wan zone.
Ah, but it appears there is. I knew about IPvx ranges, but wondered about ether ranges and they appear to work. I just did this:
$ nft -e add set inet fw4 'mac_range { type ether_addr ; flags interval ; }'
add set inet fw4 mac_range { type ether_addr; flags interval; }
# new generation 11316 by process 29880 (nft)
$ nft -e add element inet fw4 mac_range { aa:bb:cc:00:00:00/24 }
add element inet fw4 mac_range { aa:bb:cc:00:00:00-aa:bb:cc:ff:ff:ff }
# new generation 11317 by process 29994 (nft)
$ nft list set inet fw4 mac_range
table inet fw4 {
	set mac_range {
		type ether_addr
		flags interval
		elements = { aa:bb:cc:00:00:00-aa:bb:cc:ff:ff:ff }
	}
}
Once you've got the set, then you can add a rule using the set to match the source address:
$ nft add rule inet fw4 <whatever> ether saddr @mac_range reject comment '"Punt all the aa:bb:cc:* devices"'
$ nft list chain inet fw4 <whatever>
table inet fw4 {
	chain <whatever> {
		ether saddr @mac_range reject comment "Punt all the aa:bb:cc:* devices"
	}
}
I used a fake chain where you see <whatever>, you'd have to dig into the existing rules (nft list ruleset) to see where it would be most appropriate. Maybe put the rule in user_pre_input in /etc/nftables.d/10-custom-filter-chains.nft?
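The same set-based approach, packaged as a small script so the range for a vendor prefix is computed rather than typed, and the set plus rule land in an fw4 include file. This is an added example, not code from the thread or from the fw4 project. It assumes the LAN bridge is named "br-lan", that fw4 includes /etc/nftables.d/*.nft inside "table inet fw4" (so a fragment may declare a set and a base chain at table scope), and that the file name /etc/nftables.d/20-block-oui.nft and the chain name are free; all three are placeholders to adjust. Because LAN to WAN traffic is forwarded by the router rather than delivered to it, the example hooks the forward chain instead of input, and adds `counter` so hits from the blocked devices show up in `nft list ruleset`.

```shell
#!/bin/sh
# Added example, not from the thread: build the nftables set and rule for an
# OUI prefix as an fw4 include file, instead of typing the nft commands by hand.
# Assumed placeholders, adjust for your router: LAN bridge "br-lan", fw4 loading
# /etc/nftables.d/*.nft inside "table inet fw4", and a free file name
# /etc/nftables.d/20-block-oui.nft.

# Expand a 3-octet OUI prefix such as B8:27:EB into the interval element that
# nft expects for an ether_addr set: b8:27:eb:00:00:00-b8:27:eb:ff:ff:ff
mac_range_from_prefix() {
    oui=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$oui" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) printf 'not an OUI prefix (want xx:xx:xx): %s\n' "$1" >&2; return 1 ;;
    esac
    printf '%s:00:00:00-%s:ff:ff:ff\n' "$oui" "$oui"
}

# Render the include fragment: an interval set holding one range per prefix,
# plus a base chain on the forward hook (LAN->WAN traffic is forwarded, so the
# input hook would never see it). counter makes hits visible in nft list ruleset.
render_nft_include() {
    set_name=$1; shift
    [ $# -gt 0 ] || { printf 'need at least one OUI prefix\n' >&2; return 1; }
    elements=''
    for p in "$@"; do
        r=$(mac_range_from_prefix "$p") || return 1
        elements="${elements:+$elements, }$r"
    done
    printf 'set %s {\n' "$set_name"
    printf '\ttype ether_addr\n\tflags interval\n'
    printf '\telements = { %s }\n}\n\n' "$elements"
    printf 'chain block_%s {\n' "$set_name"
    printf '\ttype filter hook forward priority -1; policy accept;\n'
    printf '\tiifname "br-lan" ether saddr @%s counter reject comment "deny forwarding for listed OUIs"\n' "$set_name"
    printf '}\n'
}

# Write the fragment, after letting nft parse it wrapped in the fw4 table so a
# typo is caught before fw4 tries to load it. "fw4 reload" then regenerates
# the ruleset with the include in place.
install_oui_block() {
    set_name=$1; shift
    body=$(render_nft_include "$set_name" "$@") || return 1
    if command -v nft >/dev/null 2>&1; then
        printf 'table inet fw4 {\n%s\n}\n' "$body" | nft -c -f - || return 1
    fi
    printf '%s\n' "$body" > /etc/nftables.d/20-block-oui.nft
}

# Usage on the router (prefix from the question; add further prefixes as needed):
#   install_oui_block raspi_macs B8:27:EB && fw4 reload
```

`fw4 check` after the reload confirms the generated ruleset still parses with the include, and `nft list set inet fw4 raspi_macs` shows the stored interval. One caveat worth keeping in mind: the rule only sees the address a device presents on the wire, so it is a convenient way to fence off managed devices, not a boundary that holds against a host that changes its MAC; a dedicated zone or VLAN for those devices is the sturdier design.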