Firewall question - how to block one device from WAN

Hey all, happy 2021. I undertook what I thought to be a very straightforward task, to block one device on my router from any in/out WAN traffic so it is only accessible on the LAN - I am clearly missing something. Here's the entry that I'm expecting to prevent the device from getting traffic out to the world:

config rule
	option src 'lan'
	option name 'PS'
	option dest 'wan'
	list src_mac '4C:EB:42:10:DD:D1'
	option target 'DROP'

The device still has no problem accessing websites. I am by no means an expert on networking, just basic familiarity and I always seem to have issues with simple stuff. Any tips are appreciated, thanks kindly.

network -> custom rules

iptables -A forwarding_rule -m mac --mac-source xx:xx:xx:xx:xx:xx --jump REJECT

restart firewall (status -> firewall -> restart firewall)


You truly are the man, that did the trick nicely. Help me understand the problem with the config I posted, should that rule not do the same thing? Or better still, what is the rule I posted actually doing? Much obliged!

The rule is correct. You are missing the protocol, so tcp+udp is assumed. Maybe you tested with ping?

I had ping running to the outside while messing with it but also loaded various web sites too. So I'm not crazy, the rule should have worked. Now I'm super curious...

Remove the custom rule, add the rule with list proto 'all', do a fw3 restart and finally iptables-save -c -t filter | grep PS
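The last step above, reading the counted ruleset to see what fw3 actually generated for the rule named PS and whether it is matching anything, can be scripted rather than eyeballed. The script below is an added example and is not code from this thread or from OpenWrt; it parses `iptables-save -c` style lines, groups the rules carrying the `!fw3: PS` comment, and reports whether any of them lacks a `-p` match (which is what `list proto 'all'` is expected to produce) and how many packets they have counted. The two sample rulesets are constructed here to approximate fw3 output (the exact comment text and chain names are assumptions, so check them against a real `iptables-save -c -t filter` on your box), and the MAC in them is the one from the first post.

```python
import re
import shlex

# Constructed sample approximating `iptables-save -c -t filter` output for the
# original rule (no proto given, so fw3 emits one tcp and one udp rule).
SAMPLE_TCP_UDP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:zone_lan_forward - [0:0]
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source 4C:EB:42:10:DD:D1 -m comment --comment "!fw3: PS" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source 4C:EB:42:10:DD:D1 -m comment --comment "!fw3: PS" -j zone_wan_dest_DROP
[2310:184120] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
COMMIT
"""

# Constructed sample for the same rule after `list proto 'all'`: a single rule
# with no -p match, so ICMP (ping) is covered too, and it has counted hits.
SAMPLE_ALL = """\
*filter
:zone_lan_forward - [0:0]
[57:4788] -A zone_lan_forward -m mac --mac-source 4C:EB:42:10:DD:D1 -m comment --comment "!fw3: PS" -j zone_wan_dest_DROP
[2310:184120] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
COMMIT
"""

# "[pkts:bytes] -A <chain> <matches and target>"
RULE_RE = re.compile(r'^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$')


def parse_counted_rules(text):
    """Parse counted iptables-save lines into dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, byts, chain, rest = m.groups()
        args = shlex.split(rest)  # handles the quoted comment text
        rule = {"packets": int(pkts), "bytes": int(byts), "chain": chain,
                "proto": None, "mac": None, "comment": None, "target": None}
        i = 0
        while i < len(args):
            a = args[i]
            if a in ("-p", "--protocol"):
                rule["proto"] = args[i + 1]
                i += 2
            elif a == "--mac-source":
                rule["mac"] = args[i + 1].lower()
                i += 2
            elif a == "--comment":
                rule["comment"] = args[i + 1]
                i += 2
            elif a in ("-j", "--jump"):
                rule["target"] = args[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def rules_for_name(text, name):
    """All rules fw3 emitted for the UCI rule called `name` (assumed '!fw3: <name>' comment)."""
    tag = "!fw3: " + name
    return [r for r in parse_counted_rules(text) if r["comment"] == tag]


def check_block(text, name):
    """Return (covers_all_protocols, packets_matched) for the named rule.

    A rule line with no -p match applies to every protocol; if every emitted
    line carries -p tcp / -p udp, ICMP and everything else slip past it.
    """
    rs = rules_for_name(text, name)
    covers_all = any(r["proto"] is None for r in rs)
    return covers_all, sum(r["packets"] for r in rs)


if __name__ == "__main__":
    for label, text in (("tcp+udp only", SAMPLE_TCP_UDP), ("proto all", SAMPLE_ALL)):
        covers_all, pkts = check_block(text, "PS")
        protos = sorted(str(r["proto"]) for r in rules_for_name(text, "PS"))
        print(f"{label}: protocols={protos} covers_all={covers_all} packets={pkts}")
```

On a live router you would feed it `iptables-save -c -t filter` instead of the embedded samples; a `covers_all` of False with zero packets while the device is still pinging out is exactly the tcp+udp-only symptom described in this thread.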
