Grouping MAC addresses for traffic rules

Hi - I want to create a rule to turn off the internet for my kids at 10.30ish. I've seen this article, ([Info] Limiting Download Speed based on MAC), regarding using traffic rules to accomplish this, but it seems that it's one rule per MAC address.

Given I've got 4 children with multiple devices + 3 TVs, Blu-ray, and PlayStation, it seems like a ton of work where one rule for a group of MAC addresses would do!?

Is there a solution to group MAC addresses for a rule rather than one rule per MAC?

If you want to treat all of your children with the same time restrictions, the same timetable, it would probably be easier to move them to their own bssid (on most wlan chipsets, you can create multiple (often up to 4) AP interfaces - see setting up a guest VLAN/WLAN as an example) - and enable/disable that via cron.


Except that your assumption is that all machines are WiFi - which in this case is not correct. I'm sure there must be a way to group MACs and then make a rule, so all I have to do is add a MAC to the group occasionally... :slight_smile:

Also I'm not sure that a rule based on SSID will work when I also plan to have another two AP mode OpenWRT routers.

You don't have a rule based on SSID, but create a cron job to enable/disable that ssid at specific times. You can do the same on all APs.

Space separated value seems valid.

    config rule
            option enabled '1'
            option target 'ACCEPT'
            option src 'lan'
            option name 'test'
            option src_mac '00:11:22:33:44:55 00:11:22:33:44:45'
            option dest 'wan'
            option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
            option start_time '22:30:00'
            option stop_time '07:00:00'

and the rules created in iptables:

    0     0 zone_wan_dest_ACCEPT  tcp  --  *      *              MAC 00:11:22:33:44:55 TIME from 22:30:00 to 07:00:00 /* !fw3: test */
    0     0 zone_wan_dest_ACCEPT  tcp  --  *      *              MAC 00:11:22:33:44:45 TIME from 22:30:00 to 07:00:00 /* !fw3: test */
    0     0 zone_wan_dest_ACCEPT  udp  --  *      *              MAC 00:11:22:33:44:55 TIME from 22:30:00 to 07:00:00 /* !fw3: test */
    0     0 zone_wan_dest_ACCEPT  udp  --  *      *              MAC 00:11:22:33:44:45 TIME from 22:30:00 to 07:00:00 /* !fw3: test */

You could consider putting them on a subnet or into a known IP address range with DHCP reservations or VLANs, for example. Might be easier to maintain. Not really less “secure” than MAC addresses in my opinion, as both are often easily changed.

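Added example, not part of any post in this thread: a shell sketch that keeps the device group as a plain list and generates the single space-separated `src_mac` rule shown above from it. The function names, the sample list, and the `REJECT` target are assumptions; the option names are the ones in the posted config.

```shell
#!/bin/sh
# Added example: one time-limited fw3 rule for a whole group of devices.
# Constructed sample list: MAC first, free-text label after it, '#' comments.
SAMPLE_GROUP='# kids and shared devices
00:11:22:33:44:55  kid1-phone
00-11-22-33-44-45  living-room-tv
00:11:22:33:44:55  listed twice
00:11:22:33:44     truncated entry
'

# mac_group: read the list on stdin, print the valid MACs space separated.
mac_group() {
    h='[0-9A-F][0-9A-F]'
    group=''
    while read -r raw rest || [ -n "$raw" ]; do
        case "$raw" in ''|'#'*) continue ;; esac
        # accept lower case and dash-separated notation
        mac=$(printf '%s' "$raw" | tr 'abcdef-' 'ABCDEF:')
        case "$mac" in
            $h:$h:$h:$h:$h:$h) ;;
            *) echo "skipping invalid MAC: $raw" >&2; continue ;;
        esac
        case " $group " in *" $mac "*) continue ;; esac   # drop duplicates
        group="${group:+$group }$mac"
    done
    printf '%s\n' "$group"
}

# curfew_rule NAME WEEKDAYS START STOP: list on stdin, rule stanza on stdout.
# REJECT is an assumption (the thread's test rule used ACCEPT).
curfew_rule() {
    macs=$(mac_group)
    # A rule without src_mac matches every host in the zone, so refuse to emit one.
    [ -n "$macs" ] || { echo "rule $1: no valid MACs, not emitted" >&2; return 1; }
    cat <<EOF
config rule
        option name '$1'
        option src 'lan'
        option dest 'wan'
        option src_mac '$macs'
        option weekdays '$2'
        option start_time '$3'
        option stop_time '$4'
        option target 'REJECT'
EOF
}

printf '%s' "$SAMPLE_GROUP" | curfew_rule kids-school-nights 'Sun Mon Tue Wed Thu' 22:30:00 07:00:00
```

Calling `curfew_rule` a second time with different weekdays and times gives the separate weekend rule from the same list.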

That looks like it might be the business, thank you. Now all I have to do is add the MAC addresses to the rule. Then create a separate rule for weekends! :slight_smile: I'll try it out in the next day or so and let you know. Thank you.

Frankly the rule is as much for me as the kids. Remembering to go to bed when there's so much to learn in the world! As a backup the power drops off the main router at midnight - poof - no more internet! :slight_smile:


There are multiple devices in various places around the house, on differing WiFi APs and hard wired ports AND they move from one to another, so herding them all into one IP corral doesn't seem that easy.

I possibly could create differing SSIDs with different rules, but that would mean maintaining them on the different APs so defeats having one rule on one gateway device.

Trying to make things simpler not more complex! :slight_smile:

You could give them host reservations by MAC address into a "sub-subnet" and there you go. Now your rule can become 192.168.NNN.MMM/26 or what have you, rather than a bunch of disparate MACs (that you need to keep track of anyways).
