My goal is to be able to SSH or LuCI into my router from the internet but securely using my phone's MAC address only. I have a guest network that turns on/off via the WPS button and a Web Server. Firewall config included but would it be a rule or a forward that I would use?
#> uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='REJECT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].input='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].proto='tcp'
firewall.@rule[0].src_port='1234'
firewall.@rule[0].src='wan'
firewall.@rule[0].name='G8toSSH'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].dest_port='1234'
firewall.@rule[0].src_mac='MA:CA:DD:RE:SS'
firewall.@rule[0].enabled='0'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].enabled='0'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].enabled='0'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].enabled='0'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='guest'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='guest'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
firewall.@rule[10]=rule
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Block Guest to Guest [ISOLATE]'
firewall.@rule[10].target='REJECT'
firewall.@rule[10].dest='guest'
firewall.@rule[11]=rule
firewall.@rule[11].src='guest'
firewall.@rule[11].name='Disable Router Access [HTTP]'
firewall.@rule[11].dest_port='80'
firewall.@rule[11].target='REJECT'
firewall.@rule[12]=rule
firewall.@rule[12].src='guest'
firewall.@rule[12].name='Disable Router Access [HTTPS]'
firewall.@rule[12].dest_port='443'
firewall.@rule[12].target='REJECT'
firewall.@rule[13]=rule
firewall.@rule[13].src='guest'
firewall.@rule[13].name='Disable Router Access [SSh]'
firewall.@rule[13].target='REJECT'
firewall.@rule[13].dest_port='1234'
firewall.@rule[14]=rule
firewall.@rule[14].src='guest'
firewall.@rule[14].name='Disable Router Access [Telnet]'
firewall.@rule[14].dest_port='23'
firewall.@rule[14].target='REJECT'
firewall.@rule[15]=rule
firewall.@rule[15].name='Disable Guest LAN Access'
firewall.@rule[15].src='guest'
firewall.@rule[15].dest='lan'
firewall.@rule[15].target='REJECT'
firewall.@rule[15].proto='all'
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='wan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='G8'
firewall.@redirect[0].dest_port='1234'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='1234'
firewall.@redirect[0].src_mac='MA:CA:DD:RE:SS'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].enabled='0'
firewall.@redirect[1]=redirect
firewall.@redirect[1].src='wan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.1.111'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].name='wan2port80'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest_port='1234'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].name='wan2port1234'
firewall.@redirect[2].src_dport='1234'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].dest_ip='192.168.1.111'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp'