How to allow only devices with a specific MAC address on the LAN, using LuCI for configuration?

I have an OpenWrt 23.05.3 router with two LAN interfaces: a guest LAN on ethernet port 2 that allows normal internet access but prohibits management access to the router, and the normal LAN on ethernet port 1 that still grants access to LuCI and SSH. So in order to manage the router, you have to connect to ethernet port 1.

As an additional measure, I would like to allow only one specific laptop to connect to ethernet port 1, which should simply refuse to communicate with devices that do not have an allowed MAC address: a physical form of two-factor authentication. I am aware that MAC addresses can be spoofed, but it raises the bar a bit.

Could you point me in the right direction in LuCI on how to configure the LAN interface or firewall so that only specific MAC address(es) can access ethernet port 1?

I appreciate your guidance.

Thank you!

Does anyone have an idea how to solve this? Thanks!

Not really.

Add a rule that accepts traffic from the desired MAC address from the normal LAN firewall zone to the device. Set input to reject on the normal LAN firewall zone.

Just to be clear though, it's not a good idea to do this.
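The approach in the reply above, written out as an /etc/config/firewall fragment for fw4 (the nftables firewall in OpenWrt 23.05). This is an added example, not configuration posted in the thread: the zone name lan, the rule name and the MAC address 02:00:00:00:00:01 (a locally administered address used as a placeholder) are assumptions. The zone's input policy is changed from the default ACCEPT to REJECT, and a single traffic rule accepts everything that arrives on that zone from the laptop's MAC address. The same two settings are reachable in LuCI under Network > Firewall: the zone's Input policy on the General Settings tab, and "Source MAC address" in the advanced settings of a new Traffic Rule.

```uci
# /etc/config/firewall (fragment)
# Added example for the thread above, not the poster's own configuration.
# Zone name, rule name and MAC address are placeholders to adapt.

config zone
	option name 'lan'
	list network 'lan'
	# Default is ACCEPT. REJECT means nothing reaches the router itself
	# (LuCI, SSH, DHCP, DNS) unless a rule below accepts it.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option name 'Allow-admin-laptop'
	option src 'lan'
	# Placeholder MAC of the one laptop that may talk to the router.
	option src_mac '02:00:00:00:00:01'
	option target 'ACCEPT'
```

Two practical checks before relying on it. First, src_mac matches the Ethernet source address of the frame as the router receives it, so it only identifies the laptop when the laptop is directly attached to that port; anything behind another router or L3 switch arrives with that device's MAC instead. Second, with the zone input policy at REJECT every other device on port 1 also loses DHCP and DNS from the router; if other devices are expected there, add rules accepting UDP 67 and TCP/UDP 53 from the zone without a MAC restriction. To avoid locking yourself out, validate with `fw4 check`, keep your current SSH session open while you run `/etc/init.d/firewall reload`, and, as a belt-and-braces measure, copy /etc/config/firewall to /tmp beforehand and start a backgrounded `sleep` followed by restoring that copy and reloading, which you kill once you have confirmed you can still log in.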

Why do you think this is not a good idea? @krazeh

Because it doesn't provide any useful security benefits. All it does is add an additional layer of frustration when something goes wrong (which it will sooner or later).

If you have threat actors within your LAN who you are concerned will defeat things like strong passwords or SSH keys then


I understand. Using a complex password is easy.

However, SSH keys and tunneling look quite a bit more complex to set up at first sight:

https://openwrt.org/docs/guide-user/security/secure.access

https://openwrt.org/docs/guide-user/luci/luci.secure

I mainly want to use Luci for router management.

What would be the most "user-friendly" authentication method that increases access control beyond a simple password in this regard?

I also don't want to be in the situation that I locked myself out of the router because I messed up my authentication system... :wink:
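Key-based SSH login of the kind the linked secure.access wiki page describes, written out as an added example (not configuration from the thread): an /etc/config/dropbear fragment that turns password authentication off and binds the SSH server to the normal LAN interface only. The interface name lan and the port are assumptions; the public key itself goes into /etc/dropbear/authorized_keys, one key per line, and is not shown here.

```uci
# /etc/config/dropbear (fragment)
# Added example, not the poster's own configuration.
# Assumes the management network is the interface named 'lan'.

config dropbear
	# Refuse password logins entirely; only keys in
	# /etc/dropbear/authorized_keys are accepted.
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
	# Listen only on the management LAN, not on the guest LAN or WAN.
	option Interface 'lan'
```

Install the public key first, then apply with `/etc/init.d/dropbear restart`, and test the key login from a second terminal before closing the session you are working in; that ordering is what prevents the lockout scenario above. Because LuCI continues to use the router password, it remains a fallback path if the key is lost, which is also why it should stay reachable only from the management port.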