I have an OpenWrt 23.05.3 router with 2 LAN interfaces: a Guest LAN on ethernet port 2 that allows normal internet access but prohibits management access to the router, and the normal LAN on ethernet port 1 that still grants access to LuCI and SSH. So in order to manage the router, you have to connect to ethernet port 1.
As an additional measure, I would like to allow only one specific laptop to connect to ethernet port 1, which should simply refuse to communicate with devices that do not have an allowed MAC address. A physical form of 2-factor authentication. I am aware that MAC addresses can be spoofed, but it raises the bar a bit.
Could you point me in the right direction in LuCI how to configure the LAN interface or firewall to allow only specific MAC address(es) to access ethernet port 1?
Add a rule that accepts traffic from the desired MAC address from the normal LAN firewall zone to the device. Set input to reject on the normal LAN firewall zone.
Just to be clear though, it's not a good idea to do this.
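The rule and zone policy described in the answer above, written out as an `/etc/config/firewall` fragment. This is an added example, not part of any poster's reply; the zone name `lan` (the OpenWrt default), the rule name and the MAC address are assumptions, and the MAC is a constructed placeholder.

```uci
# Zone for the normal LAN on ethernet port 1 (zone name 'lan' is assumed).
# 'input' controls traffic addressed to the router itself (LuCI, SSH,
# DHCP, DNS). REJECT makes the router refuse it unless a rule matches first.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# A rule with 'src' but no 'dest' is an input rule: it applies to traffic
# from the zone to the router. Rules are evaluated before the zone's
# default input policy, so this one laptop is accepted and every other
# MAC address on the zone falls through to REJECT.
config rule
	option name 'Allow-Mgmt-Laptop'       # hypothetical rule name
	option src 'lan'
	option src_mac '00:11:22:33:44:55'    # placeholder, use the laptop's MAC
	option proto 'all'                    # default would be tcp and udp only
	option target 'ACCEPT'
```

Because `proto` is `all`, the allowed laptop can still obtain a DHCP lease and use the router's DNS, while other devices on the zone cannot. Apply the change from a session on the allowed laptop and keep that session open while testing, since a mistyped MAC address leaves no device able to reach LuCI or SSH on this zone.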
Because it doesn't provide any useful security benefits. All it does is add an additional layer of frustration when something goes wrong (which it will sooner or later).
If you have threat actors within your LAN who you are concerned will defeat things like strong passwords or SSH keys then