I have a mixed IPv4/IPv6 network and am trying to set up a 'Firewall - Traffic Rule' for 3 MAC addresses and was unsuccessful getting it to work for the MAC addresses. I tried on the 'Advanced Settings' to put the MAC addresses of the 4 devices and was unable to get it to work. I ended up putting all the various IPv4 and IPv6 addresses in the 'Source Address' bar and can get the rule to work. It is a 'Kids Rule' to deny internet from evening till morning for 4 MAC addresses.
Also, when I make a change to any firewall rule, access to the internet is shut down and I need to reboot the router to get any routing to work again. Is this normal?
@vgaetera Thanks for the response, but I do not get the gist.
That is basically what I did. Added a firewall rule for 'kids weekday' and 'kids weekend' with their MAC addresses and rebooted the router. Are you saying that there needs to be an order to the rules to have the time restrictions work? With the IP address rule I made, it is listed last on the UI and that does seem to work. (Kids gripe when the internet goes down at night...) I can try it again with the MAC address and see if it works, but I spent a while on this last weekend and was unable to get it to work with the MAC. Only with IP addresses.
The clip of the UI is not current on the link. The MAC address portions are on the 'Advanced Settings' tab. I put in the MAC address there and rebooted the router and it did not shut down the route to the internet from that device.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
@trendy This may take a while... @vgaetera So, when I run the script on that page to re-order the rules, there are some errors, and when I reboot the router the 2 traffic rules are still at the bottom of the UI page:
root@OpenWrt:~# cat << "EOF" >> /etc/sysupgrade.conf
> /etc/firewall.estab
> EOF
root@OpenWrt:~# uci -q delete firewall.estab
root@OpenWrt:~# uci set firewall.estab="include"
root@OpenWrt:~# uci set firewall.estab.path="/etc/firewall.estab"
root@OpenWrt:~# uci set firewall.estab.reload="1"
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Section @rule[12] (Kids Weekday MAC) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[13] (Kids Weekend MAC) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[0] (MineOS) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] (Plex) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[2] (Garage) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[3] (MineOS_Mgmt) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[4] (WireGuard) does not specify a protocol, assuming TCP+UDP
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'ubus:igmpproxy[instance1] rule 0'
* Rule 'ubus:igmpproxy[instance1] rule 1'
* Rule 'ubus:igmpproxy[instance1] rule 2'
* Rule 'ubus:igmpproxy[instance1] rule 3'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-OpenVPN'
* Rule 'Kids Weekday MAC'
* Rule 'Kids Weekend MAC'
* Redirect 'MineOS'
* Redirect 'Plex'
* Redirect 'Garage'
* Redirect 'MineOS_Mgmt'
* Redirect 'WireGuard'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Redirect 'MineOS'
* Redirect 'Plex'
* Redirect 'Garage'
* Redirect 'MineOS_Mgmt'
* Redirect 'WireGuard'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 raw table
* Zone 'lan'
- Using automatic conntrack helper attachment
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-OpenVPN'
* Rule 'Kids Weekday MAC'
* Rule 'Kids Weekend MAC'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/usr/lib/bcp38/run.sh'
! Skipping due to path error: No such file or directory
* Running script '/usr/share/miniupnpd/firewall.include'
* Running script '/etc/firewall.estab'
sed: unsupported command [
sed: unsupported command [
Well, the internet did not turn off for those MAC addresses last night. I must be doing something wrong.
The steps I took:
In the UI: Network -> Firewall -> Traffic Rules, added a new rule 'Kids Weekday'
General Settings: Protocols: TCP,UDP; Source Zone: wan,wan6; Destination Zone: lan; Action: Reject
Advanced Settings: 'Put in the MAC addresses'
Time Restrictions: Sunday-Thursday; Start Time: 22:30:00; Stop Time: 07:00:00
then I hit save
then from the CLI, I copied and pasted this:
# Reorder firewall rules
cat << "EOF" > /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d;
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \
| ${IPT}-restore -c -T filter
done
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/firewall.estab
EOF
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart
and this resulted:
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[10] (Kids Weekend ) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[11] (Kid Weekday) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] (WireGuard) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[2] (MineOS) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[3] (Plex) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[4] (Garage) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[5] (MineOS_Mgmt) does not specify a protocol, assuming TCP+UDP
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 nat table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
It did not finish, but it did last night, as I am remote and connected via VPN. I can run this again tonight, but it finished yesterday and did not have anything that looked strange.
Ok, what am I doing wrong? It did not work again tonight. It is as if iptables cannot deal with MAC addresses. I can make the rule work if I put in all the IPv4 and IPv6 addresses, but with MAC it fails every time. Also, when I use the IP addresses, I reverse the source and destination and it works. It is just a pain to put in all the IP addresses. If that is what I have to do, I'll do it; but this just seems silly that iptables cannot block a MAC address.
This is the rule:
config rule
option name 'Kid Weekday'
list src_mac 'xx:xx:xx:xx:xx'
( then I list 4 more)
option weekdays 'Sun Mon Tue Wed Thu'
option start_time '22:30:00'
option stop_time '07:00:00'
option target 'REJECT'
option src 'lan'
option dest 'wan'
I am running local time on the router, and the clock does show local time when I type 'date':
Tue Nov 3 22:47:19 CST 2020
The UI shows it as enabled and I ran that script. I must be doing something wrong.
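An added example for the rule shape discussed in this thread; it is not from the original posts and not OpenWrt's own tooling. It is a pre-flight check for a MAC-based fw3 traffic rule (zone direction, MAC and time format, and the across-midnight window), plus a small reader for `iptables-save -c` output that shows whether each `--mac-source` rule is actually counting packets once installed. The zone names 'lan' and 'wan' are taken from the rule block above; the MAC addresses and the sample `iptables-save` lines are constructed values.

```shell
#!/bin/sh
# Added example, not part of the thread and not OpenWrt code: sanity-check a
# MAC-based fw3 "config rule" before applying it, then verify its counters.
# Zone names follow the rule above; MACs and the iptables-save sample are constructed.

# valid_mac MAC: true only for six colon-separated hex pairs, the only form
# iptables' "-m mac --mac-source" accepts.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_time HH:MM:SS: the format fw3 expects in start_time/stop_time.
valid_time() {
    printf '%s\n' "$1" | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$'
}

# to_secs HH:MM:SS: seconds since midnight, so start/stop compare numerically.
to_secs() {
    h=$(printf '%s' "$1" | cut -d: -f1)
    m=$(printf '%s' "$1" | cut -d: -f2)
    s=$(printf '%s' "$1" | cut -d: -f3)
    h=${h#0}; m=${m#0}; s=${s#0}   # drop one leading zero: "07" -> "7", "00" -> "0"
    echo $(( h * 3600 + m * 60 + s ))
}

# check_rule SRC_ZONE DEST_ZONE START STOP MAC...
# Prints one finding per line and returns 1 if the rule cannot work as intended.
# A "note:" line is informational only and does not fail the check.
check_rule() {
    src=$1; dest=$2; start=$3; stop=$4; shift 4
    rc=0
    # The mac match compares the source MAC of the frame as received. For a LAN
    # client that is the client's own NIC; for traffic entering from the wan zone
    # it is the upstream gateway's NIC, so a wan->lan rule never hits a kid's device.
    [ "$src" = "lan" ] || { echo "src zone '$src': MAC matching only sees LAN senders, use src 'lan' (dest '$dest' is fine)"; rc=1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "malformed MAC '$mac': need XX:XX:XX:XX:XX:XX"; rc=1; }
    done
    for t in "$start" "$stop"; do
        valid_time "$t" || { echo "bad time '$t': need HH:MM:SS"; rc=1; }
    done
    if valid_time "$start" && valid_time "$stop" && [ "$(to_secs "$start")" -gt "$(to_secs "$stop")" ]; then
        # xt_time treats start > stop as two intervals on each listed day (start..23:59:59
        # and 00:00..stop); the morning part therefore applies only on weekdays that are
        # themselves listed, not automatically on the day after a listed evening.
        echo "note: $start-$stop wraps past midnight; the 00:00-$stop part matches only on listed weekdays"
    fi
    return $rc
}

# mac_rule_hits: read "iptables-save -c" output on stdin and print "MAC packets"
# for every rule carrying --mac-source. A counter stuck at 0 during the blocked
# hours means the rule is installed but never matching (wrong zone direction,
# wrong MAC, or the client is using a randomised MAC).
mac_rule_hits() {
    awk '/--mac-source/ {
        pk = $1; sub(/^\[/, "", pk); sub(/:.*$/, "", pk)
        for (i = 1; i < NF; i++) if ($i == "--mac-source") print $(i + 1), pk
    }'
}

# Constructed sample of what "iptables-save -c" shows for such a rule (not a real capture).
SAMPLE_SAVE='[412:53118] -A zone_lan_forward -m mac --mac-source AA:BB:CC:DD:EE:01 -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -m mac --mac-source AA:BB:CC:DD:EE:02 -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT'

# Demo: the first attempt in the thread (wan -> lan, five-group MAC) versus the lan -> wan block.
echo "== wan -> lan with a five-group MAC =="
check_rule wan lan 22:30:00 07:00:00 'xx:xx:xx:xx:xx' || echo "-> rule cannot work"
echo "== lan -> wan =="
check_rule lan wan 22:30:00 07:00:00 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:02 && echo "-> rule shape is fine"
echo "== per-MAC packet counters (run: iptables-save -c | mac_rule_hits) =="
printf '%s\n' "$SAMPLE_SAVE" | mac_rule_hits
```

On the router, `iptables-save -c | mac_rule_hits` during the blocked hours is the quickest way to tell a rule that is installed but not matching from one that is matching but not having the intended effect; the first case points at the zone direction or MAC, the second at rule ordering.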
@lleachii 'Fail' means the reject rule does not work to shut down the internet to these devices. Both kids' phones are Android, but the MAC stays consistent on both of them. @vgaetera I can do this for tonight, but doesn't the 'save and apply' from the UI do this anyway?
A bit more detail. The list of devices I want to deny internet to is: 2 tower computers, 2 Android phones, a Smart TV and a Roku. I do have these devices in my 'Static Lease' list. Does having them in a Static Lease (IPv4) mess with iptables somehow?