Will changing the TTL to 1 for a device prevent it from hotspotting my WiFi?

The scenario is that we have a niece who is connected to our OpenWRT (I've implemented MAC filtering to allow only listed MACs), but I found out that he is sharing his connectivity by turning on Hotspot and allowing his friends to connect to his hotspot. Is there any way we can prevent this from happening?

check the TTL for incoming packets from the wireless client.

Can you help share more info on how I can check the incoming TTL? Sorry for the noob question.

Your niece has broken the rules, block him from the network entirely.


Limit bandwidth to 1Mbps, much better than blocking

Can you help me with how I can implement this in the GUI? What is the recommended bandwidth for a mobile phone for browsing/FB and some games like Minecraft?

Hostname OpenWrt
Model Linksys WRT1900ACS
Architecture ARMv7 Processor rev 1 (v7l)
Target Platform mvebu/cortexa9
Firmware Version OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd
Kernel Version 5.10.146
Local Time 2025-02-18 14:38:19
Uptime 38d 16h 26m 45s
Load Average 0.00, 0.00, 0.00

you probably can't.

I'm sure google knows this.

your hw isn't really relevant here ..

stolen from NFT-QoS unable to ratelimit using mac address - #2 by pavelgl.

# create a bridge-family table and a postrouting filter chain (needs kmod-nft-bridge)
nft add table bridge nft-qos-ttl
nft add chain bridge nft-qos-ttl download '{type filter hook postrouting priority 0; policy accept; }'
# drop packets carrying TTL 63 once they exceed 1 MB/s; adjust 63 to the TTL the tethering client actually sends
nft insert rule bridge nft-qos-ttl download ip ttl 63 limit rate over 1 mbytes/second drop

you'll have to experiment with the TTL value, and install the kmod-nft-bridge package.
there are probably prettier ways of solving it, but I'm not really familiar with nft.

this was tested on 24.10.0.

can't really test it though :(

@pavelgl some assistance ?

Yes, but it'll also stop everything connected to it from using the Internet. It may be better to block devices with a TTL less than x.

Where x equals your niece's normal TTL.

In the end, if you can manipulate TTLs, so can your niece... or maybe they could just run a single VPN tunnel over the WiFi link, then your TTL tricks likely get you nowhere.

But what is your concern here, lack of control over agreed upon behaviour or capacity/data volume conservation for other users? These likely have different solutions.

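The two ideas in this thread, checking the TTL of packets arriving from wireless clients and treating anything with a TTL below the client's normal value as having crossed an extra hop, as an added example that is not from the thread and not pavelgl's snippet. It is a small POSIX shell script for OpenWrt: one function generates an nftables ruleset on the inet forward hook (so kmod-nft-bridge is not needed) that logs and counts forwarded packets whose TTL or hop limit is already below the expected value, and another tallies the resulting kernel log lines per source address. The bridge name br-lan, the expected TTL of 64, the log prefix TTL-HOP and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: LAN bridge "br-lan",
# expected client TTL 64 (the Linux/Android default), log prefix "TTL-HOP ".

# Emit an nftables ruleset (inet family, forward hook) that logs and counts
# packets entering from the LAN whose TTL/hop limit is already below what a
# directly connected client sends. A packet that crossed one extra hop
# (a device tethered behind the client) arrives with expected_ttl - 1.
gen_ttl_ruleset() {
    lan_if="$1"       # bridge the wireless clients sit on, e.g. br-lan
    expect_ttl="$2"   # the client's normal TTL, the "x" from the thread
    cat <<EOF
table inet ttl_watch {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # IPv4: observe only. Replace "counter" with "counter drop" to enforce.
        iifname "$lan_if" ip ttl lt $expect_ttl log prefix "TTL-HOP " counter
        # IPv6 carries the same field as the hop limit.
        iifname "$lan_if" ip6 hoplimit lt $expect_ttl log prefix "TTL-HOP " counter
    }
}
EOF
}

# Dry-run syntax check when nft is installed (on the router, nft -f <file>
# loads the ruleset and "nft delete table inet ttl_watch" removes it again).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ttl_ruleset "$1" "$2" | nft -c -f -
    else
        echo "nft not installed here; skipping syntax check" >&2
    fi
}

# Tally "TTL-HOP" kernel log lines (as shown by logread) per source address
# and TTL, so a client that keeps forwarding for others stands out.
# Reads log lines on stdin, prints "SRC TTL count" lines sorted by SRC.
# IPv6 log lines carry HOPLIMIT= instead of TTL=; both are accepted.
count_ttl_hops() {
    grep 'TTL-HOP' | awk '{
        src = ""; ttl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^TTL=/ || $i ~ /^HOPLIMIT=/) { ttl = $i; sub(/^[A-Z]+=/, "", ttl) }
        }
        if (src != "" && ttl != "") hits[src " " ttl]++
    } END { for (k in hits) print k, hits[k] }' | sort
}

# Constructed sample of what logread would show for the rule above (not real logs).
SAMPLE_LOG='Tue Feb 18 14:38:19 2025 kern.warn kernel: TTL-HOP IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP
Tue Feb 18 14:38:20 2025 kern.warn kernel: TTL-HOP IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 LEN=52 TTL=63 PROTO=TCP
Tue Feb 18 14:38:25 2025 kern.warn kernel: TTL-HOP IN=br-lan OUT=eth0 SRC=192.168.1.51 DST=203.0.113.12 LEN=60 TTL=63 PROTO=UDP
Tue Feb 18 14:38:26 2025 kern.info kernel: unrelated line SRC=192.168.1.52 TTL=64'

# Stand-alone demo: print the ruleset, then the per-client tally.
gen_ttl_ruleset br-lan 64
printf '%s\n' "$SAMPLE_LOG" | count_ttl_hops
```

On the router, `nft list table inet ttl_watch` shows the counters and `logread` the individual hits; the rules only observe until `counter` is changed to `counter drop`. Two caveats from the thread carry over: Windows hosts send TTL 128 rather than 64, so the threshold must match the client being watched, and a VPN tunnel running on the phone hides the inner TTL, at which point this check sees nothing.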

It is the lack of control over agreed-upon behaviour.

If the idea is to limit the bandwidth of a device by MAC address using LuCI,
luci-app-nft-qos can be used after applying this modification.

I checked, it works on 24.10 as well. As a bonus, there is a monitoring table that keeps information about the traffic generated by each client device.


Ah, thanks, I guess I have nothing useful to comment, as that is a harder problem and only partially open to technical solutions. Good luck.

But I still want to check if there is anything we can do from the router side.

Can you help me to redirect as well from limiting via IP address. Thanks

The rate limiting by IP works out-of-the-box. Just install the app and set the dl/upl limits.

Additionally, a new Rate tab will appear in Realtime Graphs, where you will be able to see the current and total traffic consumed by each client (limited or not) since the last reboot.


Make him surprises he can't refuse

Thanks for this, it works now!


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.