LAN whitelisting

Hi. I have a main openwrt 24.10 router with other openwrt routers connected to it as access points; they use the same wireless SSID and password. The purpose is to block any network activity from unauthorized wireless devices, like whitelisting. Now I use static dhcp together with a firewall traffic rule to allow only certain devices to go uplink.
Some thoughts:

  • synchronize wireless whitelist on all openwrt routers, but how?
  • use dhcp with arp filtering (like “arp: reply-only” in mikrotik), but I haven’t found anything like this.

First you have to authorize the device, e.g. with radius aka wpa-eap.

Anyone can forge someone else's MAC.
Anyone can set static ARP mappings.

Thanks! And can I do whitelisting with ethernet connected clients?

In Cisco's parlance that is called a "port access list": the MAC addresses allowed to talk on a port.
No interface with checkboxes is available, but you can insert a bridge firewall next to the "inet fw4" firewall:
https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering

Something like:

iif lan5 ether saddr vmap { "02:00:00:00:00:00" : return, "02:00:00:00:00:01" : return } drop

Obviously this does not work with uncontrolled interfaces like wifi or a link between 2 switches.
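As an added example (not from this thread or from OpenWrt itself) that covers both the per-port MAC whitelist above and the earlier question of keeping one list in sync across routers: a POSIX sh script that turns a shared whitelist file into a complete nft bridge-family ruleset, so every router can load the same policy. The table and chain names, the port names, the whitelist format and the -200 priority are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread. Turns a whitelist file shared by
# all the routers into an nftables "bridge" family ruleset, so each box loads
# the same policy with: nft -f <generated file>. Assumed whitelist format:
# "<bridge-port> <mac> [comment]", '#' starts a comment line.
H='[0-9a-fA-F]'                       # one hex digit
MAC="$H$H:$H$H:$H$H:$H$H:$H$H:$H$H"   # six colon-separated octets

# Print the valid MACs listed for one bridge port; malformed ones are skipped.
macs_for_port() {                     # $1 = port name, $2 = whitelist file
    while read -r port mac rest; do
        case "$port" in ''|'#'*) continue ;; esac
        [ "$port" = "$1" ] || continue
        case "$mac" in
            $MAC) printf '%s\n' "$mac" ;;
            *) printf 'skipping malformed MAC "%s" on %s\n' "$mac" "$port" >&2 ;;
        esac
    done < "$2"
}

# Emit a complete ruleset: one rule per port, unlisted source MACs are dropped.
# The bridge prerouting hook sees frames before they are forwarded to other
# ports or delivered to the router itself.
gen_bridge_whitelist() {              # $1 = whitelist file
    printf 'table bridge macfilter {\n    chain prerouting {\n'
    printf '        type filter hook prerouting priority -200; policy accept;\n'
    ports=$(while read -r p rest; do
                case "$p" in ''|'#'*) ;; *) printf '%s\n' "$p" ;; esac
            done < "$1" | sort -u)
    for port in $ports; do
        elems=''
        for mac in $(macs_for_port "$port" "$1"); do
            elems="${elems:+$elems, }$mac : accept"
        done
        [ -n "$elems" ] || continue      # no valid entry: emit no rule for it
        printf '        iifname "%s" ether saddr vmap { %s } drop\n' "$port" "$elems"
    done
    printf '    }\n}\n'
}

# Constructed sample whitelist (demo only); the port names are assumptions.
WL=$(mktemp)
cat > "$WL" <<'EOF'
lan5     02:00:00:00:00:01   printer
lan5     02:00:00:00:00:02   nas
lan4     02:00:00:00:00:03   desk-pc
lan4     02:00:00:00:0       truncated entry, will be skipped
EOF
gen_bridge_whitelist "$WL"
rm -f "$WL"
```

Copy the same whitelist file to each router and run the script there; a port with no valid entry gets no rule, so check the stderr warnings before loading the output.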

Thank you! I’ll try it.