Layer 3 filtering or something like that

layer 3 filtering

I have an OpenWrt box and a mesh wireless system, configured as follows:

 inet         openwrt            mesh wireless system        local network
wan ip      192.168.11.1      192.168.11.2 - 192.168.5.1     192.168.5.0/24

I want to block Facebook or YouTube for certain IP addresses such as 192.168.5.3, 192.168.5.167. I tried with the firewall, but it didn't recognize the 192.168.5.x IPs. I tried with MAC addresses but had no success.

How can I do this? Is there any L3 filtering for OpenWrt?

:confused:

Yes, the firewall is a Layer 3-based firewall.

Maybe you should fix your subnets first.

What method are you using to identify those IPs and block them?

You never stated...in fact, you noted you tried in the firewall; but given you cannot block by domain...that's unclear...

You can enter any IP in the firewall, so this is confusing.

:thinking:

(FYI, blocking by domains would be a higher abstraction than Layer 3...maybe you should clearly state what you want to do...also let us know if your device is the DNS and gateway of this mesh.)

What do you mean?

Yes, the OpenWrt box is the DNS and gateway for the mesh.


In fact, it will be enough to just block certain IP addresses. But the OpenWrt IP subnet is 192.168.11.x and the mesh network is 192.168.5.x, so I tried to add a block rule to the firewall for 192.168.5.5, but it didn't work.

Please guide me to add a block rule for 192.168.5.5...

To block 192.168.5.5 from what?

Sorry, I want to block 192.168.5.5 from LAN to WAN.

config rule
	list proto 'all'
	option name 'test'
	list src_ip '192.168.5.5'
	option dest 'wan'
	option target 'DROP'
	option src 'lan'

See: https://openwrt.org/docs/guide-user/firewall/firewall_configuration

1 Like

It doesn't work. But if I change the IP address to 192.168.11.X it works very well. So the firewall does not recognize any subnet other than its own subnet.

What can I do?

The firewall cannot filter packets on subnets that it does not see.

inet         openwrt            mesh wireless system        local network
wan ip      192.168.11.1      192.168.11.2 - 192.168.5.1     192.168.5.0/24

The mesh system appears to be performing NAT, right? This means that the OpenWrt router cannot see into that network -- everything that happens on that network that is headed towards the internet appears as traffic from a single IP address: 192.168.11.2. You cannot filter granularly in this case.

The solution is to disable NAT on the mesh device so that the local network exists on the same network (192.168.11.0/24) and then each device will have an IP that can be seen by the OpenWrt router.

2 Likes
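An added example (not from the thread or from OpenWrt itself) that models why the posted rule cannot match: it applies the mesh device's masquerading first, then the rule's src_ip match, with NAT on and off. The subnets and addresses are the ones from the diagram; the rule dict, function names and the 192.168.11.50 client used for the NAT-off case are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the topology in the thread: the mesh device NATs its
# 192.168.5.0/24 clients behind 192.168.11.2 on the OpenWrt LAN 192.168.11.0/24.
OPENWRT_LAN = ip_network("192.168.11.0/24")
MESH_WAN_ADDR = ip_address("192.168.11.2")
MESH_LAN = ip_network("192.168.5.0/24")

# The lan->wan DROP rule posted above, reduced to the fields that matter here.
RULE = {"src": "lan", "dest": "wan", "src_ip": "192.168.5.5", "target": "DROP"}


def visible_source(client_ip, nat_enabled):
    """Source address the OpenWrt router actually sees for a mesh client's packet.

    With masquerading on, every mesh client collapses to the mesh device's own
    WAN address; with NAT off (clients addressed inside the OpenWrt LAN), the
    client's real address is forwarded unchanged.
    """
    src = ip_address(client_ip)
    if nat_enabled and src in MESH_LAN:
        return MESH_WAN_ADDR
    return src


def openwrt_drops(client_ip, rule, nat_enabled):
    """Evaluate the rule's src_ip match against the address the router sees."""
    seen = visible_source(client_ip, nat_enabled)
    return rule["target"] == "DROP" and seen == ip_address(rule["src_ip"])


def src_ip_reachable(rule, lan=OPENWRT_LAN):
    """Sanity check: a src_ip outside the router's own LAN subnet can only match
    if some downstream device forwards it without NAT."""
    return ip_address(rule["src_ip"]) in lan


if __name__ == "__main__":
    for client in ("192.168.5.5", "192.168.5.167"):
        print(client, "seen as", visible_source(client, nat_enabled=True),
              "dropped:", openwrt_drops(client, RULE, nat_enabled=True))
    print("rule src_ip inside OpenWrt LAN:", src_ip_reachable(RULE))
```

Both mesh clients collapse to 192.168.11.2, so the posted rule never matches; the same check passes once the client sits inside 192.168.11.0/24 with NAT off.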

The Tenda MW6 doesn't allow this. But if there is Layer 3 packet filtering I can do this, right?

If the tenda has appropriate firewall functions, yes. You would set the rules on that device, not the openwrt router.

2 Likes

Yes, there is. But it only blocks wireless clients. I have to block my wired clients too.

I also tried to block by MAC address but there was no success.

MAC addresses are a layer 2 concept - a firewall can only filter based on MAC if it is able to see it as a member of the same L2 network.

Bottom line: your Tenda mesh router system uses NAT masquerading and a firewall such that the OpenWrt router (or any upstream device) sees all the traffic as originating from or returning to a single MAC / IP address - the address of the Tenda device itself. This means there is no ability to selectively filter any devices on the Tenda mesh network - it is all or none. Period.

Your solution is to disable NAT (you said that this option is not present), use the firewall on the Tenda (you implied that it doesn’t have all the necessary capabilities), or remove the Tenda and use the OpenWrt router only (and figure out a non-NAT wireless solution if you need better WiFi).

2 Likes

I know this, but @lleachii wrote:

So it's wrong?

Anyway, I think there is no solution for this situation.

No, what @lleachii wrote is correct. The firewall works at L3 but can filter by MAC addresses when those devices are directly connected to its own LAN (which is basically the boundary of L2 and L3). The reason you cannot filter by MAC address for the devices connected to the mesh system is they are no longer L2 visible since they have gone through the NAT routing layer (L2 to L3) of that mesh system.

2 Likes

Thank you... and sorry @lleachii

1 Like