Looking for firewall help - block WAN access for one device

The motivation behind this is that I've produced a Smart-Home device using a Raspberry PI. For the terminally curious it's actually a meat roasting thermometer that reports the temp on a PC connected to the LAN.

It has no need to ever connect to the outside world, except in the unlikely event I update it. So for the vast majority of the time I want to block Internet traffic to and from this device. I have a firewall rule on the PI to block WAN traffic, i.e. anything outside the local subnet. While not really necessary, think of this in terms of "belt and suspenders". It's also a useful learning experience, which is my main reason for trying this.

I tried doing this once; to the best of my memory, I added the following to "/etc/config/firewall":

config rule
        option src_mac '01:23:45:67:89:ab'
        option dest 'wan'
        option name 'Block-Thermometer'
        option target 'DROP'

The reason I say "to the best of my memory" is that applying this caused all connectivity to the router to fail, requiring a factory reset and reconfigure. Needless to say, the backup I'd made of the firewall config file was kinda useless at this point, since the whole thing got wiped with the factory reset.

Hence my reason for coming here to get help: I clearly don't know the exact incantation, and do not want to risk requiring a second reset.

Piggy-backing a second closely related question, I note that src_mac is available, but as far as I can tell dest_mac is not. Any ideas if this is the case, and if so why? And how might I block inbound traffic without having to resort to a static lease and dest_ip?

1 Like

Your rule is missing the source zone.
Destination MAC makes no sense for the L3 firewall.
Getting IP by MAC is limited to a broadcast domain.
You can use a separate VLAN/SSID to isolate and filter traffic.
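The stanza from the first post with the missing source zone filled in, plus a small lint that refuses to emit uci commands for a stanza that lacks it. This is an added example, not config from either poster or from the OpenWrt project; the MAC address is a constructed placeholder and 'lan'/'wan' are assumed to be the default zone names.

```shell
#!/bin/sh
# Added example: the firewall rule with 'option src' present, and a lint that
# catches a stanza without a source zone before it reaches /etc/config/firewall.
# MAC address is a constructed placeholder; zone names assume the defaults.

# The rule as it should read: forwarded traffic from this MAC in the lan zone
# towards the wan zone is dropped. 'option src' is what the thread's rule lacked.
RULE_OK="config rule
        option name 'Block-Thermometer'
        option src 'lan'
        option src_mac '01:23:45:67:89:ab'
        option dest 'wan'
        option target 'DROP'"

# The stanza from the thread, for comparison: without 'src' it is no longer a
# lan->wan forwarding rule but a rule on the router's own outgoing traffic.
RULE_NOSRC="config rule
        option src_mac '01:23:45:67:89:ab'
        option dest 'wan'
        option name 'Block-Thermometer'
        option target 'DROP'"

# opt NAME: print the value of 'option NAME' from the stanza on stdin, quotes stripped.
# 'src' does not match 'src_mac' because a space must follow the name.
opt() {
    sed -nE "s/^[[:space:]]*option[[:space:]]+$1[[:space:]]+['\"]?([^'\"]*)['\"]?[[:space:]]*$/\1/p"
}

# lint_rule: read one "config rule" stanza on stdin, print findings, and return 0
# only if it has a source zone, a destination zone, a known target and, when
# src_mac is used, a well-formed MAC address.
lint_rule() {
    stanza=$(cat)
    rc=0
    src=$(printf '%s\n' "$stanza" | opt src)
    dest=$(printf '%s\n' "$stanza" | opt dest)
    target=$(printf '%s\n' "$stanza" | opt target)
    mac=$(printf '%s\n' "$stanza" | opt src_mac)
    if [ -z "$src" ]; then
        echo "FAIL: no 'option src' - rule applies to the router's own output, not forwarded LAN traffic"
        rc=1
    fi
    if [ -z "$dest" ]; then
        echo "FAIL: no 'option dest'"
        rc=1
    fi
    case "$target" in
        ACCEPT|REJECT|DROP) ;;
        *) echo "FAIL: target must be ACCEPT, REJECT or DROP (got '$target')"; rc=1 ;;
    esac
    if [ -n "$mac" ] && ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; then
        echo "FAIL: src_mac '$mac' is not a valid MAC address"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $src -> $dest $target"
    return "$rc"
}

# uci_batch: turn a stanza on stdin into the equivalent 'uci batch' commands, so
# the rule can be added without hand-editing the file (and backed out with
# 'uci revert firewall' before the commit if the lint was wrong).
uci_batch() {
    stanza=$(cat)
    echo "add firewall rule"
    printf '%s\n' "$stanza" | sed -nE "s/^[[:space:]]*option[[:space:]]+([a-z_]+)[[:space:]]+(.*)/set firewall.@rule[-1].\1=\2/p"
    echo "commit firewall"
}

# Demonstration: the thread's stanza fails the lint, the corrected one passes and
# is rendered as uci commands.
echo "--- stanza from the thread ---"
printf '%s\n' "$RULE_NOSRC" | lint_rule || true
echo "--- corrected stanza ---"
printf '%s\n' "$RULE_OK" | lint_rule && printf '%s\n' "$RULE_OK" | uci_batch
```

The lint runs anywhere with sed and grep; on the router itself the emitted lines can be fed to `uci batch`, followed by `/etc/init.d/firewall reload`, which keeps the file intact if the lint rejects the stanza.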

Ahh. So while it's marked as optional, its absence changes the semantics of the rule from a forward rule to an outbound rule - definitely not what I want.

"L3 firewall" is the key phrase here. Now I have that in my head, I can see why it may be the case. I suspect it's not so much a matter of making sense, L2 vs L3, as a matter of ease of access. Working at L3, any packet coming by will have the source MAC in it, it's just a case of digging into the Ethernet header to find it. Thus the reason it's available as a filter option, even though I agree 100% it's an L2 property. Meanwhile, destination MAC is a bit harder to come by. The firewall would have to query the ARP table to find if the destination IP is associated with the MAC in question. Depending on how fast that query is, such an operation could seriously impact the performance of the firewall.

1 Like
