MAC filtering does not appear to work


I am new to openwrt but not necessarily networking.

Attached is a diagram of my network (image: "network for OWRT").

Additional information.

There are many hard-wired devices on the subnet, and the family mobiles/tablets use the D7000. The area where the media player resides has no Cat 5, so it is attached using a TP-Link 801 in client mode attached to the D7000.

The NAS uses DLNA, and DHCP is provided by my secondary IP firewall.

This has been a stable working network for many years, but with a Samsung smart TV, not LG. Since installing the LG, the media player has started to reset every 2m 10s whilst playing from the NAS. Interestingly, the media player, which can be controlled by ethernet, also gets hit at 2m 10s intervals, which is noticeable because the power LED illuminates.

Replacing the media player with a laptop running Wireshark, it's evident that at the 2m 10s interval the LG sends a broadcast frame which I believe to be associated with Apple products (not that we have any).

Clearly the media player has a less than robust IP stack, but it's now 6 years old and I doubt the manufacturer (Pioneer) would change it.

My thought was to prevent the broadcast from the TV, be that at IP level or MAC, and sadly my D7000 has access control disabled in AP mode. I have set up owrt on a Pi v1 model B and I have connectivity. Because I get my DHCP from ipfire and I need DLNA, I installed relayd thinking I could perform a MAC filter.

I have connectivity, but there is no filtering, and all I have done is provide the same mechanism and have the same problem.

Below is my config for wireless.

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/20980000.usb/usb1/1-1/1-1.3/1-1.3:1.0'
	option band '2g'
	option htmode 'HT40'
	option channel '9'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid ''
	option encryption 'psk2'
	option key '
	option macfilter 'deny'
	list maclist 'ac:5a:f0:76:f3:05'  # MAC address of LG TV

What am I missing? Why does this not work?

Any help from OWRT gurus would be most welcome.

Many thanks in advance

That rule would block the LG TV from connecting to the "wifinet0" access point completely... I guess that is not what you need. If you want to block traffic between the LG TV and the XH82, I would do it at the IP address level, either on the D7000 or the WA801N.
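To make the point in this reply concrete, here is a small checker added as an illustration; it is not code from the thread or from the OpenWrt project. It parses a wireless config fragment like the one posted above and reports every wifi-iface that carries macfilter/maclist. In OpenWrt those two options are passed to hostapd, so they only decide which clients may associate with an access point the device itself runs; on an interface in sta (client) mode there is no hostapd for them to act on. The sample config, the function names, the SSID/key placeholders and the assumption that a wifi-iface without an explicit mode defaults to 'ap' are mine.

```python
"""Check an OpenWrt /etc/config/wireless fragment for macfilter settings
that cannot do what the author intends.  Added example; the sample config
below is constructed from the thread's posted config with SSID and key
redacted, and the function names are the author's own choice."""
import re
import shlex

SAMPLE_WIRELESS = """\
config wifi-device 'radio0'
	option type 'mac80211'
	option band '2g'
	option channel '9'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'REDACTED'
	option encryption 'psk2'
	option key 'REDACTED'
	option macfilter 'deny'
	list maclist 'ac:5a:f0:76:f3:05'  # MAC address of LG TV
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_uci(text):
    """Minimal UCI parser: one dict per 'config' section with its type, name,
    scalar options and list options.  Handles quoted values and # comments."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # '#' starts a comment
        if not tokens:
            continue  # blank or comment-only line
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            sections.append({
                "type": args[0],
                "name": args[1] if len(args) > 1 else None,
                "options": {},
                "lists": {},
            })
        elif keyword == "option" and sections:
            sections[-1]["options"][args[0]] = args[1] if len(args) > 1 else ""
        elif keyword == "list" and sections:
            sections[-1]["lists"].setdefault(args[0], []).append(
                args[1] if len(args) > 1 else "")
        else:
            raise ValueError(f"unrecognised UCI line: {raw!r}")
    return sections


def check_macfilter(sections):
    """Return (section name, message) findings for every wifi-iface that
    sets macfilter or maclist.  Assumption: a wifi-iface without an
    explicit 'mode' defaults to 'ap', as OpenWrt does."""
    findings = []
    for sec in sections:
        if sec["type"] != "wifi-iface":
            continue
        mode = sec["options"].get("mode", "ap")
        policy = sec["options"].get("macfilter", "disable")
        macs = [m.lower() for m in sec["lists"].get("maclist", [])]
        if policy == "disable" and not macs:
            continue
        bad = [m for m in macs if not MAC_RE.match(m)]
        if bad:
            findings.append((sec["name"], f"malformed maclist entries: {bad}"))
        if mode == "sta":
            # hostapd is not started for a client interface, so the list is
            # never consulted and no frame is ever filtered.
            findings.append((sec["name"],
                             f"macfilter '{policy}' on a sta interface has no "
                             f"effect; maclist {macs} is never enforced"))
        elif policy == "deny":
            # On an AP this is an association filter, not a traffic filter.
            findings.append((sec["name"],
                             f"AP association filter: {macs} cannot join SSID "
                             f"{sec['options'].get('ssid')!r} at all"))
    return findings


if __name__ == "__main__":
    for name, msg in check_macfilter(parse_uci(SAMPLE_WIRELESS)):
        print(f"{name}: {msg}")
```

Run it against a copy of /etc/config/wireless with `python3 check.py < /etc/config/wireless` after swapping SAMPLE_WIRELESS for sys.stdin.read(); on the posted config it reports that the deny list on wifinet0 is never enforced because the interface is a client, which is the situation the reply describes.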

Many thanks for taking the time to read and reply to my post.

Referring to my simplified network diagram, call everything up to and including the D7000 zone M, and everything from the TP-Link to its right zone K.

The rule I want will prevent any traffic from the LG TV in zone M traversing to zone K, i.e. it's dropped into the bit bucket before it's forwarded to the ethernet port, and indeed that's what I thought it would do.

Sadly the D7000 has no ability to perform IP interception, and worse, when used in AP mode it hard disables the MAC filtering, so no hope there. In a similar fashion the TP-Link in client mode also hard disables the MAC filtering. By hard disabling I mean the menus are greyed out. In short, I can't filter at any level at the head end in zone M.

This is why I switched to openwrt to replace the TP-Link. I was hoping initially that the internal frame routing between processes within Owrt would be as below.

Wifi <-> relayd <-> firewall <-> Ethernet

I have tried adding an IP level firewall rule and that does not work, hence the attempt at Layer 2 to block the LG MAC, which does not work. I am guessing that when using relayd, frames are never sent via the firewall instance, based on what I am seeing. It would be nice to be able to see a firewall or relayd log to see what is happening, as I am down to guessing.

If I could find either a decent AP or client mode device which had filtering I would buy it; however, since people have put a lot of really good work into owrt I thought I would give it a go. I also need it for elsewhere, so I am using it as a learning exercise.

Does anyone know if my assumptions on internal frame routing are correct, or if any logs are available, or better still, am I being stupid in expecting owrt to be able to filter at a MAC level and deny all access to a single MAC address?

Again, many thanks. As a product it looks like it's really well thought out and implemented, so keep up the good work.

UPDATE: OK, I am being dumb. Of course the MAC address received by the client is not the one in the original frame. Looks like it has to be at an IP level. Dohhh!!!!!