MAC Filtering uhttp port 80


I want to block some MAC address to access my WebServer.

I followed this tutorial Link

and in /etc/config/firewall I got

config rule
	option enabled '1'
	option name '-Locked'
	option src_mac 'devicemac'
	option target 'REJECT'
	option proto 'all'
	option src '*'
	option dest '*'

But I still can connect to my webserver on port 80.
I want to lock the src_mac and that it cannot reach the webserver.
What am I doing wrong?

MAC address has link validity only. If you are trying to block some MAC from the wan and your server is in the lan it won't work. For that you'll need IP address.
Also src '*' and dst '*' doesn't look very elegant, you'd better make it more specific.

Thank you for your reply.
So how do I set the rule if I want to block MAC device AA and this device cannot reach webserver on IP ?

The problem is option dest '*'. As soon as any dest is specfied, the firewall will create a forward rule. But in order to prevent access to uhttpd you need an input rule.

Remove option dest '*' and it should work.

Where is the device located? In the LAN? In the internet? The belongs to the OpenWrt router or some other host?

I did this:

config rule
	option enabled '1'
	option src_mac 'deviceMAC'
	option target 'REJECT'
	option proto 'all'
	option name 'Locked'
	option src 'lan'
	option dest_ip ''
	option dest_port '80'
	option src_ip ''

Now if I try to set an IP in on device mac I cannot reach the webserver.

Is it correct?

Is it possible to do the opposite? Allow only this device with this MAC to reach the WebServer and all other device with a different MAC are not allowed?

You didn't answer my questions, so it is hard to help you.


device is in the LAN, and IP of WebServer is
IP belongs to the OpenWRT router.

There you go

config rule
	option enabled '1'
	option src_mac '00:0U:5B:PO:CB:RT'
	option target 'REJECT'
	option proto 'tcp'
	option name 'Block HTTP'
	option src 'lan'
	option dest_port '80'
1 Like

Thanks! it works correctly!

What if I want to allow only this device 00:0U:5B:PO:CB:RT to reach the WebServer and block all the others device(MAC address)?
Is it possibile to provide also a list i.e. allow devices that MAC starts with 00:0U:5B:* ?

Change the option target to ACCEPT for this mac and below make another rule to REJECT dest_port 80 from lan.
I don't think you can use wildcard on mac address, you'll have to make a rule for each mac you want to permit.