I want to regulate who can access my WiFi (there is a guest WiFi for the rest). I want to do this with option macfilter 'allow', so only the correct MAC addresses can access WAN through WiFi. (I know that iOS devices spoof MAC addresses, but you can turn this off, or use the guest WiFi.)
But somehow the option doesn't work; of course I restarted the router / services.
@eduperez Sorry for the confusion.
The devices on the list can connect (that is how it should work, I guess).
But when I spoof another MAC or remove it from the list, it still can connect.
If I change it to deny, and test a device, it still can connect.
I found the problem: I use Airport Extremes as a bridge, this is why it is not working. If I disconnect them, it works.
Can I regulate the traffic in LAN with MAC allow/deny? That would do the trick too, because all others go through Guest->WAN.
Then I only need to add those who can access the LAN.
Devices connected through the Airport Extreme are already connected to LAN, there is nothing you can do on the router to kick them out. You can block them at the DHCP server, but that is "good enough" depending on your needs.
Perhaps you can block those devices on the Airport Extreme, too.
Anyway, those devices can connect to the main network because someone configured the wireless password... can't you just change the password?
@eduperez Of course I can change the password, but with all the iOS devices, you only have to lay them alongside and your password is shared with the other device.
The Airport Extremes are on LAN, that is indeed the problem. I have a guest WiFi on those Airports too, with an extra VLAN on 1003. So the router thinks everything is on LAN.
What I just did minutes ago and seems to work....
I made a firewall accept rule on all MAC addresses that can have access, and below that one I made a rule that denies access from LAN to WAN/VPN. (So all WiFi and UTP are set up this way.)
(No one in the house on a videocall or game screamed the line was dead, so fingers crossed.)
A nice thing that happened is that I left all IoT out of the list, so they are now confined to only LAN automatically.
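
The accept-then-deny rule pair described in the post above, sketched as an added example that is not part of the thread: a shell function that emits the two `/etc/config/firewall` rule stanzas from a list of MAC addresses. The zone names `lan` and `wan`, the rule names and the sample MAC addresses are assumptions.

```shell
#!/bin/sh
# Added example: emit OpenWrt firewall rules that let only listed MAC
# addresses go from the lan zone to a destination zone, rejecting the rest.
# Zone names, rule names and the sample MACs are assumptions.

# Succeed if $1 is six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the options shared by both rules. $1 = rule name, $2 = dest zone.
rule_head() {
    printf "config rule\n"
    printf "\toption name '%s'\n" "$1"
    printf "\toption src 'lan'\n"
    printf "\toption dest '%s'\n" "$2"
    # Without proto 'all' a rule matches only TCP and UDP.
    printf "\toption proto 'all'\n"
}

# Usage: gen_rules DEST_ZONE MAC [MAC...]
gen_rules() {
    dest=$1
    shift
    allowed=""
    for mac in "$@"; do
        if is_mac "$mac"; then
            allowed="$allowed $(printf '%s' "$mac" | tr 'a-f' 'A-F')"
        else
            echo "skipping invalid MAC: $mac" >&2
        fi
    done
    # Never emit the reject rule alone: that would cut off every LAN client.
    [ -n "$allowed" ] || { echo "no valid MAC given" >&2; return 1; }

    # Rules match top to bottom, so the accept must come before the reject.
    rule_head "Allow-listed-MACs" "$dest"
    for mac in $allowed; do
        printf "\tlist src_mac '%s'\n" "$mac"
    done
    printf "\toption target 'ACCEPT'\n\n"
    rule_head "Reject-other-LAN" "$dest"
    printf "\toption target 'REJECT'\n"
}

# Constructed sample input (locally administered addresses).
gen_rules wan 02:00:00:aa:bb:01 02:00:00:AA:BB:02
```

Run it once per destination zone that should be restricted, for example a second time for a VPN zone under whatever name that zone has.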