I tried your copy only replacing the mac. When I then run fw3 restart it gives me errors, then when I remove the section and try again. It complains about something else. When I replace the firewall file with a backup. it works again (without any custom rule). I'm at a loss of why any of this happens. It seems reloading the firewall with those setting corrupted the file somehow.
This is the warning when I try your config
Warning: Option @rule.target has invalid value 'DROP’
option src lan’'
After adding the rule, try echo f > /proc/net/nf_conntrack to flush the conntrack table, otherwise yet-open connections (in the conntrack sense) might still be allowed through, even if the rule would otherwise hit.
That's it! I didn't think of that. Thank you! I still don't know how to solve the problem but at least now I know what the problem is.
The client was connected through a second client router. It's the real MAC but it has "jumped" once. The LEDE router is the only DHCP server, and it didn't work even when I tried to use the static IP instead of the MAC, so I didn't think that was the problem. Clearly I was wrong. When I connect directly to the LEDE router it works just as intended without any further alterations.
I still don't understand why this is a problem. If I look in routes in LuCI I can see the MAC and IP just fine, so why can I not use it in the FW rules? How do I get this to work?
MAC is Layer 2, IP is Layer 3. You can only use MAC if it's directly connected to the device the rule is placed on. If the device is not physically connected to the LEDE, you'll have to use the IP address.
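An added example, not from any poster in this thread: the drop rule in /etc/config/firewall (fw3) syntax with plain ASCII quotes, a check for the non-ASCII quote bytes that produce the "invalid value 'DROP’" warning quoted above, the src_ip variant for a client behind a second router (the Layer 2 / Layer 3 point), and the conntrack flush from the earlier reply. The MAC, IP, rule name and temp file paths are constructed values.

```shell
#!/bin/sh
# Added example (not the thread's own config). Assumed/constructed values:
# the MAC 00:11:22:33:44:55, the IP 192.168.1.50 and the rule name.

# Client directly attached to the LEDE router (Layer 2): match on src_mac.
RULE_BY_MAC="config rule
    option name 'block-client'
    option src 'lan'
    option src_mac '00:11:22:33:44:55'
    option dest 'wan'
    option proto 'all'
    option target 'DROP'"

# Client behind a second router: only that router's MAC reaches this box,
# so the rule has to match on the client's IP (Layer 3) instead.
RULE_BY_IP="config rule
    option name 'block-client'
    option src 'lan'
    option src_ip '192.168.1.50'
    option dest 'wan'
    option proto 'all'
    option target 'DROP'"

# Return 0 if the file is pure ASCII (printable or whitespace), 1 if any
# other byte is present, e.g. the UTF-8 bytes of a curly quote pasted from
# a browser. LC_ALL=C makes grep work byte by byte.
check_ascii() {
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# Write one rule to a file and verify it before it goes anywhere near
# /etc/config/firewall. Returns check_ascii's status.
write_rule() { # $1 = rule text, $2 = destination file
    printf '%s\n' "$1" > "$2"
    check_ascii "$2"
}

# A reloaded rule only affects new flows; flush conntrack so an
# already-established connection is re-evaluated as well.
apply_and_flush() {
    fw3 reload && echo f > /proc/net/nf_conntrack
}
```

Append the verified rule to /etc/config/firewall on the router and then call apply_and_flush there; the check functions run on any POSIX shell.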
It is possible, of course, that it is not configured correctly. But if I look in the syslog when it connected first to the LEDE router, then disconnect and connect to the client router, it looks exactly the same. I.e. it is given the same IP and it sees the same MAC.
I am absolutely not using the MAC or IP of the client router. I know the difference. The IP used is the same IP (and MAC) that I can see on the device itself.
I see that this device is Wireless (you never mentioned that before.)
You have not described how the second device is configured, but it cannot be a router, based on what you described and your logs (as you claim to connect to either access point, on either device, and the client appears in the LEDE's log - HOW?).
If you connected to the AP of the second device, you shouldn't be able to see the MAC in the LEDE's log.
If you have a second downstream router with the same subnet on both sides, that device is misconfigured. Please ensure that all local networks are numbered differently.
Have you tried connecting directly to the LEDE and setting up the client? Forgetting about the second router??
I'm trying to understand how you connect to two different APs, on two different devices, yet appear in the upstream's log as one MAC.
I'm also trying to understand why you believe you can see the MAC of a wireless device in the LEDE log when it's connected to the AP of a second device.