Simple Firewall rule not working, why?

I'm trying to restrict Internet access for a single mac address

with:

config rule
	option src                        'lan'
	option name                    'RuleName'
	option dest                      'wan'
	option target                   'REJECT'
	option src_mac               macAddress

Seems simple enough, but it still lets all traffic through. Why?

Do I need do install additional packages then the ones that came as default? What's the problem here? How do I troubleshoot this?

I can only think:

  • You didn't specify protocol family as 'ipv4' or 'ipv6' (but this is NOT REQUIRED)
  • You didn't specify IP protocol as 'all' (THIS OPTION IS REQUIRED)

This is a copy of a rule that works on my device:

config rule                                         
        option target 'DROP'                        
        option src 'lan'                    
        option dest 'wan'                                   
        option name 'Drop_MAC_Rule'                  
        option family 'ipv4'                        
        option proto 'all'                      
        option src_mac 'xx:xx:xx:xx:xx:xx'

I tried your copy only replacing the mac. When I then run fw3 restart it gives me errors, then when I remove the section and try again. It complains about something else. When I replace the firewall file with a backup. it works again (without any custom rule). I'm at a loss of why any of this happens. It seems reloading the firewall with those setting corrupted the file somehow.

This is the warning when I try your config

Warning: Option @rule[9].target has invalid value 'DROPâ
option src lanâ'

I used notepad++ when I edited the file.

When I ran with my rule it didn't complain and listed the rule and said that it assumed tcp udp. (recalling from memory) so Im not sure proto is required

Are you running LEDE Reboot 17.01.4?

I'm using a TP-Link TL-WDR4300 v1 in case it matters.

  • What are those corrupt characters you pasted!? That may be the problem.
  • Also, you may need to install the package iptables-mod-ipopt as this adds libipt_mac

Also see: https://wiki.openwrt.org/doc/howto/netfilter

Yes, I am running 17.01.4.

Those were just copied ad verbatim from the putty instance.
It was the output from restarting the firewall

It says not required in the manual under rule.

In any case if I use luci it gives:

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Name'
	option proto 'all'
	option src_mac 'mac'
	option target 'REJECT'

And it still doesn't work.

After adding the rule, try echo f > /proc/net/nf_conntrack to flush the conntrack table, otherwise yet-open conenctions (in the conntrack sense) might still be allowed through, even if the rule would otherwise hit.

1 Like

Did you install iptables-mod-ipopt as I noted???

From the link i sent:

proto protocol name or number yes

Package iptables-mod-ipopt (1.4.21-3) installed in root is up to date

I've tried that now, and restarted firewall after. Makes no difference I'm afraid.

Strange, I don't see that. I'm reasinf (under rule) that it is not required but it defaults to tcpudp. Am I reading from the wrong section?

I'm sorry I didn't mean to be confrontational. I'm happy for the help you are giving me. I just reported what the output was when I restarted the firewall.

When I restart the firewall it seems to be working but it isn't

https://justpaste.it/1gdb3

Odd, then you probably didn't notice that the default is:

tcpudp

You must specify option proto 'all'.

I have. Still doesn't work

Try:

config rule
option target 'DROP'
option dest 'wan'
option name 'Drop_MAC_Rule'
option family 'ipv4'
option proto 'all'
option src_mac '00:00:00:00:00:00'

  • (i.e. remove src LAN)
  • also, confirm your WAN is actually named 'wan'
  • Confirm that you don't have any corrupt characters saved in the firewall file.
  • Confirm that your default policy for the zone is is DROP or REJECT. If the default rule is ACCEPT, that could be the issue.
  • This isn't a spoofed MAC, is it?

Also, restart the firewall to ensure that there are no current connections. If you are unsure, reboot the LEDE.

1 Like

That's it! I didn't think of that. Thank you! I still don't know how to solve the problem but at least now I know what the problem is.

The client was connected through a second client router. It's the real MAC but it has "jumped" once. The lede router is the only dhcp server, and it didn't work even when I tried to use the static ip instead of the MAC so I didn't think that was the problem. Clearly I was wrong. When I connect directly to the lede router it works just as intended without any further alterations.

I still don't understand why this is a problem. If I look in routes in luci I can see the MAC and ip just fine so why can I not use it in the FW rules? How do I get this to work?

Then you can't use MAC.

MAC is Layer 2, IP is Layer 3...You can only use MAC if it's directly connected to the device the rule is placed on. If the device is not physically connected to the LEDE, you'll have to use IP address.

1 Like

I've tried that before, and now I tried it again. It doesn't work with ip either.

I kinda doubt that it's configured properly...since it would be impossible to do so based on your statement:

Please provide the IP of the device as the LEDE sees it.

  • Do not provide the WAN IP of the second router. If the LEDE can only see the WAN IP of the second router, THAT'S YOUR PROBLEM; because that means it only sees the MAC of the second router as well.
  • I highly suggest you review some basic networking and firewalling tutorials.

It is possible, of course, that it is not configured correctly. But if I look in the sys log when it connected first to the lede router then disconnect and connect to the client router it looks exactly the same. I.e. it is given the same ip and it sees the same mac.

I am absolutely not using the MAC or IP of the client router. I know the difference. The ip used is the same ip and (and mac) that I can see on the device itself.

:slightly_frowning_face:

Unless the second device is not a router, that isn't possible.

@TheBigD, I've read your private message:

  • I see that this device is Wireless (you never mentioned that before.)
  • You have not described how the second device is configured, but it cannot be a router, based by what you described and your logs (as you claim to connect to either access point, on either device, and the client appears in the LEDE's log - HOW?).
  • If you connected to the AP of the second device, you shouldn't be able to see the MAC in the LEDE's log.

If you have a second downstream router with the same subnet on both sides, that device is misconfigured. Please ensure that all local networks are numbered differently.

  • Have you tried connecting directly to the LEDE and setting up the client? Forgetting about the second router??

  • I'm trying to understand how you connect to two different APs, on two different devices, yet appears in the upstream's as one MAC.

  • I'm also trying to understand why you believe you can see the MAC of a WIreless device in the LEDE log, when its connected to the AP of a second device.