I tried your copy, only replacing the MAC. When I then run fw3 restart it gives me errors, and when I remove the section and try again it complains about something else. When I replace the firewall file with a backup, it works again (without any custom rule). I'm at a loss as to why any of this happens. It seems reloading the firewall with those settings corrupted the file somehow.
This is the warning when I try your config
Warning: Option @rule[9].target has invalid value 'DROPâ
option src lanâ'
When I ran with my rule it didn't complain; it listed the rule and said that it assumed tcp udp (recalling from memory), so I'm not sure proto is required.
After adding the rule, try echo f > /proc/net/nf_conntrack to flush the conntrack table, otherwise still-open connections (in the conntrack sense) might still be allowed through, even if the rule would otherwise hit.
Package iptables-mod-ipopt (1.4.21-3) installed in root is up to date
I've tried that now, and restarted firewall after. Makes no difference I'm afraid.
Strange, I don't see that. I'm reading (under rule) that it is not required but it defaults to tcp udp. Am I reading from the wrong section?
I'm sorry I didn't mean to be confrontational. I'm happy for the help you are giving me. I just reported what the output was when I restarted the firewall.
config rule
    option target 'DROP'
    option dest 'wan'
    option name 'Drop_MAC_Rule'
    option family 'ipv4'
    option proto 'all'
    option src_mac '00:00:00:00:00:00'
(i.e. remove src LAN)
also, confirm your WAN is actually named 'wan'
Confirm that you don't have any corrupt characters saved in the firewall file.
Confirm that your default policy for the zone is DROP or REJECT. If the default rule is ACCEPT, that could be the issue.
This isn't a spoofed MAC, is it?
Also, restart the firewall to ensure that there are no current connections. If you are unsure, reboot the LEDE.
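The checks in the post above (no stray characters in /etc/config/firewall, zone actually named 'wan', zone policy, flushing existing connections) can be scripted. The following is an added example written for this thread, not code from any of the posters or from the OpenWrt/LEDE project. It is POSIX sh so it runs under busybox ash on the router; the sample firewall config it checks is constructed here for illustration, and the rule name 'Drop_MAC_Rule', the zone names 'lan' and 'wan' and the MAC 00:11:22:33:44:55 are assumed. The generated rule keeps src 'lan' because an iptables mac match only applies to traffic entering or being forwarded through the router (PREROUTING/INPUT/FORWARD), not to the router's own output.

```shell
#!/bin/sh
# Added example for this thread (not the project's code). Helpers to write a
# MAC-based drop rule as plain ASCII and to run the checks discussed above.

# Print a UCI rule stanza. Generating it with printf avoids the curly quotes
# that a browser copy-paste can introduce (the cause of the 'DROPâ' warning).
emit_mac_drop_rule() {  # $1=MAC  $2=src zone  $3=dest zone
    printf 'config rule\n'
    printf "\toption name 'Drop_MAC_Rule'\n"
    printf "\toption src '%s'\n" "$2"
    printf "\toption dest '%s'\n" "$3"
    printf "\toption src_mac '%s'\n" "$1"
    printf "\toption proto 'all'\n"
    printf "\toption family 'ipv4'\n"
    printf "\toption target 'DROP'\n"
}

# Return 0 if the file holds only printable ASCII and whitespace, 1 otherwise.
# In the C locale [:print:] is 0x20-0x7E, so every byte of a UTF-8 curly quote
# or other multi-byte character fails the check.
check_ascii_only() {  # $1=path
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$1" && return 1
    return 0
}

# Print the names of all zones defined in a firewall config file, one per line.
list_zone_names() {  # $1=path
    awk -v q="'" '
        function unq(s) { gsub("[\"" q "]", "", s); return s }
        /^config/            { inzone = 0 }
        /^config[ \t]+zone/  { inzone = 1 }
        inzone && $2 == "name" { print unq($3) }
    ' "$1"
}

# Print the forward policy ("ACCEPT", "REJECT", "DROP" or empty) of one zone.
zone_forward_policy() {  # $1=path  $2=zone name
    awk -v q="'" -v want="$2" '
        function unq(s) { gsub("[\"" q "]", "", s); return s }
        function flush()  { if (inzone && name == want) print fwd; inzone = 0 }
        /^config/              { flush(); name = ""; fwd = "" }
        /^config[ \t]+zone/    { inzone = 1 }
        inzone && $2 == "name"    { name = unq($3) }
        inzone && $2 == "forward" { fwd  = unq($3) }
        END { flush() }
    ' "$1"
}

# Drop all tracked connections so already-open flows are re-evaluated by the
# new rule. Only attempted where the conntrack file exists (i.e. on the router).
flush_conntrack() {
    if [ -w /proc/net/nf_conntrack ]; then
        echo f > /proc/net/nf_conntrack
    fi
}

# Constructed sample of /etc/config/firewall (assumed layout, not from the thread).
sample_config() {
    cat <<'EOF'
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

EOF
}

# Stand-alone demo: build a config with the rule appended and run the checks.
demo() {
    tmp=$(mktemp)
    { sample_config; emit_mac_drop_rule '00:11:22:33:44:55' lan wan; } > "$tmp"
    if check_ascii_only "$tmp"; then echo "no non-ASCII bytes in config"
    else echo "CORRUPT characters in config"; fi
    echo "zones: $(list_zone_names "$tmp" | tr '\n' ' ')"
    echo "wan forward policy: $(zone_forward_policy "$tmp" wan)"
    rm -f "$tmp"
}
demo
```

On the router you would run the same checks against /etc/config/firewall itself, append the output of emit_mac_drop_rule to that file, then fw3 restart and flush_conntrack. If check_ascii_only fails, `LC_ALL=C grep -n '[^[:print:][:space:]]' /etc/config/firewall` shows the offending lines.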
That's it! I didn't think of that. Thank you! I still don't know how to solve the problem but at least now I know what the problem is.
The client was connected through a second client router. It's the real MAC but it has "jumped" once. The LEDE router is the only DHCP server, and it didn't work even when I tried to use the static IP instead of the MAC, so I didn't think that was the problem. Clearly I was wrong. When I connect directly to the LEDE router it works just as intended without any further alterations.
I still don't understand why this is a problem. If I look in routes in LuCI I can see the MAC and IP just fine, so why can I not use it in the FW rules? How do I get this to work?
MAC is Layer 2, IP is Layer 3... You can only use the MAC if the device is directly connected to the device the rule is placed on. If the device is not physically connected to the LEDE, you'll have to use the IP address.
I kinda doubt that it's configured properly...since it would be impossible to do so based on your statement:
Please provide the IP of the device as the LEDE sees it.
Do not provide the WAN IP of the second router. If the LEDE can only see the WAN IP of the second router, THAT'S YOUR PROBLEM; because that means it only sees the MAC of the second router as well.
I highly suggest you review some basic networking and firewalling tutorials.
It is possible, of course, that it is not configured correctly. But if I look in the syslog when it connected first to the LEDE router, then disconnect and connect to the client router, it looks exactly the same. I.e. it is given the same IP and it sees the same MAC.
I am absolutely not using the MAC or IP of the client router. I know the difference. The IP used is the same IP (and MAC) that I can see on the device itself.
I see that this device is wireless (you never mentioned that before).
You have not described how the second device is configured, but it cannot be a router, based on what you described and your logs (as you claim to connect to either access point, on either device, and the client appears in the LEDE's log - HOW?).
If you connected to the AP of the second device, you shouldn't be able to see the MAC in the LEDE's log.
If you have a second downstream router with the same subnet on both sides, that device is misconfigured. Please ensure that all local networks are numbered differently.
Have you tried connecting directly to the LEDE and setting up the client? Forgetting about the second router??
I'm trying to understand how you connect to two different APs, on two different devices, yet appear to the upstream as one MAC.
I'm also trying to understand why you believe you can see the MAC of a wireless device in the LEDE log when it's connected to the AP of a second device.