Also, if you are spoofing a MAC, that could be a problem. You cannot have 2 devices, with the same MAC, within 3 degrees of separation. There should be no reason to spoof a MAC to accomplish what you described (with a cursory understanding of networking).
Lastly, is your second device a wireless extender or repeater?
I couldn't reply yesterday, because of that new users limit but here is the setup.
LEDE main router (dhcp server and AP)
|
|
|wirelessly 5Ghz
|
v
Client Router (Not dhcp server, not lede but padavan FW https://bitbucket.org/padavan/rt-n56u)
|
|
|wirelessly 2.4Ghz
|
v
Device (that I wish to restrict with firewall rules, I'm using an android phone during testing)
So to answer your question, everything is wireless. The client router is bridged with 5GHz and the creates a second repeater AP on 2.4GHz.
The client router performs MAC-addresses translation
So Every thing is in 192.168.1.0/24
Main 192.168.1.1
Client router 192.168.1.11
And dhcp pool 192.168.1.100-200
Static IP:s 192.168.1.50-99
So no matter if I connect directly to the main router or the client router if I'm reading the Main router's sys log correctly Lede gives me the same ip because it sees the same MAC. Note that I'm not looking at the sys log in the client router at any time. This is what the main router sees.
So, if we call these devices Main, Client and phone in an attempt not to confuse things further.
Let me tell you what I see (everything is done wirelessly).
If I connect the phone with the FW rule in place it blocks both for MAC and IP when I connect to Main.
If I connect the phone with the FW rule in place it does NOT block for either MAC nor IP when I connect to Client.
From what I can tell, your description of the IP network is not valid, you keep insisting that it is.
THIS BEHAVIOR IS EXPECTED, THAT'S HOW IT'S SUPPOSED TO WORK.
Are you running a WDS system?
Is client system a router or a bridge or repeater or what?
Have you done tcpdump on main router?
Could you specify what that means. daemon.info dnsmasq-dhcp in the sys log sees the same mac regardless if I connect to the main or client. Is that enough? So does daemon.info hostapd.
I've installed lede on the client router now to see if it works better. I tried wds first but it was so unstable that it wasn't feasible so I'm now using relayd. The difference is that daemon.info hostapd, when I'm using lede with relayd on the client router, report the router mac for wlan1 before it sees the device behind. Using padavan you always see wlan0.
I can't tell you why that is.
Until you can, you probably won't be able to solve your issue.
I suggest you simply setup 2 routers reset to their defaults, connecting the 2nd via WiFi; and stop trying to relay DHCP and spoof MACs. If you want to block the client, simply do it on the second device, you've installed LEDE now - so you should know how to do so.
Now with two lede routers:
Fascinating.... when I try a simple firewall rule with a single static ip on the main router. It DOESN'T block when I connect to that main router but DOES block when I connect to the client router.
I need clients connected to both routers to able to see each other. I'm not sure how the setup you propose would look like.
The first variant I tried was a router set to act like a repeater.
YOU NEVER MENTIONED THIS BEFORE!!! NOW THINGS MAKE SENSE, YOU'VE BEEN TRYING TO MERGE THESE TWO LANs!!! Well...ensure your device is not a Broadcom, as you cannot configure Wireless Bridging with LEDE on some devices - AND THAT'S WHAT YOU NEED (I provide another solution below).
OK! That make sense.
One option for you is to turn off NAT, and allow the traffic to route across the devices. The devices will have different IP ranges; but you will be able to talk to both networks (and hence, can block by IP address). To do so, you just:
Besides the blocking component of your question what exactly is the object of your network setup? Do you want simply to extend the range of a single large subnet?
mainly that, yes. Also to provide a wired connection where the client router is.
Ok, the "right way" to do this is WDS, unfortunately WDS is not exactly standardized and has limitations and reliability issues on some hardware. If you have LEDE on both devices, I suggest you set up "main" as a WDS AP and the 5ghz on "client" as a WDS client to the "main" and then try that method. when you mixed operating systems on the two devices it might have been much less reliable.
If that doesn't give you reliability, then are you sure you can't put a wire between main and client? This is in general the best way... but I understand it can be difficult to get wires where you need them.
Next thing to ask is are you ok with a routed network? You could have two separate networks that route to each other as suggested by @lleachii but this will not work for roaming between the networks, so they should probably have separate SSIDs
Once you settle on technology you're going to use to provide the network, only then can you decide how to limit the access.
That was the first thing I tried once I installed lede on the client router. but it dropped out constantly. When I tried with the padavan (repurposed asus firmware) I didn't use wds.
That would solve a lot. but tricky in this case.
Would this work with just one firewall rule for MAC on the main router?
I'm ok with different ssid:s.
none of them are
That sounds like a viable idea. I'll see if I can find some guide for that. I don't think I could manage that without some hand holding.
Could you explain why this is? There is something very fundamental I don't understand about firewall rules because this makes no sense to me whatsoever.
The complication here is that (I think) without WDS you don't get bridging between wireless points without alteration of the MAC addresses. Basically client reads in a packet from phone, then mangles the source MAC to something different and sends the packet to Main... and it is specifically dependent on how the firmware is programmed, there's not really a standard method here as far as I know.
If WDS is unreliable, then you can set up "client" to be a wireless client of the "main" device, and then set up a separate subnet on "client" and have it advertise itself as the router. Then everyone on "client" subnet routes through "client" to get anywhere. You turn off masquerading on "client" so that all the individual ips behind "client" are routed rather than NATted
system looks like this:
on main: 2ghz and 5ghz regular APs set up with SSID "MyFavoriteSSID1", and second SSID on 5ghz called "backhaul"
on client: 2ghz and 5ghz regular APs set up with SSID "MyFavoriteSSID2", and also second interface on 5ghz that's a client to "backhaul"
Turn DHCP on for MyFavoriteSSID1 and MYFavoriteSSID2
on client: change the physical settings for "Wan" to use the client for backhaul as the physical WAN. Turn OFF masquerade on WAN...
that's the basics.
First, you never clearly described your setup and it's been made clear that you cannot number both networks with the same IP address range... Next, you have to understand this is incorrect:
MACs are physical, IPs are electronic. If your devices don't PHYSICALLY connect to each other, you cannot make firewall rules based on MAC. To explain, it's likely that you spoofed MACs and there was just a serious Layer 2 (physical layer) issue because of it.
There's not much more than what I just told you:
But I used the IP not the mac for the FW rule.
The routing idea is very appealing though. I'll try it tomorrow. Thank you both for all your help.
Without a lot of details on how you tried that and what configuration was in place it's impossible to know why various things worked. One thing I suspect is perhaps masquerade/NAT was involved somehow.
No problem...For testing, and if you want all devices to talk to each other, you may also wish to:
And as @dlakelan said:
Which would then be by IP for the client you desire to block in your OP:
You could, in fact, in the client router do filtering on MAC address, prevent that MAC from sending packets with dst ip outside the LAN ranges. This avoids having to deal with ensuring that this MAC always gets the same IP address.