Simple Firewall rule not working, why?

Also, if you are spoofing a MAC, that could be a problem. You cannot have 2 devices, with the same MAC, within 3 degrees of separation. There should be no reason to spoof a MAC to accomplish what you described (with a cursory understanding of networking).

Lastly, is your second device a wireless extender or repeater?

I couldn't reply yesterday, because of that new users limit but here is the setup.

LEDE main router (dhcp server and AP)
|wirelessly 5Ghz
Client Router (Not dhcp server, not lede but padavan FW
|wirelessly 2.4Ghz
Device (that I wish to restrict with firewall rules, I'm using an android phone during testing)

So to answer your question, everything is wireless. The client router is bridged with 5GHz and the creates a second repeater AP on 2.4GHz.

The client router performs MAC-addresses translation

So Every thing is in

Client router
And dhcp pool
Static IP:s

So no matter if I connect directly to the main router or the client router if I'm reading the Main router's sys log correctly Lede gives me the same ip because it sees the same MAC. Note that I'm not looking at the sys log in the client router at any time. This is what the main router sees.

So, if we call these devices Main, Client and phone in an attempt not to confuse things further.

Let me tell you what I see (everything is done wirelessly).
If I connect the phone with the FW rule in place it blocks both for MAC and IP when I connect to Main.
If I connect the phone with the FW rule in place it does NOT block for either MAC nor IP when I connect to Client.

  • You've lost me this some AP control software???
  • Is that why you believe that you can put the 2.4 AP on the same IP subnet as the 5.4 router???
  • MAC Address Translation...WHAT!?!?! That's spoofing!!! Why are you spoofing a MAC???
  • If you're connecting to the 2.4, please explain EXACTLY HOW the MAC is seen on the LEDE (as you should actually see the MAC of 2nd device's 5.4 linking to the LEDE)

From what I can tell, your description of the IP network is not valid, you keep insisting that it is.


Are you running a WDS system?

Is client system a router or a bridge or repeater or what?

Have you done tcpdump on main router?

Could you specify what that means. dnsmasq-dhcp in the sys log sees the same mac regardless if I connect to the main or client. Is that enough? So does hostapd.

I've installed lede on the client router now to see if it works better. I tried wds first but it was so unstable that it wasn't feasible so I'm now using relayd. The difference is that hostapd, when I'm using lede with relayd on the client router, report the router mac for wlan1 before it sees the device behind. Using padavan you always see wlan0.

I can't tell you why that is.

Until you can, you probably won't be able to solve your issue.


  • Why are you relaying DHCP requests???
  • You didn't answer @dlakelan's questions. They're very important in understanding your configuration.
  • You still havent explained why you're spoofing a MAC address.

I suggest you simply setup 2 routers reset to their defaults, connecting the 2nd via WiFi; and stop trying to relay DHCP and spoof MACs. If you want to block the client, simply do it on the second device, you've installed LEDE now - so you should know how to do so.

Now with two lede routers:

Fascinating.... when I try a simple firewall rule with a single static ip on the main router. It DOESN'T block when I connect to that main router but DOES block when I connect to the client router.

I need clients connected to both routers to able to see each other. I'm not sure how the setup you propose would look like.

The first variant I tried was a router set to act like a repeater.

YOU NEVER MENTIONED THIS BEFORE!!! NOW THINGS MAKE SENSE, YOU'VE BEEN TRYING TO MERGE THESE TWO LANs!!! Well...ensure your device is not a Broadcom, as you cannot configure Wireless Bridging with LEDE on some devices - AND THAT'S WHAT YOU NEED (I provide another solution below).

OK! That make sense.

One option for you is to turn off NAT, and allow the traffic to route across the devices. The devices will have different IP ranges; but you will be able to talk to both networks (and hence, can block by IP address). To do so, you just:

  • Turn off NAT (masquerading) on the WAN Firewall Zone of the 2nd router
  • Make a static route to the 2nd LAN subnet on the 1st LEDE

Besides the blocking component of your question what exactly is the object of your network setup? Do you want simply to extend the range of a single large subnet?

1 Like

mainly that, yes. Also to provide a wired connection where the client router is.

Ok, the "right way" to do this is WDS, unfortunately WDS is not exactly standardized and has limitations and reliability issues on some hardware. If you have LEDE on both devices, I suggest you set up "main" as a WDS AP and the 5ghz on "client" as a WDS client to the "main" and then try that method. when you mixed operating systems on the two devices it might have been much less reliable.

If that doesn't give you reliability, then are you sure you can't put a wire between main and client? This is in general the best way... but I understand it can be difficult to get wires where you need them.

Next thing to ask is are you ok with a routed network? You could have two separate networks that route to each other as suggested by @lleachii but this will not work for roaming between the networks, so they should probably have separate SSIDs

Once you settle on technology you're going to use to provide the network, only then can you decide how to limit the access.

1 Like

That was the first thing I tried once I installed lede on the client router. but it dropped out constantly. When I tried with the padavan (repurposed asus firmware) I didn't use wds.

That would solve a lot. but tricky in this case.

Would this work with just one firewall rule for MAC on the main router?

I'm ok with different ssid:s.

none of them are

That sounds like a viable idea. I'll see if I can find some guide for that. I don't think I could manage that without some hand holding.

Could you explain why this is? There is something very fundamental I don't understand about firewall rules because this makes no sense to me whatsoever.

The complication here is that (I think) without WDS you don't get bridging between wireless points without alteration of the MAC addresses. Basically client reads in a packet from phone, then mangles the source MAC to something different and sends the packet to Main... and it is specifically dependent on how the firmware is programmed, there's not really a standard method here as far as I know.

If WDS is unreliable, then you can set up "client" to be a wireless client of the "main" device, and then set up a separate subnet on "client" and have it advertise itself as the router. Then everyone on "client" subnet routes through "client" to get anywhere. You turn off masquerading on "client" so that all the individual ips behind "client" are routed rather than NATted

system looks like this:

on main: 2ghz and 5ghz regular APs set up with SSID "MyFavoriteSSID1", and second SSID on 5ghz called "backhaul"

on client: 2ghz and 5ghz regular APs set up with SSID "MyFavoriteSSID2", and also second interface on 5ghz that's a client to "backhaul"

Turn DHCP on for MyFavoriteSSID1 and MYFavoriteSSID2

on client: change the physical settings for "Wan" to use the client for backhaul as the physical WAN. Turn OFF masquerade on WAN...

that's the basics.

First, you never clearly described your setup and it's been made clear that you cannot number both networks with the same IP address range... Next, you have to understand this is incorrect:

MACs are physical, IPs are electronic. If your devices don't PHYSICALLY connect to each other, you cannot make firewall rules based on MAC. To explain, it's likely that you spoofed MACs and there was just a serious Layer 2 (physical layer) issue because of it.

There's not much more than what I just told you:

But I used the IP not the mac for the FW rule.

The routing idea is very appealing though. I'll try it tomorrow. Thank you both for all your help.

1 Like

Without a lot of details on how you tried that and what configuration was in place it's impossible to know why various things worked. One thing I suspect is perhaps masquerade/NAT was involved somehow.

1 Like

No problem...For testing, and if you want all devices to talk to each other, you may also wish to:

  • Enable forwarding from WAN to LAN on the second LEDE

And as @dlakelan said:

Which would then be by IP for the client you desire to block in your OP:

  • on the 1st device to block it from going to the Interent
  • on the 2nd device to block it from the 1st device and the Internet

You could, in fact, in the client router do filtering on MAC address, prevent that MAC from sending packets with dst ip outside the LAN ranges. This avoids having to deal with ensuring that this MAC always gets the same IP address.