Simple way to deny internet access to clients


In the past I just used one line in the custom firewall file (via gui) to deny/cut internet access to some devices of mine (like cameras). With a recent update/change (DSA?) this simple way seems to be gone.

Is their any other "easy" way to do this without starting the deep dive into VLAN's?

Thank you!

Can you show the firewall rule that stopped working for you?


You'll likely need to reduce your command to OpenWrt's UCI syntax.

1 Like

I searched it (entered via LuCi) but it seems it didn't survive the update (other config luckily did).

Just remember it was one line and it contained the MAC of the device - so no fiddling with IP's etc.

Would you mind to elaborate such a "easy" way?

I was going to suggest making such a rule. This is possible with OpenWrt.

Make a rule that blocks the MAC.

1 Like

I'm not familiar with such (any openwrt) rules, any docs were to start or even a snippet maybe?

Kind of if this MAC asks the ROUTER just discard it if the destination is WWW kind of rule would that be I guess?

In LuCI:


Can you give me one more hint how to configure this that the device (added via MAC) is allowed all LAN traffic but DENIED all WAN traffic?

Maybe just like that:

Any one can confirm/deny that this would/should make sense/work? I rather don't want to lock me out (brick) my main router. :grimacing:

You can/should leave Match device as unspecified. Otherwise it looks fine.


OK. thx for the check I wil go save the rule then.... I fail it will be silent here - otherwise I announce my success :crossed_fingers:

So I have the rule saved:

# /etc/config/firewall
uci add firewall rule # =cfg0e92bd
uci add firewall rule # =cfg0f92bd
uci add firewall rule # =cfg1092bd
uci set firewall.@rule[-1].name='Block Internet based on MAC'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_mac='00:11:22:33:44:55'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].target='REJECT'

But looking at the active connections https://openwrt.lan/cgi-bin/luci/admin/status/realtime/connections

it still shows active TCP/UDP connections for that particular device - is it an artifact? The transfer counter (packages) is still increasing:

IPV4	TCP	iliketheclouds.lan:35968	220.78 KiB (789 Pkts.)
IPV4	TCP	iliketheclouds.lan:47717	193.46 KiB (781 Pkts.)
IPV4	UDP	iliketheclouds.lan:57072	107.05 KiB (2080 Pkts.)

Be sure to restart the firewall service or reboot the router to reset connection tracking.


Just did that but the connections are still there...

Will do that now :+1:

1 Like

No luck, the device still connects happily to the cloud regarding the real time connections :sob:

Verify that the specified MAC address matches the client you want to restrict.

1 Like

On the Advanced tab, you only need to edit "Source MAC Address".

tripple checked and it's correct (it shows the hostname with the MAC)

Indeed, that's were I choose the device I want to restrict.

And now I see that the connections are actually LAN only! :clap:

IPV4 UDP iliketheclouds.lan:58189 openwrt.lan:53 162 B (2 Pkts.)
IPV4 UDP iliketheclouds.lan:47018 openwrt.lan:53 162 B (2 Pkts.)

Thank's everyone for your quick help :+1:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.