oldwrt
October 10, 2023, 11:07am
1
Hello!
In the past I just used one line in the custom firewall file (via gui) to deny/cut internet access to some devices of mine (like cameras). With a recent update/change (DSA?) this simple way seems to be gone.
Is there any other "easy" way to do this without starting the deep dive into VLANs?
Thank you!
Can you show the firewall rule that stopped working for you?
Yes.
You'll likely need to reduce your command to OpenWrt's UCI syntax.
1 Like
oldwrt
October 10, 2023, 11:15am
3
I searched it (entered via LuCI) but it seems it didn't survive the update (other config luckily did).
I just remember it was one line and it contained the MAC of the device - so no fiddling with IPs etc.
lleachii:
Yes.
Would you mind elaborating on such an "easy" way?
I was going to suggest making such a rule. This is possible with OpenWrt.
Make a rule that blocks the MAC.
1 Like
oldwrt
October 10, 2023, 11:17am
5
I'm not familiar with such (any OpenWrt) rules, any docs on where to start or even a snippet maybe?
Kind of an "if this MAC asks the ROUTER, just discard it if the destination is WWW" kind of rule, would that be it I guess?
oldwrt
October 10, 2023, 11:25am
7
lleachii:
In LuCI:
Can you give me one more hint on how to configure this so that the device (added via MAC) is allowed all LAN traffic but DENIED all WAN traffic?
Maybe just like that:
Anyone can confirm/deny that this would/should make sense/work? I'd rather not lock myself out of (brick) my main router.
krazeh
October 10, 2023, 11:56am
8
You can/should leave Match device as unspecified. Otherwise it looks fine.
3 Likes
oldwrt
October 10, 2023, 11:57am
9
krazeh:
Otherwise it looks fine.
OK, thx for the check, I will go save the rule then.... If I fail it will be silent here - otherwise I'll announce my success
oldwrt
October 10, 2023, 12:06pm
10
So I have the rule saved:
# /etc/config/firewall
uci add firewall rule # =cfg0e92bd
uci add firewall rule # =cfg0f92bd
uci add firewall rule # =cfg1092bd
uci set firewall.@rule[-1].name='Block Internet based on MAC'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_mac='00:11:22:33:44:55'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].target='REJECT'
But looking at the active connections https://openwrt.lan/cgi-bin/luci/admin/status/realtime/connections
it still shows active TCP/UDP connections for that particular device - is it an artifact? The transfer counter (packets) is still increasing:
IPV4 TCP iliketheclouds.lan:35968 ec4-3-136-81-31.eu-central-1.compute.amazonaws.com:6601 220.78 KiB (789 Pkts.)
IPV4 TCP iliketheclouds.lan:47717 ec6-42-53-6-30.eu-central-1.compute.amazonaws.com:6610 193.46 KiB (781 Pkts.)
IPV4 UDP iliketheclouds.lan:57072 ec8-22-26-226-211.eu-central-1.compute.amazonaws.com:8765 107.05 KiB (2080 Pkts.)
Be sure to restart the firewall service or reboot the router to reset connection tracking.
3 Likes
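The rule posted above and the firewall restart suggested right after it, put together as an added example script (not code from the thread or from OpenWrt). It assumes OpenWrt's default zone names `lan` and `wan` and the `uci` and `/etc/init.d/firewall` tools of an OpenWrt router; off the router it only prints the commands for review. The MAC check guards against the mistake raised later in the thread (a rule whose MAC does not match the client matches nothing and silently does nothing), and a single `uci add` is used because every `uci add firewall rule` creates one more anonymous section and only the last one (`[-1]`) receives the options that follow.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: build the fw4
# rule discussed above (device keeps LAN access, traffic to the wan zone is
# rejected, matched on the client's MAC) and apply it including the
# firewall restart that clears stale connection-tracking entries.
# Assumes OpenWrt's default zone names 'lan' and 'wan' and the 'uci' and
# /etc/init.d/firewall tools of an OpenWrt router.

# Accept only a complete colon-separated MAC (six hex octets), so a typo
# cannot silently produce a rule that matches nothing.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the UCI commands for one rule. One 'uci add firewall rule' is
# enough: each 'uci add' creates a further anonymous section, and only the
# last one ([-1]) receives the options set afterwards.
rule_commands() {
    mac="$1"
    name="${2:-Block Internet based on MAC}"
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='$name'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_mac='$mac'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
EOF
}

# Run the commands on the router and restart the firewall. The restart is
# what resets connection tracking, so sessions the device opened before the
# rule existed do not keep flowing (the symptom reported in the thread).
# Router access is unaffected: the rule only matches lan -> wan traffic.
apply_rule() {
    rule_commands "$1" "$2" | sh -e || return 1
    /etc/init.d/firewall restart
}

# Usage: sh block-mac.sh 00:11:22:33:44:55 "Block cameras" [--apply]
# Pass '' as the name to keep the default. Without --apply the commands
# are only printed so they can be reviewed first.
if [ -n "${1:-}" ]; then
    if [ "${3:-}" = "--apply" ]; then
        apply_rule "$1" "$2"
    else
        rule_commands "$1" "$2"
    fi
fi
```

Run it once without `--apply` and compare the printed commands with the saved rule before letting it touch the router.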
oldwrt
October 10, 2023, 12:20pm
12
Just did that but the connections are still there...
Will do that now
1 Like
oldwrt
October 10, 2023, 12:55pm
13
oldwrt:
Will do that now
No luck, the device still connects happily to the cloud according to the real-time connections
Verify that the specified MAC address matches the client you want to restrict.
1 Like
On the Advanced tab, you only need to edit "Source MAC Address".
oldwrt
October 10, 2023, 1:42pm
16
Triple-checked and it's correct (it shows the hostname with the MAC)
Indeed, that's where I chose the device I want to restrict.
And now I see that the connections are actually LAN only!
IPV4 UDP iliketheclouds.lan:58189 openwrt.lan:53 162 B (2 Pkts.)
IPV4 UDP iliketheclouds.lan:47018 openwrt.lan:53 162 B (2 Pkts.)
Thanks everyone for your quick help
1 Like
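The check the thread did by eye (after the rule, only DNS lookups to the router remain for the restricted device), as an added example script that is not part of the thread. It reads connection lines in the layout of LuCI's Realtime Connections page as pasted above and lists every destination that is not on the LAN. The sample lines are constructed for this example from the hostnames in the thread; the local domain suffix `.lan` is an assumption matching the pasted output.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a restricted device's
# tracked connections stay inside the LAN. Input lines follow the layout of
# LuCI's Realtime Connections page as pasted in the thread:
#   IPV4 <proto> <src host:port> <dst host:port> <bytes> <unit> (<n> Pkts.)
# The sample below is constructed for this example from the thread's
# hostnames; '.lan' as the local domain suffix is an assumption.

SAMPLE='IPV4 TCP iliketheclouds.lan:35968 ec4-3-136-81-31.eu-central-1.compute.amazonaws.com:6601 220.78 KiB (789 Pkts.)
IPV4 UDP iliketheclouds.lan:58189 openwrt.lan:53 162 B (2 Pkts.)
IPV4 UDP iliketheclouds.lan:47018 openwrt.lan:53 162 B (2 Pkts.)
IPV4 TCP laptop.lan:51000 example.org:443 10.00 KiB (20 Pkts.)'

# Read connection lines on stdin and print the destinations (host:port) of
# $1 whose host does not end with the local suffix $2 (default .lan).
# An empty result means the device only talks to LAN hosts.
wan_connections() {
    host="$1"; suffix="${2:-.lan}"
    awk -v host="$host" -v suffix="$suffix" '
        $3 ~ ("^" host ":") {
            dst = $4
            sub(/:[0-9]+$/, "", dst)          # strip the port
            tail = substr(dst, length(dst) - length(suffix) + 1)
            if (tail != suffix) print $4
        }'
}

# Exit 0 when $1 has no tracked connections outside the LAN, 1 otherwise.
lan_only() {
    [ -z "$(wan_connections "$1" "$2")" ]
}

# Usage: paste the page's connection lines into a file, then
#   sh lan-only.sh iliketheclouds.lan < connections.txt
# With no argument the built-in sample is checked.
if [ -n "${1:-}" ]; then
    wan_connections "$1" "$2"
else
    printf '%s\n' "$SAMPLE" | wan_connections iliketheclouds.lan
fi
```

Because connection tracking keeps entries alive until they time out, an empty result is only meaningful after the firewall restart mentioned earlier in the thread; stale entries from before the rule show up here as WAN destinations even though new packets are already being rejected.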
system
Closed
October 20, 2023, 1:44pm
17
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.