[Solved] Firewalling: Block ALL, allow individual hosts by MAC

Simple, eh? Done before, right? Can't get it to work... (stupid?)

GL.iNet GL-AR300M16; OpenWrt 23.05.3 r23809-234f1a2efa / LuCI openwrt-23.05 branch git-24.073.29889-cd7e519

Clients on Wifi; connected to upstream main router via "WAN" port. All working normally (very basic "out of the box" setup, only flashed with the above latest pure owrt, and of course not kept any settings (actually, no setup done after taking the thing out of the box)).

Now, I want the firewall to block ALL clients on LAN (Wifi or LAN Port, though that's not important as it'll be safely inaccessible physically where it goes) from going ANYWHERE. And then I want to add a rule for a particular MAC allowing that thing ANYTHING.

General setup in /etc/config/firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '1'

and then these rules:

config rule
        option name 'ALLOW_Client1'
        option src 'lan'
        list src_mac '11:22:33:44:55:66'
        option dest '*'
        option target 'ACCEPT'
        list proto 'all'
        option enabled '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'BLOCK_ALL'
        option src '*'
        option dest 'wan'
        option target 'REJECT'
        option enabled '1'

Me thinks:

  1. the "Client1" rule should allow that box (MAC anonymized above) anything.
  2. the "BLOCK_ALL" rule would block (reject) anything coming from anywhere going to WAN, and would apply to any other source MAC except for the one in rule #1

Me thinks to understand: the rules are digested top to bottom, so rule #1 would match any traffic from client1 and allow it through, and no further rules lower in the list will be applied at all. I.e. the "BLOCK_ALL" will never get tested for that packet, and hence will have no effect for Client1.

#2 works, and I get everything blocked (and logged in syslog)... but even with #1 enabled. Only if I turn off #2 can the client access web pages.

Probably dead simple... but me again... :wink:

You're basically right, but src '*' takes precedence over src 'lan', so you have two options:

config rule
        option name 'ALLOW_Client1'
        option src '*'
        list src_mac '11:22:33:44:55:66'
        option dest '*'
        option target 'ACCEPT'
        list proto 'all'
        option enabled '1'

config rule
        option name 'BLOCK_ALL'
        option src '*'
        option dest '*'
        option target 'REJECT'
        list proto 'all'
        option enabled '1'

or

config rule
        option name 'ALLOW_Client1'
        option src 'lan'
        list src_mac '11:22:33:44:55:66'
        option dest 'wan'
        option target 'ACCEPT'
        list proto 'all'
        option enabled '1'

config rule
        option name 'BLOCK_ALL'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list proto 'all'
        option enabled '1'
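Added illustration (not from the thread, and not fw4 itself): a small model of the ordering the answer describes, run over the poster's rules and the explicit-'lan' variant. It assumes fw4 tests src '*' rules in the base forward chain before any zone chain and, within a group, in file order; everything else is a constructed stand-in.

```python
import re

# Constructed from the thread: the poster's rules (MAC anonymized as on the page).
ORIGINAL = """
config rule
    option name 'ALLOW_Client1'
    option src 'lan'
    list src_mac '11:22:33:44:55:66'
    option dest '*'
    option target 'ACCEPT'
config rule
    option name 'BLOCK_ALL'
    option src '*'
    option dest 'wan'
    option target 'REJECT'
"""
# The variant the poster settled on: explicit 'lan' -> 'wan' on both rules.
FIXED = ORIGINAL.replace("option dest '*'", "option dest 'wan'").replace(
    "option src '*'", "option src 'lan'")

def parse_rules(text):
    """Tiny UCI reader: returns the 'config rule' sections in file order."""
    rules, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            cur = {} if key == "rule" else None
            if cur is not None:
                rules.append(cur)
        elif cur is not None:
            cur.setdefault(key, []).append(val)
    return rules

def first_match(rules, pkt):
    """Return (rule name, target) that decides a forwarded packet.
    Assumption (from the answer): src='*' rules are tested before zone rules."""
    ordered = sorted(rules, key=lambda r: r["src"][0] != "*")  # stable sort
    for r in ordered:
        src, dest = r["src"][0], r.get("dest", ["*"])[0]
        macs = [m.lower() for m in r.get("src_mac", [])]
        if src in ("*", pkt["src"]) and dest in ("*", pkt["dest"]) \
                and (not macs or pkt["mac"].lower() in macs):
            return r["name"][0], r["target"][0]
    return None, "ACCEPT"  # no rule hit: the lan->wan forwarding accepts

if __name__ == "__main__":
    client1 = {"src": "lan", "mac": "11:22:33:44:55:66", "dest": "wan"}
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, first_match(parse_rules(cfg), client1))
```

With the original rules the model reports BLOCK_ALL/REJECT for Client1, matching the symptom; with both rules on 'lan' it reports ALLOW_Client1/ACCEPT and still rejects any other MAC.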

You are a > * < !
Such a small character, such a big effect :slight_smile:
Thanks so much, would likely never have found that.
Went for the explicit 'lan' in both rules now, but with '*' it also worked as you say.

