Variable in Block MAC Address

  1. To block a specific OUI
  2. Use a wildcard character for the MAC address allow list?
    Example - Allow all except - F8:10:93:::**
  3. For example A3:2X:BC where X can be anything
  4. A3:Y4:E2 where Y can be e, 2, A, c


  • On wireless?
  • On firewall?
  • Etc.?

Neither iptables nor nftables (firewall), nor hostapd (wireless MAC lists) supports wildcard matching, which makes this feature request unimplementable.


Did you try with arptables? Or the idea is to have it in the web interface?

This is from the man page:

-z, --source-hw [!] hwaddr[mask]
Specify the source hardware (MAC) address of the packet. hwaddr (and mask, if specified) must consist of one or more 8-bit hexadecimal numbers, separated by ':' characters. If the mask is not specified, it defaults to a number of 0xff octets equal to the length of the hwaddr specified, then 0s. The flags --source-mac, --src-hw, and --src-mac are aliases for this option.

The same is applicable to arptables-nft as well.
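To make the man-page wording concrete, here is a small worked example (added to this thread; it is not code from the poster above or from the arptables project). It implements the hwaddr/mask comparison the quoted text describes, including the default-mask rule, and then checks which of the wildcard patterns from the original request can be expressed as a single hwaddr/mask pair. The slash separator is the arptables command-line form as I know it; the sample MAC addresses are constructed for the demonstration.

```python
"""arptables-style MAC matching: packet_mac & mask == hwaddr & mask.

Added example, not from the original post or the arptables project.
Sample MACs are constructed; the '/' separator follows arptables' CLI form.
"""
from typing import List, Optional, Sequence, Tuple

Rule = Tuple[str, Optional[str]]  # (hwaddr, mask or None for the default mask)


def parse_mac(text: str) -> bytes:
    """Parse 'aa:bb:cc' (1 to 6 colon-separated hex octets) into bytes."""
    octets = text.split(":")
    if not 1 <= len(octets) <= 6:
        raise ValueError(f"bad MAC or prefix: {text!r}")
    return bytes(int(o, 16) for o in octets)


def pad(addr: bytes) -> bytes:
    """Right-pad to 6 octets with zeros (assumption: short masks behave like short hwaddrs)."""
    return addr + b"\x00" * (6 - len(addr))


def default_mask(hwaddr: bytes) -> bytes:
    """Man-page default: 0xff for every octet actually given, then 0x00."""
    return b"\xff" * len(hwaddr) + b"\x00" * (6 - len(hwaddr))


def matches(packet_mac: str, hwaddr: str, mask: Optional[str] = None) -> bool:
    """True when packet_mac falls under hwaddr/mask, as --source-hw would match it."""
    p = parse_mac(packet_mac)
    if len(p) != 6:
        raise ValueError(f"packet MAC must have 6 octets: {packet_mac!r}")
    h_raw = parse_mac(hwaddr)
    h = pad(h_raw)
    m = pad(parse_mac(mask)) if mask else default_mask(h_raw)
    return all((pb & mb) == (hb & mb) for pb, hb, mb in zip(p, h, m))


def wildcard_to_rule(pattern: str) -> Optional[Rule]:
    """Turn a pattern like 'A3:2X:BC' or 'F8:10:93:*:*:*' into an hwaddr/mask pair.

    A mask can only say 'ignore these bits'; 'X' (any hex digit) and '*' (any
    octet) map onto cleared mask bits.  A choice such as 'Y in {e,2,A,c}' is
    not a contiguous bit pattern, so None is returned for it.
    """
    addr: List[int] = []
    mask: List[int] = []
    for octet in pattern.upper().split(":"):
        if octet in ("*", "**", "XX"):
            addr.append(0)
            mask.append(0)
            continue
        if len(octet) != 2:
            return None
        a = m = 0
        for nibble in octet:
            a <<= 4
            m <<= 4
            if nibble == "X":
                continue            # wildcard nibble: mask bits stay 0
            if nibble not in "0123456789ABCDEF":
                return None         # e.g. 'Y': not expressible with a mask
            a |= int(nibble, 16)
            m |= 0xF
        addr.append(a)
        mask.append(m)
    addr += [0] * (6 - len(addr))   # pad to 6 octets so the mask is explicit
    mask += [0] * (6 - len(mask))
    fmt = lambda bs: ":".join(f"{b:02x}" for b in bs)
    return fmt(addr), fmt(mask)


def blocked_by(macs: Sequence[str], rules: Sequence[Rule]) -> List[str]:
    """'Allow all except' semantics: return the MACs that hit any rule."""
    return [mac for mac in macs if any(matches(mac, hw, mk) for hw, mk in rules)]


# Constructed sample traffic and the two rules from the request that a mask can express.
SAMPLE_MACS = ["f8:10:93:01:02:03", "a3:2f:bc:aa:bb:cc",
               "a3:3f:bc:aa:bb:cc", "00:11:22:33:44:55"]
RULES: List[Rule] = [("f8:10:93", None), wildcard_to_rule("A3:2X:BC")]

if __name__ == "__main__":
    for hw, mk in RULES:
        print(f"arptables --source-hw {hw}/{mk or 'default'}")
    print("blocked:", blocked_by(SAMPLE_MACS, RULES))
    print("A3:Y4:E2 expressible as a mask:", wildcard_to_rule("A3:Y4:E2") is not None)
```

The third pattern from the request (Y in {e, 2, A, c}) comes back as not expressible: it would need four separate rules rather than one mask, which is the practical limit of what a hwaddr/mask match can do.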

nvladimirov's reply above looks very promising.

Since you specifically mentioned blocking by OUI though, are you looking for a NAC-type solution such as what Cisco / ISE offers (the ability to profile based on OUI and categorize as "Nortel Device", etc.)? If you are actually looking for a NAC-type solution, PacketFence is a free / open source option you could integrate on a separate system.

If all you want to do is block a few OUI ranges though, maybe another option would be to request this as an enhancement to the existing BanIP package. BanIP (maintained by dibdot) is already designed to block ranges of IPs and has the ability to block a manual list of specific MAC addresses. Perhaps it could be modified to use MAC ranges also.
For more info:
