VLAN assignment based on client mac address possible?

My cable provider's IPTV box requests (via DHCP) an IP address with 2 separate mac addresses. When using the ISP's combo DOCSIS modem/router device, one of the mac addresses gets an external (WAN) address, and the other an internal (LAN) address.

I'm using their plain modem instead, with my own router, and am trying to find a way to emulate this behavior. Up until now I've simply attached the IPTV box to a LAN port bridged with the WAN port.

What I'm looking for is a way to have my router assign a VLAN based on the mac address of the client. That would enable me to also provision an internal address.

Thanks for any pointers.

Maybe it can be done with openvswitch. I'm new to openvswitch and have only used it a little, but it seems you can write advanced rules.
Unfortunately openvswitch cannot work. I'm not trying to work with virtual networks, but with a real one. I think then my only hope may lie in an experiment with EAPoL and FreeRadius with mac authentication bypass.

You don't want to use MAC address, as that requires that untrusted traffic is already within your LAN before you can make a decision/take action.

If the IPTV box was already using multiple VLANs over the same port, that suggests it is using 802.1Q headers to identify which traffic belongs to which VLAN.

You should be able to configure that additional VLAN to accept tagged traffic on whichever port connects the IPTV to the router.
In LuCI that would be under Network->Switch.

You may need to sniff the network traffic from the IPTV to identify which VLAN ID/number it is using; this would need to match your WAN VLAN for the IPTV to have seamless WAN connectivity.
You may be able to update your WAN VLAN ID; YMMV.

I didn't say the IPTV box was already using multiple VLANs. I don't think it is, but I'll have to sniff to confirm this. From information I've found online, it's simply using two MAC addresses on the same physical interface.

My original purpose was to tag packets from the IPTV box with a VLAN ID when they enter the router, based on which of those two MAC addresses the packets originate from. One VLAN for the WAN, and another one for the LAN.

I cannot find any way of using iptables or ebtables to inject a VLAN header.

If you could deliver the traffic from the IPTV box to two separate Ethernet ports, they could be configured with different native VLANs, and you could use per-port ebtables rules to deny the wrong MAC address's traffic for that VLAN.

Think I'm going to try a 5-port Mikrotik managed switch, which can tag VLAN based on MAC, and put that before the LEDE router.

Openvswitch doesn't support only virtual networks, but also physical ports.
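Since Open vSwitch can bind physical ports, the per-MAC VLAN assignment the original poster wanted can be expressed as OpenFlow rules on the router. The script below is an added example, not something from this thread or the OpenWrt/LEDE project; the bridge name, the port `eth1`, the two MAC addresses and the VLAN IDs are assumptions, and the commands are only printed unless `RUN=1` is set.

```shell
#!/bin/sh
# Added example: one physical port, two VLANs chosen by the client's source MAC.
# Frames from the IPTV box's WAN-side MAC get VLAN 10, from its LAN-side MAC
# VLAN 20, and every other MAC on that port is dropped. All names are assumed.
set -eu

BR=br-iptv                   # OVS bridge (assumed name)
IPTV_PORT=eth1               # physical port the IPTV box is cabled to (assumed)
WAN_MAC=aa:bb:cc:dd:ee:01    # placeholder for the box's WAN-side MAC
LAN_MAC=aa:bb:cc:dd:ee:02    # placeholder for the box's LAN-side MAC
WAN_VID=10
LAN_VID=20

# Flow text: a frame entering port $1 with source MAC $2 is tagged with
# VLAN $3 and then handed to the learning switch ("normal"), which only
# forwards it to ports that carry that VLAN.
mac_vlan_flow() {
    printf 'priority=100,in_port=%s,dl_src=%s,actions=mod_vlan_vid:%s,normal' "$1" "$2" "$3"
}

# Lower-priority catch-all for the same port: unknown MACs go nowhere.
default_drop_flow() {
    printf 'priority=10,in_port=%s,actions=drop' "$1"
}

# Echo commands by default; execute them only when RUN=1.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

configure() {
    run ovs-vsctl --may-exist add-br "$BR"
    run ovs-vsctl --may-exist add-port "$BR" "$IPTV_PORT"
    # Internal access ports: the kernel sees each VLAN as an untagged interface.
    # vlan10 can be bridged to the WAN side, vlan20 gets a LAN address and DHCP.
    run ovs-vsctl --may-exist add-port "$BR" "vlan$WAN_VID" "tag=$WAN_VID" \
        -- set interface "vlan$WAN_VID" type=internal
    run ovs-vsctl --may-exist add-port "$BR" "vlan$LAN_VID" "tag=$LAN_VID" \
        -- set interface "vlan$LAN_VID" type=internal
    run ovs-ofctl add-flow "$BR" "$(mac_vlan_flow "$IPTV_PORT" "$WAN_MAC" "$WAN_VID")"
    run ovs-ofctl add-flow "$BR" "$(mac_vlan_flow "$IPTV_PORT" "$LAN_MAC" "$LAN_VID")"
    run ovs-ofctl add-flow "$BR" "$(default_drop_flow "$IPTV_PORT")"
}

configure
```

Return traffic from the two internal ports still matches the bridge's default `priority=0,actions=normal` flow, so only the IPTV port is constrained. Because the source MAC is the only thing keeping the two VLANs apart, the drop rule is what stops any third device on that port from reaching either side.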