WiFi repeater firewall/internet access

Hi,

I've an OpenWRT Router as my "Main-Router". I also have a WiFi-Extender (GL.iNet, with OpenWrt) which is operating in "Extender" mode and acts as a repeater for my Smarthome WiFi.

This Smarthome WiFi is in an extra VLAN, where Internet is blocked. But for some devices (within this network) I want to allow Internet access. When a device is connected to the Main-Router, it is no problem. I just create a firewall rule which allows the device (MAC address) access to the internet. But when a device is connected to the WiFi repeater/extender, the Main-Router doesn't see the device's MAC address but the MAC and IP address from the repeater. So I need to give the whole repeater internet access. But I don't want this.

Is it possible that I can grant internet access only to a specific device within the repeater network? How can I do this?

I hope my explanation was understandable.

Is there a DHCP running on the repeater?

Apparently the repeater is not exactly a repeater, which should be in bridge mode, but a wifi client in routed mode.
Either you will bridge it, or you'll apply the access controls on the wifi-extender and allow everything on the main. Otherwise you can disable nat on the repeater and apply access controls on the IP of the smartphone.

Ah, this was wrong information. On the Main-Router I see the IP address of the device. But I can't grant access via a Firewall rule... hmmm..

I think your idea of granting access on the repeater may be a good idea. On the repeater DHCP is not enabled, because the Main-Router gives the IP addresses to the clients.

Please run the following commands on main (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Which device has to have internet access?
Which rule did you apply and doesn't work?