Posted: Wed Feb 03, 2021 19:47 Post subject: Feature request: Whitelist for MAC addresses
You can block individual MAC addresses under Access Restrictions, but many newer cell phones can also generate a random MAC address so blocking a single MAC address no longer works. Here it would be desirable to be able to create a whitelist that contains all MAC addresses except the saved ones.
This feature is already present. There are 2 options, allow only these MAC addresses and deny only these MAC addresses.
That is wireless,
Otherwise use iptables rules to
Code:
insmod ipt_mac
iptables -N CMACFILTER
#drop link local
iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP
iptables -A CMACFILTER -m mac --mac-source (MAC_ADDRESS) -j RETURN
iptables -A CMACFILTER -j DROP
iptables -I FORWARD 1 -i `nvram get lan_ifname` -j CMACFILTER
iptables -I INPUT 1 -i `nvram get lan_ifname` -j CMACFILTER
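As an added example, not part of any post in this thread: a small shell helper that builds the same CMACFILTER allowlist from a list of MACs and prints the commands for review instead of applying them. It rejects malformed entries and warns when an entry has the locally administered bit set, which is what the randomized MACs mentioned in the first post use. The function names, the sample MACs and the `br0` interface name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit the CMACFILTER allowlist rules
# for a list of MACs, printing them for review instead of applying them.

# Constructed sample allowlist (fixed MAC, randomized-style MAC, malformed entry).
SAMPLE_MACS="00:11:22:33:44:55 a6:5e:60:01:02:03 00:11:22:33:44"

# is_valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# is_random_mac MAC -> exit 0 if the locally administered bit is set
# (second hex digit 2, 6, A or E), as it is for randomized MACs.
is_random_mac() {
    case "$1" in
        ?[26AaEe]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_rules LAN_IF MAC... -> iptables commands on stdout, warnings on
# stderr; returns 1 if any entry was rejected as malformed.
gen_rules() {
    lan_if=$1; shift
    rc=0
    echo "iptables -N CMACFILTER"
    echo "iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP"
    for mac in "$@"; do
        if ! is_valid_mac "$mac"; then
            echo "skip: malformed MAC '$mac'" >&2; rc=1; continue
        fi
        if is_random_mac "$mac"; then
            echo "warn: $mac looks randomized; entry breaks when it rotates" >&2
        fi
        echo "iptables -A CMACFILTER -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -A CMACFILTER -j DROP"
    echo "iptables -I FORWARD 1 -i $lan_if -j CMACFILTER"
    echo "iptables -I INPUT 1 -i $lan_if -j CMACFILTER"
    return $rc
}

# Demo on the constructed list; br0 is an assumed LAN interface name.
gen_rules br0 $SAMPLE_MACS || true
```

A device flagged by the warning needs MAC randomization turned off for this network before its entry can be relied on.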
Joined: 14 Oct 2006 Posts: 296 Location: Sector 001
Posted: Tue Feb 23, 2021 2:27 Post subject:
Is Access Restrictions working now?
I'm presently on build 08/02/2020 and it's very hit or miss working. I have 2 MAC addresses set to stop connecting to the internet after a specific time and sometimes it works but most of the time it does not.
I have also added the Firewall rule stated in the thread.
Posted: Tue Feb 23, 2021 5:02 Post subject:
Ha, didn't know that bagel was so popular.
Yeah, I already have the rule split up to deny internet access from 20:05 - 23:59
Then another rule with the same deny MAC list from 00:01 - 05:00
Just a quick look around as you suggested looks like the culprit is the Shortcut Forwarding Engine. Disabling should clear it up but at a price of worse throughput from the looks of it.
Posted: Tue Feb 23, 2021 14:34 Post subject:
kernel-panic69 wrote:
This would mean that 44772 or higher should be used for access restrictions to work properly.
Oh sweet! Now I finally have a motivation to update the router!
Thanks!
Update: Now it's all coming back to me. I'm on the stable 44048 build and I see that the Apple device disconnects still has not been resolved yet. <sigh> Guess I'll have to just live with non-working AR for now.