I wish to set up a guest, untrusted and private network.
I have a WireGuard, LAN, WLAN and guest WLAN.
If possible I would like to have the possibility to only have access to my private network if you are in a whitelist with your MAC address. If you are not in it, you have to be located in the untrusted network. I should be able to connect from the private network to the devices in the untrusted network. Untrusted network devices should have access to each other. Guest users get their own WLAN, but if a guest plugs into the LAN they should also only have Internet without any other access.
How could I set up such a network?
I’d like to note that it’s possible to fake the MAC address on many systems and HW cards.
But I thought about this already:
I would set up a default pool of IP addresses in the guest network, and only trusted MAC addresses would get a static IP in the main network.
Haven’t tried this yet.
I don’t try to avoid people that are able to fake a MAC. I try to handle devices like TVs or guest devices.
Have you tried what I proposed above?
- set up an untrusted network
- configure DHCP for default clients in the untrusted network
- configure static IPs in the private network for trusted hosts
That’s my current configuration. But I wish to change that to a Whitelist.
Prerequisites:
- instil the if (MAC) then (subnet) logic with a hotplug script
- assign (be it manually or scripted) multiple subnets to any potential interface such logic should apply to
For the latter, netifd does not seem to support a multiple-subnets-on-the-same-interface configuration, thus it would require some more scripting for such a configuration to survive a power cycle.
Next you would need to reorganise the firewall since its rule-sets are mostly based on interfaces (instead of subnets).
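One way to script the "if (MAC) then (subnet)" logic from the post above, written as an added example and not code from this thread or from OpenWrt: it checks a DHCP client's MAC against a whitelist file and, when run from OpenWrt's dhcp hotplug directory, logs whether the lease the client received is consistent with that verdict. The whitelist path, the sample MACs and the 192.168.1.0/24 private subnet are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): classify DHCP clients by MAC against a
# whitelist, in the style of an OpenWrt /etc/hotplug.d/dhcp/ script.
# As noted in the thread, a MAC can be faked: this sorts TVs and guests, it is
# not a security boundary on its own.

# Constructed sample whitelist; on a router point WHITELIST at a real file
# (e.g. the hypothetical /etc/trusted-macs). Any case/separator, '#' comments.
WHITELIST="$(mktemp)"
trap 'rm -f "$WHITELIST"' EXIT
cat > "$WHITELIST" <<'EOF'
# trusted devices, one MAC per line
AA:BB:CC:DD:EE:01   # laptop
aa-bb-cc-dd-ee-02   # phone
EOF
PRIVATE_PREFIX="192.168.1."    # constructed private subnet (assumption)

# normalize_mac STR -> 12 lowercase hex digits (separators and case dropped)
normalize_mac() {
  printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f'
}
# is_trusted MAC -> exit 0 if MAC is in WHITELIST, 1 otherwise
is_trusted() {
  mac=$(normalize_mac "$1")
  [ "${#mac}" -eq 12 ] || return 1
  sed 's/#.*//' "$WHITELIST" | tr 'A-F' 'a-f' | tr -cd '0-9a-f\n' | grep -qx "$mac"
}
# classify_mac MAC -> prints "private" or "untrusted"
classify_mac() {
  if is_trusted "$1"; then echo private; else echo untrusted; fi
}
# lease_ok MAC IP -> 1 when an untrusted MAC holds an address in the private
# subnet (a misconfiguration or a spoofing attempt worth logging), else 0
lease_ok() {
  [ "$(classify_mac "$1")" = private ] && return 0
  case "$2" in
    "$PRIVATE_PREFIX"*) return 1 ;;
  esac
  return 0
}

# OpenWrt's dnsmasq hotplug handler exports ACTION, MACADDR, IPADDR and
# HOSTNAME; log the verdict in that case. Stand-alone runs skip this block.
if [ -n "$ACTION" ] && [ -n "$MACADDR" ]; then
  case "$ACTION" in
    add|update)
      verdict=$(classify_mac "$MACADDR")
      lease_ok "$MACADDR" "$IPADDR" || verdict="$verdict (VIOLATION)"
      logger -t mac-whitelist "$MACADDR ${HOSTNAME:-?} $IPADDR: $verdict" ;;
  esac
fi
```

The lease check is the detection half: a device that is not on the whitelist but shows up with a private-subnet address is exactly the case a MAC whitelist alone cannot prevent, so it is worth a log line.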
I had the hope that I would get a LuCI web page where I could see all devices and could set them as allowed by a click.
My problem at the moment: it seems I need training in network configuration. I know some basics about networking, but I'm not able to understand it well enough to totally reconfigure my router.
E.g. to get my router working as I wished with a working WireGuard VPN, I played around for a week and reset my router two times. At the moment, I do not have the time to play around again.
Thanks for your help.