Simple way to disable all wifi devices except for 2 exact MAC addresses

Hello. Is there a simple way to disable all wifi devices except for 2 exact MAC addresses?
So that I can disable all wifi traffic (the children's) except for the two parents' devices.
Because of possible floating MAC addresses (one device can have more MAC addresses per day) I can't filter traffic by MAC address.

Is there any simple way to disable all wifi devices?
And is there any simple way to enable the two exceptions from the list?

I'm looking into LuCI, but there is no easy way… And above all, a deny-all-devices rule is very dangerous (if I make an error, this rule can cut off my own access :frowning: )

thx for help

Normal + guest WiFi? Filtering by a different password seems much better to me than by MAC address. AFAIK devices can choose their MAC arbitrarily, e.g. I suspect that slightly more capable children will learn to clone their parents' MAC.

1 Like

Why not set up a dedicated Wi-Fi SSID for your children? Then you won't have to use ineffective MAC filtering, but can simply turn it on or off.

1 Like

Thank you for your replies, but both solutions have problems.

a) Cloning the parent's MAC address is possible if the children know that that's a way… and getting the parent's MAC is a little problem. And a detectable problem: I'm not online, but something else is… with my MAC.

b) I sometimes need to enable access for one, but not for the others. (When enabling the hosts' wifi, it's enabled for all.)

c) Extended firewall rules have time settings… it's possible to set enabling only between 18 and 20 hours (for example). I can't always think about enabling and disabling.

Changing the password

1 Like

Good joke :slight_smile:
Any easy way to set up the firewall?

I think that doesn't exist, and I must start experimenting with it?

What are the options?

1 - Change wifi password.
2 - Fixed IP

Before this step, you must first log your phone into the wifi SSID and then set your phone (tablet) so that it does not use a random MAC, but the device MAC.

(If the phone logs on to another wifi network it will still use a random MAC address; the default MAC will be used in your home wifi.)

In the next step … reduce the range of DHCP max leases so that the router does not assign any IP without a defined MAC:
  • DHCP start 192.168.2.101
  • DHCP max leases = 3

The number of static leases equals max leases:

Pixel4a-Jarda   58:24:29:68:xx:xx - 192.168.2.101
Kaon-102        90:F8:91:9F:xx:xx - 192.168.2.102
Pixel4a-Jirina  58:24:29:68:xx:xx - 192.168.2.103

MAC cloning is possible, but it is not so trivial.

3 - Modify the firewall rules in LuCI (iptables), but I have no idea how else to identify the children's devices … I'm not an expert on firewalls.

Thx… But that's no solution. As I wrote previously, I sometimes need to enable and sometimes disable access. It's so hard to keep increasing/decreasing the DHCP range, changing wifi passwords etc…

I thought about best practices in LuCI rules for making this request.
Something like this.

  1. In LuCI go to Network → Firewall
  2. Go to Traffic Rules
  3. Add new rule
     • source interface - any
     • destination interface - wlan0 (wifi SSID)


  25. Add new rule
     • disable all other traffic…

:slight_smile:

I know that these steps need to be done, but I'm not sure exactly how. Does someone have similar rules?

In "stupid" routers this is done with two mouse clicks. In LuCI it's a problem. One bad step and access to the router goes to hell.

Don't waste time reinventing the wheel if someone has already invented it.

I think you can do that by appending iptables rules + ipset. Then add the needed MACs to the ipset hash set. Why ipset? Because you can easily add/remove entries without altering the iptables rules.

https://ipset.netfilter.org/ipset.man.html

Checking if the module is available:
From my TO2020, TOS 5.3.9

root@turris:~# modinfo ip_set_hash_mac
module:		/lib/modules/4.14.277/ip_set_hash_mac.ko
alias:		ip_set_hash:mac
license:	GPL
depends:	ip_set

Sample:

Create a mac hash set and add some MACs to the set:

ipset create -exist customAllowedMacs hash:mac maxelem 4294967295
ipset add customAllowedMacs XX:XX:XX:XX:XX:XX
ipset add customAllowedMacs YY:YY:YY:YY:YY:YY

The above lines can be added to the user rules script (manually or from LuCI) so they are brought up during boot.
MACs can be added to/removed from the set (command line) at any time without requiring a firewall restart/reboot, or they can be appended in the user rules script.


Firewall rules can be something like below (the if block checks whether the rules were already added).
So they can be added to the custom user rules script (manually or from LuCI) and survive firewall restart and reboot. Additionally I appended a logging option:

# Logging + drop chain, created once
if ! iptables -S | grep -qF -- "-N input_log_and_drop"; then
    iptables -N input_log_and_drop
    iptables -A input_log_and_drop -m limit --limit 5/m --limit-burst 10 -j LOG
    iptables -A input_log_and_drop -j DROP
fi

# LAN input: allowed source MACs leave the chain (RETURN), everything else is logged and dropped
if ! iptables -S | grep -qF -- "-A input_lan_rule -m set --match-set customAllowedMacs src -j RETURN"; then
    iptables -A input_lan_rule -m set --match-set customAllowedMacs src -j RETURN
    iptables -A input_lan_rule -j input_log_and_drop
fi

You may also need to add the same rules for the guest network; just copy the 2nd block (the logging chain is generic) and replace "input_lan_rule" with the guest one.


Regarding disabling/enabling, you need to create 2 scripts and add them to cron.

For disabling, which basically removes the rules:

#!/bin/sh
# Delete the drop jump first, then the RETURN rule: the other way round the chain
# would briefly contain only "drop everything" and cut the allowed devices too.
if iptables -S | grep -qF -- "-A input_lan_rule -m set --match-set customAllowedMacs src -j RETURN"; then
    iptables -D input_lan_rule -j input_log_and_drop
    iptables -D input_lan_rule -m set --match-set customAllowedMacs src -j RETURN
fi

For enabling them back:

#!/bin/sh
# Re-add the pair of rules only if they are not already present
if ! iptables -S | grep -qF -- "-A input_lan_rule -m set --match-set customAllowedMacs src -j RETURN"; then
    iptables -A input_lan_rule -m set --match-set customAllowedMacs src -j RETURN
    iptables -A input_lan_rule -j input_log_and_drop
fi

Edit: Updated

3 Likes
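The ipset + iptables approach and the two cron scripts above can be folded into one idempotent script with on/off/status commands. The following is an added example, not code from the thread or from Turris OS. It assumes the firewall3 chain names input_lan_rule and forwarding_lan_rule (the forwarding chain is an assumption added here so that routed internet traffic is covered as well, not only traffic to the router itself), that ipset and the ip_set_hash_mac module are available, and uses placeholder MACs. Setting DRY_RUN=1 prints every command instead of executing it, so the exact rules can be reviewed before they touch a live router, which addresses the fear of locking yourself out.

```shell
#!/bin/sh
# Added example (not from the thread): one idempotent script implementing the
# ipset + iptables allow-list as "on", "off" and "status" commands.
# Assumptions: firewall3 chain names below, ipset + ip_set_hash_mac present.
# DRY_RUN=1 echoes every command instead of running it.

SET_NAME="customAllowedMacs"
LOG_CHAIN="input_log_and_drop"
# input_* guards the router itself (DNS, LuCI, SSH); forwarding_* guards
# traffic routed to the internet. Assumption: firewall3 uses these names.
CHAINS="${CHAINS:-input_lan_rule forwarding_lan_rule}"
# Parents' devices; placeholders, replace with the real MACs
ALLOWED_MACS="${ALLOWED_MACS:-XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    # Execute a command, or only echo it when DRY_RUN=1
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

rule_exists() {
    # Ask iptables directly (-C chain rule-spec) instead of grepping -S output.
    # In dry-run mode every check reports "absent" so all commands get listed.
    [ "$DRY_RUN" = "1" ] && return 1
    iptables -C "$@" 2>/dev/null
}

chain_exists() {
    [ "$DRY_RUN" = "1" ] && return 1
    iptables -nL "$1" >/dev/null 2>&1
}

ensure_set() {
    # -exist makes both create and add idempotent
    run ipset create -exist "$SET_NAME" hash:mac
    for mac in $ALLOWED_MACS; do
        run ipset add -exist "$SET_NAME" "$mac"
    done
}

ensure_log_chain() {
    chain_exists "$LOG_CHAIN" && return 0
    run iptables -N "$LOG_CHAIN"
    run iptables -A "$LOG_CHAIN" -m limit --limit 5/m --limit-burst 10 \
        -j LOG --log-prefix "kidswifi-drop: "
    run iptables -A "$LOG_CHAIN" -j DROP
}

add_rules() {
    # Allow-listed source MACs leave the chain early (RETURN, inserted at the
    # top so no earlier rule can shadow it); everyone else is logged and dropped.
    for chain in $CHAINS; do
        rule_exists "$chain" -m set --match-set "$SET_NAME" src -j RETURN ||
            run iptables -I "$chain" 1 -m set --match-set "$SET_NAME" src -j RETURN
        rule_exists "$chain" -j "$LOG_CHAIN" ||
            run iptables -A "$chain" -j "$LOG_CHAIN"
    done
}

remove_rules() {
    # Delete the drop jump before the RETURN rule, so the chain never sits in
    # a "drop everything" state in between. -D of an absent rule is harmless.
    for chain in $CHAINS; do
        run iptables -D "$chain" -j "$LOG_CHAIN" 2>/dev/null || true
        run iptables -D "$chain" -m set --match-set "$SET_NAME" src -j RETURN 2>/dev/null || true
    done
}

show_status() {
    for chain in $CHAINS; do
        if rule_exists "$chain" -j "$LOG_CHAIN"; then
            echo "$chain: restricted to MACs in $SET_NAME"
        else
            echo "$chain: open"
        fi
    done
}

kidswifi() {
    case "$1" in
        on)     ensure_set; ensure_log_chain; add_rules ;;
        off)    remove_rules ;;
        status) show_status ;;
        *)      echo "usage: kidswifi.sh on|off|status" >&2; return 2 ;;
    esac
}

# Dispatch only when run as a script (e.g. from cron), not when sourced
case "${0##*/}" in kidswifi.sh) kidswifi "$@" ;; esac
```

Save it as /root/kidswifi.sh, run `DRY_RUN=1 sh /root/kidswifi.sh on` first to read the rules it would install and confirm your own devices are in ALLOWED_MACS, then call `/root/kidswifi.sh on` from the custom user rules script so the restriction survives a firewall restart, and schedule `/root/kidswifi.sh off` and `on` from cron for the time window you want. Because matching is done on the source MAC in the firewall, the DHCP range and wifi password never need to change, and membership of the set can still be edited with plain `ipset add`/`ipset del` while the rules stay in place.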