10918 questions

13009 answers


27018 members

+1 vote
702 views 1 comments
I aim to exclude a set of devices from having access to the mobile WAN connection in case there is a failover. I thought easiest was to create a VLAN for these devices and prevent that VLAN from access to mobile WAN. Unfortunately, the WAN zone includes all wan connections and I don't know if I can create a zone for a specific connection - or how to achieve this otherwise. Any thoughts?

1 Answer

+1 vote


The best and simplest solution for you would be to use iptables.

Entering custom iptables rules at Network-> Firewall-> Custom Rules

iptables -A INPUT -i interface -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
iptables -A OUTPUT -i interface -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

*interface - the failover interface you keen on using.
*--mac-source - the MAC address of device you want not to be connecting in the event of failover.


Hi, thanks for the response. This does not seem to work. The second rule is not allowed: OUTPUT does not work with -i and not with MAC addresses  ("Remember that MAC addresses do not cross router borders (or network segments). Also remember that only source addresses can be specified. The mac extension can be used only on an in-interface, such as the INPUT, PREROUTING, and FORWARD chains."), and the first rule has the issue that input interface I want to specify is the wwan0 side and not the lan side that's required for MAC.

Anyways, it seems that using ip-adresses it works. Since I am not protecting against a rogue agent and only limit data usage, I am not too worried about one of my devices changing its assigned fixed DHCP address.

thanks for pointing me in the right direction, I think it works.

current iptables custom rules:

iptables -A FORWARD -i wwan0 -o br-lan -d -j DROP
iptables -A FORWARD -i br-lan -o wwan0 -s -j DROP

the latter one may be replace with a MAC-based forward rule I guess