Hi, thanks for the response. This does not seem to work. The second rule is not allowed: OUTPUT does not work with -i and not with MAC addresses ("Remember that MAC addresses do not cross router borders (or network segments). Also remember that only source addresses can be specified. The mac extension can be used only on an in-interface, such as the INPUT, PREROUTING, and FORWARD chains."), and the first rule has the issue that input interface I want to specify is the wwan0 side and not the lan side that's required for MAC.
Anyways, it seems that using IP addresses it works. Since I am not protecting against a rogue agent and only limit data usage, I am not too worried about one of my devices changing its assigned fixed DHCP address.
thanks for pointing me in the right direction, I think it works.
current iptables custom rules:
iptables -A FORWARD -i wwan0 -o br-lan -d 10.0.100.2 -j DROP
iptables -A FORWARD -i br-lan -o wwan0 -s 10.0.100.2 -j DROP
the latter one may be replaced with a MAC-based forward rule I guess
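As an added example (not the poster's own script), here is a small POSIX shell helper that builds the two rules from the post plus the MAC-based variant of the second one, and appends them idempotently (checking with `iptables -C` first). It assumes the interfaces wwan0 and br-lan and the host 10.0.100.2 from the post, and uses the placeholder MAC 00:11:22:33:44:55; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed example, not from the original post.
WAN_IF="wwan0"
LAN_IF="br-lan"
HOST_IP="10.0.100.2"
HOST_MAC="00:11:22:33:44:55"   # placeholder, replace with the device's real MAC

# Rule 1: drop traffic entering from the uplink that is addressed to the host.
rule_inbound() {
    printf 'FORWARD -i %s -o %s -d %s -j DROP' "$WAN_IF" "$LAN_IF" "$HOST_IP"
}

# Rule 2a: drop traffic from the host leaving via the uplink, matched by IP.
rule_outbound_ip() {
    printf 'FORWARD -i %s -o %s -s %s -j DROP' "$LAN_IF" "$WAN_IF" "$HOST_IP"
}

# Rule 2b: same direction, matched by source MAC instead. This is legal because
# the packet enters on br-lan (an in-interface); the mac match cannot be used
# for the wwan0 -> br-lan direction, so rule 1 has to stay IP-based.
rule_outbound_mac() {
    printf 'FORWARD -i %s -o %s -m mac --mac-source %s -j DROP' \
        "$LAN_IF" "$WAN_IF" "$HOST_MAC"
}

# Append a rule only if it is not already present (iptables -C checks for it).
apply_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -A $1"
        return 0
    fi
    # shellcheck disable=SC2086  (word splitting of the rule spec is intended)
    iptables -C $1 2>/dev/null || iptables -A $1
}

# Install the pair; LIMIT_BY=mac selects the MAC-based outbound rule.
apply_all() {
    apply_rule "$(rule_inbound)"
    if [ "${LIMIT_BY:-ip}" = "mac" ]; then
        apply_rule "$(rule_outbound_mac)"
    else
        apply_rule "$(rule_outbound_ip)"
    fi
}

# Run with: DRY_RUN=1 LIMIT_BY=mac sh limit_host.sh --run
if [ "$1" = "--run" ]; then
    apply_all
fi
```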