+1 vote
769 views, 1 comment
by
I aim to exclude a set of devices from having access to the mobile WAN connection in case there is a failover. I thought easiest was to create a VLAN for these devices and prevent that VLAN from access to mobile WAN. Unfortunately, the WAN zone includes all wan connections and I don't know if I can create a zone for a specific connection - or how to achieve this otherwise. Any thoughts?

1 Answer

+1 vote
by anonymous

Hi,

The best and simplest solution for you would be to use iptables.

Enter custom iptables rules at Network -> Firewall -> Custom Rules:

iptables -A INPUT -i interface -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
iptables -A OUTPUT -i interface -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

*interface - the failover interface you are keen on using.
*--mac-source - the MAC address of the device you do not want connecting in the event of failover.

by

Hi, thanks for the response. This does not seem to work. The second rule is not allowed: OUTPUT does not work with -i or with MAC addresses ("Remember that MAC addresses do not cross router borders (or network segments). Also remember that only source addresses can be specified. The mac extension can be used only on an in-interface, such as the INPUT, PREROUTING, and FORWARD chains."), and the first rule has the issue that the input interface I want to specify is the wwan0 side and not the LAN side that is required for MAC matching.

Anyway, it seems that using IP addresses works. Since I am not protecting against a rogue agent and only limiting data usage, I am not too worried about one of my devices changing its assigned fixed DHCP address.

Thanks for pointing me in the right direction; I think it works.

Current iptables custom rules:

iptables -A FORWARD -i wwan0 -o br-lan -d 10.0.100.2 -j DROP
iptables -A FORWARD -i br-lan -o wwan0 -s 10.0.100.2 -j DROP

The latter one may be replaced with a MAC-based FORWARD rule, I guess.
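The FORWARD rules in the comment above, generalised into a re-runnable script, as an added example that is not from the original thread or from Teltonika. It goes one step beyond the posted rules: the LAN-to-WAN direction matches on the source MAC (the mac extension is valid in FORWARD because the packet enters on br-lan, so a host that changes its DHCP lease stays blocked), while the WAN-to-LAN direction keeps matching on the destination IP, since the MAC is not visible on the wwan0 side. It assumes the interface names wwan0 and br-lan from the thread; the host list is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): keep a fixed set of LAN hosts off the
# mobile WAN interface with FORWARD-chain DROP rules. Assumed interface names
# are taken from the thread (wwan0 = mobile failover, br-lan = LAN bridge);
# override them with WAN_IF / LAN_IF in the environment if yours differ.
WAN_IF="${WAN_IF:-wwan0}"
LAN_IF="${LAN_IF:-br-lan}"

# Constructed sample host list: one "ip mac" pair per line (not real devices).
BLOCKED_HOSTS="10.0.100.2 02:00:00:00:00:02
10.0.100.3 02:00:00:00:00:03"

# Print the two rule bodies (chain plus match, without the iptables verb) for one host.
# LAN -> WAN: match on source MAC, which survives a changed DHCP lease.
# WAN -> LAN: MACs do not cross the router, so match on the destination IP
# (stable enough when the host has a static DHCP lease, as in the thread).
host_rules() {
  ip="$1"; mac="$2"
  printf 'FORWARD -i %s -o %s -m mac --mac-source %s -j DROP\n' "$LAN_IF" "$WAN_IF" "$mac"
  printf 'FORWARD -i %s -o %s -d %s -j DROP\n' "$WAN_IF" "$LAN_IF" "$ip"
}

# Emit every rule body for every host in $BLOCKED_HOSTS, one per line.
build_rules() {
  printf '%s\n' "$BLOCKED_HOSTS" | while read -r ip mac; do
    [ -n "$ip" ] && [ -n "$mac" ] || continue
    host_rules "$ip" "$mac"
  done
}

# Number of rules the current host list produces (sanity check before applying).
rule_count() {
  build_rules | wc -l | tr -d ' '
}

# Insert each rule at the top of FORWARD only if it is not already present
# (iptables -C exits non-zero when the rule is missing), so the script can be
# pasted into Network -> Firewall -> Custom Rules and re-run on every boot
# without piling up duplicate rules.
apply_rules() {
  build_rules | while read -r rule; do
    # $rule is intentionally unquoted: it must expand to separate arguments.
    # shellcheck disable=SC2086
    iptables -C $rule 2>/dev/null || iptables -I $rule
  done
}

# Run with --apply to install the rules; with no argument just print them.
if [ "${1:-}" = "--apply" ]; then
  apply_rules
else
  build_rules
fi
```

Using -I rather than -A puts the DROP ahead of whatever forwarding ACCEPT the firewall already has in FORWARD, so the block takes effect regardless of where the custom-rules file is loaded in the chain order; the -C check is what keeps repeated runs from inserting the same rule twice. Run the script without arguments first to review the generated rules before applying them on the router.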