0 votes
1,557 views 8 comments
by anonymous
I found out how to set up MAC address filtering for WiFi using the following path in Advanced Mode:
Network > Wireless > WiFi Interface Configuration > General Setup > Mode: Access Point
Network > Wireless > WiFi Interface Configuration > MAC-Filter

Is it possible to do the same for devices connected to the RUTX50 over ethernet and if so what is the path to follow in the user interface?

David

1 Answer

0 votes
by anonymous

Hi,

If you want to restrict internet access to specific hosts in the LAN based on their MAC addresses, you can create a traffic rule in the Network -> Firewall -> Traffic rules:

  • In the ‘Add type’ field choose ‘Add new forward rule’.
  • Enter a name of your choice for this rule.
  • Choose LAN as the source zone.
  • Choose WAN as the destination zone.
  • Click ‘Add’.
  • In the source MAC address field, choose the MAC address of the host to restrict or you can enter a custom MAC address. Add a few hosts if you need to.
  • In the action field choose ‘Drop’.

You can change the destination zone from WAN to Device(input) if you want to restrict access to the device itself (WebUI, DHCP, and other services running on the router).

Kind Regards,

Andzej

by anonymous
Thanks Andzej,
I asked the question and then after some searching found that solution but could not really work out how to get the setup I wanted. I use a powerline system (ethernet through electricity system) and for some reason (even though the manufacturer of that powerline system says it's not possible) I have sometimes been connected to a neighbor's network through that system (so an unknown IP) or may have had unknown devices connected to our network in return.

So with the previous router I was using (Huawei from ISP) I enabled a MAC filtering allow list adding only known devices across all connection types. In the case of the RUTX50 I guess some kind of DHCP IP range restriction or something might suffice or how can it be set up so that only known devices can access the internet through LAN?

David
by anonymous
Hi,

If you want to allow only specific MAC addresses to be able to use your WAN, then you need to create two traffic rules.

First, create a traffic rule similar to the one I have previously described. But this time, select MAC addresses that should be allowed internet access and set the action to 'accept'.

Create another traffic rule to drop all packets from LAN to WAN. Make sure that the second rule is below the first rule in Network -> Firewall -> Traffic rules.

With these configurations, devices with your listed MAC addresses will match the first rule and will be allowed to access the internet. Packets from devices with MAC addresses that do not match the first rule will be compared against the next rule in the traffic rules, which is to deny all packets from LAN to WAN. The packets will match this rule and will be dropped.

When it comes to DHCP, you can limit the DHCP IP addresses and set up static leases in Network -> Interfaces -> Static leases. This will ensure that the devices with matching MAC addresses will receive their designated IP addresses. However, if all the DHCP IP addresses are leased, some of your other devices might not be able to get a lease.

Also, have you tried to change the IP address of your LAN network to see if it helps with your issue?

Kind Regards,

Andzej
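
The two-rule allow list described in the answer above, written as an OpenWrt-style UCI firewall fragment. This is an added example, not part of the original posts or Teltonika's own configuration; it assumes RutOS stores traffic rules in /etc/config/firewall with the default zone names `lan` and `wan`, and the rule names and MAC addresses are constructed placeholders.

```uci
# /etc/config/firewall (fragment) -- rules are evaluated top to bottom,
# so the ACCEPT rule must appear before the catch-all DROP rule.

# Rule 1: known devices may forward traffic from LAN to WAN.
config rule
	option name 'Allow-known-MACs-to-WAN'
	option src 'lan'
	option dest 'wan'
	# 'all' is set explicitly: without it a rule matches TCP and UDP only.
	option proto 'all'
	# Constructed placeholder addresses; one list entry per allowed device.
	list src_mac '02:00:00:AA:BB:01'
	list src_mac '02:00:00:AA:BB:02'
	option target 'ACCEPT'

# Rule 2: everything else coming from LAN and heading to WAN is dropped.
# No src_mac here, so it matches any device that did not match rule 1.
config rule
	option name 'Drop-unknown-LAN-to-WAN'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option target 'DROP'
```

Both rules have a source and a destination zone, which makes them forward rules; a device missing from the list can still reach the router itself unless a matching input rule is added as described in the first answer.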
by anonymous
Many thanks Andzej, the dual forward rules in the firewall appear to be working as suggested!

What's interesting is that the powerline devices have MAC addresses too of course but they don't expose them and they don't appear to require being added to the firewall rule. Whatever client connects to the network through them won't be connected until it is in the known MAC address range so no matter I guess.

And no I have not considered changing the IP address of the LAN network, did you mean changing the range away from 192.168.1.1-255?

Thanks again ;)

David
by anonymous

Hi, 

I was referring to changing the subnet IP, not the host IP address. For example, to 192.168.5.1/24. But since everything is working now, you can leave it as it is. It is good to know that the solution works for you. Thanks for letting me know.

Kind Regards,

Andzej

by anonymous

Hi Andzej,
Yes your solution works well.

I was also going to ask about port forwarding until I remembered that it requires the IP address from the ISP to be declared as public (which can be done by modifying the mobile APN, or at least with my ISP) and then the port forwarding worked seamlessly ;)

And in relation to the powerline device serving an IP from another network, and this is not really relevant for you, but I looked up what I had sent the manufacturer of the powerline adapters.

Basically my router at the time was a Huawei B715s with subnet 192.168.1.1-255 and I noticed that the ethernet connection through the powerline was serving 192.168.100.1-255 on a Huawei HG635 (pictured below), which belonged to a neighbor of ours. The manufacturer of the powerline system at the time told me this wasn't possible.

So then I began using MAC address filtering to prevent this from occurring, which is what the firewall traffic rules on the RUTX50 are now doing.

by anonymous
Hi,

Since you're sharing media with your neighbor, you can change the subnet on your device so that they don't connect to your router. You don't need to change your firewall rules for this. To do so, go to Network, then Interfaces, and select Edit LAN interface. Change the IP address to something like 192.168.5.1. Also, on that same page, adjust the DHCP server start and end IP to reflect your changes (for example, starting at 192.168.5.100 and ending at 192.168.5.249). Save the settings, and now your router will be accessible via 192.168.5.1 and not 192.168.1.1.

Kind Regards,

Andzej
by anonymous

Yes point taken. I was wondering about it, and created a rough image below. If I change the IP address to 192.168.5.1 then my PC would get an IP address within that range, as long as it connects to my router (which is now RUTX50).

But if my PC (and I am not sure why) somehow connects to my neighbor's router via a powerline connection over ethernet, then won't it just get an IP via DHCP from that network no matter what I set my own subnet to be?

by anonymous
Hi,

You might be right regarding the IP addresses. Never had these issues. You could disable DHCP on your router completely and set a static IP address on your PC. The default gateway on the PC would point to your router. Then, your router will not lease any IP addresses via DHCP.

I recommend learning more about your powerline adapter. Maybe there are some options/settings available to separate traffic. That would probably be the best option.

Also, I have sent you a private message.

Kind Regards,

Andzej