
Possible to lock a LAN MAC address to a single WAN IP?

Discussion in 'Tomato Firmware' started by jxf011, Dec 17, 2012.

  1. jxf011

    jxf011 Serious Server Member

  2. Bird333

    Bird333 Network Guru Member

    Something like iptables FORWARD -s lan computer ip address -d !specific wan address -j DROP
     
  3. mstombs

    mstombs Network Guru Member

  4. Monk E. Boy

    Monk E. Boy Network Guru Member

    If the DHCP lease "goes haywire" then the iptables is likely to "go haywire" at the same time, since both are part of the router's configuration. Just set up a static DHCP lease for the system, then base the rules around that lease. If you're particularly paranoid about that system getting another IP address, set up a static ARP binding of that MAC address to that IP address in the router so it can't work with any other IP address (it's just a checkbox in Tomato).
     
  5. jxf011

    jxf011 Serious Server Member

  6. mstombs

    mstombs Network Guru Member

    If it works it can't be wrong! But every packet that goes through your router gets all the checks, so there could be room for performance gains - if the router is the speed limiting device in your internet connection.
    A possible improvement would be to add your new rules to a new table and only check the mac address once in the forward chain.
    Also consider moving the check in the forward chain down to position 3, or into "wanout", so that invalid packets, or parts of existing RELATED, ESTABLISHED connections don't get re-checked.
     
  7. Bird333

    Bird333 Network Guru Member

    Question, is the logdrop target available in your version of Tomato? I didn't have it on the one I was using.
     
  8. mstombs

    mstombs Network Guru Member

    Isn't LOGDROP just a chain name for you to create?

    Code:
    # Create a LOGDROP chain to log and drop packets
    iptables -N LOGDROP
    iptables -A LOGDROP -j LOG
    iptables -A LOGDROP -j DROP
    Then there are ways to change the log priority and rate limits
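    Putting the thread's suggestions together (MAC matched once in its own chain, a single allowed WAN IP, a LOGDROP chain with a rate limit, and the entry rule inserted at position 3 of FORWARD) as an added example that is not from any poster in this thread. The MAC, the WAN IP, the LAN interface br0, the chain names and the FORWARD position are placeholders/assumptions; by default the script only prints the iptables commands, and APPLY=1 actually runs them.

```shell
#!/bin/sh
# Added example: lock one LAN host (by MAC) to a single WAN destination.
LAN_MAC="00:11:22:33:44:55"   # placeholder: MAC of the host to lock down
WAN_IP="203.0.113.10"         # placeholder: the only WAN address it may reach
LAN_IF="br0"                  # assumed: Tomato's LAN bridge interface

# Print each iptables command; execute it only when APPLY=1 (dry-run otherwise).
ipt() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# Build the rule set. The MAC is matched once, in the FORWARD entry rule;
# the per-host chain then only decides on the destination.
lock_host_rules() {
    # LOGDROP: log (rate limited so a chatty host cannot flood syslog), then drop.
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "LOCKDROP:" --log-level 4
    ipt -A LOGDROP -j DROP
    # LOCKHOST: let the single allowed WAN IP continue down FORWARD, drop the rest.
    ipt -N LOCKHOST
    ipt -A LOCKHOST -d "$WAN_IP" -j RETURN
    ipt -A LOCKHOST -j LOGDROP
    # Entry rule at position 3 (assumed to sit after the RELATED,ESTABLISHED accept),
    # so only NEW connections from this MAC are examined, not every packet.
    ipt -I FORWARD 3 -i "$LAN_IF" -m mac --mac-source "$LAN_MAC" -m state --state NEW -j LOCKHOST
}

lock_host_rules
```

Check the position with `iptables -L FORWARD --line-numbers` first, since the right insertion point depends on the rules your Tomato build already has in that chain.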
     
  9. jxf011

    jxf011 Serious Server Member
