Is there a way to filter MACs on the wired network ?

Discussion in 'DD-WRT Firmware' started by 4EverGreen, Jan 17, 2006.

  1. 4EverGreen

    4EverGreen Network Guru Member

    WRT54G v4 with DD-WRT v23 (25-12-2005).

    In the Web GUI we can setup a list of authorized MACs that can access the Wireless network, but we can't do the same for the wired network ...
    In the Access Restrictions tab we can deny access to the WAN to a pre-defined set of MACs ... but we have to know them first ....

    In my network I don't have any control of who might connect a Laptop or PC to the 4 port switch of the router.

    As I would like to make sure that only authorized users can access WAN from the WRT's switch, I'm looking for help to achieve this.

    I've been doing some reading about IPTABLES, but quite honestly I think my skills are not up to the task ......

    Is there anyone that can help me to setup some kind of authorized MAC's list to access WAN or the 4 port switch.

    Any help or guidance would be very much apreciated.
  2. Couledouce

    Couledouce Network Guru Member

  3. techmanblues

    techmanblues Network Guru Member

    Looks like a feature request for v24. :thumb:
  4. Mr_X

    Mr_X Network Guru Member

    use ebtables
  5. 4EverGreen

    4EverGreen Network Guru Member

    I guess you're right ! :thumb:

    I took a good look at and it seems that ebtables is exactly what i'm looking for ! :)

    But like I told in my previous post, I'm afraid my skills are rather short for this task ... :(

    I believe that we can easily create 'strange' routing behaviors when we start to play around with iptables/ebtables commands without knowing much about it ...

    On the other hand, I have the feeling that the solution can be acomplished with a few ebtables commands, and that it would be a piece of cake for some of this forums experts ... :D

    Nevertheless, I'm going to persue this issue on the Networking forum as I think this is not much firmware related ...

    I will then post the link.

    Many thanks, Mr_ X
  6. 4EverGreen

    4EverGreen Network Guru Member

  7. u3gyxap

    u3gyxap Network Guru Member

    I have a no-brainer.
    In the Access Restrictions, setup rule #9 to block the internet for all IP addresses - - 254
    In rules 1-8 set which MAC addresses are authorised to use internet.
    That is what I am using for over 2 years now.
  8. 4EverGreen

    4EverGreen Network Guru Member

    Thanks for the tip u3gyxap, but I had already looked at it and it doesn't fit my purposes ...

    This because it has a limited number of MACs to allow, and most important I can only deny IP ranges from the router's own subnet ( ...

    As I have 3 WRTs in WDS mode with different subnets ( / and ) , I would like to deny WAN access in each router to the other routers wired clients and only allow the MACs from its own clients.

    Trying to be more detailed :
    1. WRT 1 (
    - Deny IP range from to
    - Deny IP range from to
    - Allow only my clients MACS to access my WAN port (Internet)

    2. WRT 2 (
    - Deny IP range from to
    - Deny IP range from to
    - Allow only my clients MACS to access my WAN port (Internet)

    3. WRT 3 (
    - Deny IP range from to
    - Deny IP range from to
    - Allow only my clients MACS to access my WAN port (Internet)

    I would use EBTABLES (like Mr_X suggested) but it seems that ebtables modules aren't available in this firmware as I read in a post somewhere ...

    I guess I'll have to wait and see if this feature will be available in the next DD-WRT releases ...

    Nevertheless, many thanks once again ! :thumb:
  9. __spc__

    __spc__ Network Guru Member

    If someone had access to the WRT box, then they could just factory reset and plug in their CAT5 cable - they'd then be good to go... MAC filtering wouldn't stop them...
  10. u3gyxap

    u3gyxap Network Guru Member

    That is even easier to accomplish. Just setup every router to be with a subnet mask and no router will route any IP that belongs to a different subnet. And that will still allow the WDS - LAN traffic to go trough.
    The only "thing" that will be necessary in order to be able to admin all the routers from 1 PC is to add IP addresses from every subnet to the interface of the Networking adapter of that PC. For an examle on the laptop I use for administrative purposes, I have IP's:
    For 3 different networks, 3 different routers.
    It is not the perfect solution, but it is a solution :rockon:
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice