MAC Address Blocking on GL.iNet/OpenWRT Routers

How to allow only certain devices to access the internet on GL.iNet Routers

These are the steps I took in order to get my GL.iNet X300B "Collie" to only allow certain devices to access the internet, using MAC address filtering:

1. Install LuCI

If you haven't already, install LuCI on your GL.iNet device. This can be done by going to More Settings > Advanced.

Once LuCI is installed, it can be accessed either by going to More Settings > Advanced, or by typing in the URL directly: http://[YOUR_ROUTER_IP]/cgi-bin/luci

2. Allow internet access for specific devices

In LuCI, from the navbar, go to Network > Firewall.

Select the tab "Traffic Rules".

We are going to add a new rule that will enable internet access for the devices on our allow list. I recommend starting with the allow list before locking down access, to avoid accidentally locking yourself out during the config.

To add the new rule, scroll to the bottom and click "Add."

In the "General Settings" tab, input the settings as follows:

  • Name: Choose any name you want. Use a name that clearly describes what this rule does. In my example, it's "Allow net traffic."
  • Protocol: Any
  • Source zone: LAN
  • Destination zone: WAN
  • Action: Accept

Then, go to the "Advanced Settings" tab. Here, we can specify which devices can be granted internet access, based on their MAC address. Simply select "Add MAC." You can either select from the list, or enter a custom MAC address.

Click "Save" to save the rule and close the window. You should see the new rule listed.

3. Disable internet access for everyone else

Next, we are going to add a new rule that will disable access to the WAN (internet) for all other devices.

Just like before, click "Add", then input the settings as follows:

  • Name: Any descriptive name of your choosing
  • Protocol: Any
  • Source zone: LAN
  • Destination zone: WAN
  • Action: reject

We will not change any of the advanced settings.

Press "Save" to create the new rule. You should now have two rules, one to whitelist MAC addresses for internet access, and another to block internet access for everyone else.

4. Save the configuration

For the settings to take effect, click "Save and Apply".

Effects

On blocked devices, this is what happens if they attempt to visit a website: [screenshot of Chrome on a blocked device]

Caveats

  • This does not prevent blocked devices from connecting to the network. In the screenshot above, you can see that the device is connected to wifi, albeit without internet access. The setting simply disables the device's access to the internet. With the firewall rules above, the blocked device can still access other devices in the LAN, which includes the router itself. More firewall rules are needed to restrict access to other LAN devices.
  • Be wary of MAC address spoofing and randomization. MAC address randomization in particular could mess up allow lists: since the device generates a new MAC address, the router would "mistakenly" block internet access to the device. Remember to disable MAC randomization on devices you wish to whitelist.
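
As an added example (not part of the original write-up): a small Python check, meant to be run against a copy of the router's /etc/config/firewall, that confirms the MAC allow rule from step 2 sits above the catch-all reject rule from step 3 and flags allow-listed MACs with the locally administered bit set, which is how randomized addresses are marked. The sample config, its MAC addresses and the function names are constructed for illustration; what LuCI writes on your firmware version may differ in detail.

```python
import re
# Constructed sample in /etc/config/firewall (UCI) syntax; name and MACs are made up.
SAMPLE = """\
config rule
    option name 'Allow net traffic'
    option src 'lan'
    option dest 'wan'
    option proto 'all'
    list src_mac '3C:22:FB:10:20:30'
    list src_mac 'da:a1:19:00:00:01'
    option target 'ACCEPT'

config rule
    option src 'lan'
    option dest 'wan'
    option proto 'all'
    option target 'REJECT'
"""
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_rules(text):
    """Return every 'config rule' section, in file order, as {option: value}."""
    sections = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        kind, key, val = m.group(1), m.group(2), (m.group(3) or "").strip()
        if kind == "config":
            sections.append({".type": key})
        elif sections:  # repeated 'list' entries are joined with spaces
            sections[-1][key] = (sections[-1].get(key, "") + " " + val).strip()
    return [s for s in sections if s[".type"] == "rule"]

def audit(text, src="lan", dest="wan"):
    """Check the MAC allow list and the catch-all block for src -> dest traffic."""
    allowed, problems = [], []
    for rule in parse_rules(text):
        if (rule.get("src"), rule.get("dest")) != (src, dest) or rule.get("enabled") == "0":
            continue
        macs = rule.get("src_mac", "").upper().split()
        target = rule.get("target", "").upper()
        if target == "ACCEPT" and macs:
            allowed += macs
        elif target in ("REJECT", "DROP") and not macs:  # other match options not inspected
            if not allowed:
                problems.append("catch-all block sits above the allow list")
            break  # rules are matched top to bottom, so later ones never apply
    else:
        problems.append("no catch-all REJECT/DROP rule found")
    randomized = [m for m in allowed if int(m[:2], 16) & 0x02]  # locally administered bit
    return {"allowed": allowed, "randomized": randomized, "problems": problems}
```

Call `audit(open("firewall").read())` on the copied file; an entry under `randomized` is an allow-listed address that will stop matching once the device rotates its MAC.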