Firewall rule to block router input traffic on WIRELESS interfaces

I would like to block all input traffic to my router on all wireless interfaces except for one IP address with a specific MAC address.

I made this rule, but it is not working no matter where I place it in the firewall table:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Blocking unauthorized LAN Router access
      chain=input action=drop protocol=tcp src-address=!192.168.88.251 src-address-list="" 
      in-interface=all-wireless src-mac-address=!BE:19:AA:C2:FE:9E log=no log-prefix=""

The rule seems pretty straightforward, but as I am a beginner I can't see where I am making a mistake.

Unset / remove the property src-address-list; setting it to an empty string is not the same as not setting it at all.

Setting in-interface=all-wireless is problematic as well, for two reasons:

  • using automatic interface lists has a few quirks and it’s better to use interface names explicitly
  • it only works if the wireless interfaces are not made bridge ports. If the wireless interfaces are in fact bridge ports, then the firewall will see the bridge interface as in-interface

Setting protocol=tcp means that this rule will not trigger on any other protocol, i.e. all remote hosts will be able to connect to the router using e.g. UDP.
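Putting the three points of the answer together, here is how the rule could be rewritten. This is an added example and not code from the thread: the interface names wlan1 and wlan2 and the bridge name "bridge" are assumptions, and the IP/MAC pair is the one from the question. It is split into an accept followed by a drop rather than a single negated drop, because all matchers in one rule are ANDed, so `src-address=!X src-mac-address=!Y` only drops hosts that match neither value; a host with the right IP but a different MAC (or vice versa) would get through.

```routeros
# Added example, not from the original thread. Assumed names: wlan1, wlan2, bridge.
/ip firewall filter

# 1. Accept the single authorized host first. Both matchers must hold (IP AND MAC).
#    No src-address-list, and no protocol= restriction, so UDP/ICMP are covered too.
add chain=input action=accept in-interface=wlan1 \
    src-address=192.168.88.251 src-mac-address=BE:19:AA:C2:FE:9E \
    comment="Allow the one authorized wireless management host"

# 2. Then drop everything else arriving at the router from that radio,
#    regardless of protocol.
add chain=input action=drop in-interface=wlan1 \
    comment="Block all other router access from wireless"

# Repeat the pair per radio with explicit names instead of the dynamic
# all-wireless list, as the answer recommends.
add chain=input action=accept in-interface=wlan2 \
    src-address=192.168.88.251 src-mac-address=BE:19:AA:C2:FE:9E
add chain=input action=drop in-interface=wlan2

# ALTERNATIVE if the radios are bridge ports (use INSTEAD of the rules above):
# the IP firewall then sees in-interface=bridge, so match on the physical
# port with in-bridge-port. That matcher only works when use-ip-firewall is
# enabled in the bridge settings.
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter
add chain=input action=accept in-interface=bridge in-bridge-port=wlan1 \
    src-address=192.168.88.251 src-mac-address=BE:19:AA:C2:FE:9E \
    comment="Allow the one authorized wireless management host (bridged)"
add chain=input action=drop in-interface=bridge in-bridge-port=wlan1 \
    comment="Block all other router access from wireless (bridged)"
```

The accept rule must sit above its matching drop in the input chain, and both should come before any broad "accept from LAN" rule; check the resulting order with `/ip firewall filter print` and watch the packet counters with `print stats` while connecting from the authorized host and from a different wireless client.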