How to block Webcam Internet Access by MAC Address

Cheap webcams can have a lot of security issues, especially when they connect to the Internet and phone home to some cloud services. But I still want to play around with them locally, so I need them to be able to use the local LAN, but not the Internet.

Based on IP addresses, I could deny all traffic except that to the local subnet:
/ip firewall filter
add chain=forward src-address=192.168.2.20/32 dst-address=!192.168.2.0/24 action=drop

But my fresh webcam currently has no IP, and I don’t want to let a single packet out to the Internet during the investigation of the current DHCP-based IP address and the setup of my firewall rules.

Based on the MAC address, I can block all traffic:
/ip firewall filter
add chain=input src-mac-address=aa:bb:cc:dd:ee:ff action=drop

How can I set up a MAC-address-based rule which does the same thing as the IP-based one? Block only Internet, but still allow local traffic.
Would the following work as I expect it to?
/ip firewall filter
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff dst-address=!192.168.2.0/24 action=drop

I would think using src-mac-address would work. But instead of specifying the dst-address as not 192.168.2.0/24, I would use out-interface=ether1.
Or put the camera on its own interface and block that interface from the Internet: in-interface=ether-x, out-interface=ether-1

You could also deny the webcam DNS lookups (which would be another way it could send its serial number back home).

To block DNS, you’d need an input filter rule to block that MAC from sending UDP 53 to the MikroTik.

Thanks, I do like the idea with the out interface:
/ip firewall filter
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff out-interface=ether-1 action=drop

But I do have my DHCP and DNS server also behind ether-1.
So I will have to add some rules in front of that.

I will check this with a laptop first.
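
An added example, not part of the original posts: one way to order the rules discussed in this thread so the camera can still reach a DHCP/DNS server behind ether-1 while everything else it sends out through that interface is dropped. The server address 192.0.2.53 and the comment and log-prefix strings are placeholders; the MAC address and interface name are the ones used above.

```routeros
# Added example. Assumptions: 192.0.2.53 is a placeholder for the DHCP/DNS
# server behind ether-1; aa:bb:cc:dd:ee:ff is the camera MAC from the thread.
# Filter rules are evaluated top to bottom and the first match wins, so the
# accept rules must sit above the drop rule, and all of them must sit above
# any general "accept from LAN" rule (use place-before or move if needed).
/ip firewall filter

# 1. DNS to the internal server only (UDP and TCP 53).
#    If that resolver forwards queries upstream, the queried names still
#    leave the network; leave these two rules out to deny DNS as well.
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff out-interface=ether-1 \
    dst-address=192.0.2.53 protocol=udp dst-port=53 action=accept \
    comment="webcam: DNS to internal server"
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff out-interface=ether-1 \
    dst-address=192.0.2.53 protocol=tcp dst-port=53 action=accept \
    comment="webcam: DNS/TCP to internal server"

# 2. Unicast DHCP renewals to the same server. Broadcast DHCP requests are
#    not routed, so they never reach the forward chain.
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff out-interface=ether-1 \
    dst-address=192.0.2.53 protocol=udp src-port=68 dst-port=67 \
    action=accept comment="webcam: DHCP renew"

# 3. Everything else from the camera towards ether-1 is dropped and logged,
#    which also shows what the device tries to contact.
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff out-interface=ether-1 \
    action=drop log=yes log-prefix="webcam-blocked" \
    comment="webcam: no Internet"
```

Because the match is on the source MAC rather than the IP, the drop rule applies from the first packet, before the camera has obtained a DHCP lease.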