Hi all,
I need to limit access to and via a 711 to just one piece of equipment with one MAC address.
I have two 711s configured as a point-to-point link with a bridge from wlan to ether set up on them both.
One end (office) has a switch and 4 PCs connected.
The other end has a video recorder connected that is viewed from one of the PC’s in the office.
The recorder has a static IP address.
The problem I have is that a “nice” person unplugs the DVR and connects a PC in its place. The person can now access anything on the other end of the radio link.
I think (occasionally, but today is not one of those times) that if I could use mac address filtering I could stop this happening by allowing traffic to and from one mac address only.
I have tried using a firewall in the bridge from wlan to ether but can’t get it to work (I can get it to work using IP address filtering, but the person is clever enough to set his PC to the same IP address as the recorder)!
Smart enough to spoof the IP address may also be smart enough to spoof the MAC address. Some people are just annoyingly clever that way.
Your best bet is to approach it the other way around. Configure the firewall filtering on the router at your end to only allow connections originating from your location to the DVR, and only allow the expected ports to and from the expected hosts. If the link is isolated on a particular port of your router, that makes things easier. Something like this should do the trick.
/ip firewall filter
add chain=forward action=jump in-interface=dvr-gateway jump-target=dvr \
    comment="Anything from the DVR link goes to a special chain"
add action=accept chain=dvr connection-state=established comment="Allow established connections"
add action=accept chain=dvr connection-state=related comment="Allow related connections"
add action=drop chain=dvr comment="Anything else coming down the DVR link is rogue usage"
If you’re feeling especially clever you can make this much fancier. Have it do logging, or verify ports or IP addresses, or …
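As an added example (not from either poster), here is the fuller version the reply hints at, written for the office-side router: it keeps the reply's `dvr-gateway` interface name and `dvr` chain, and adds logging of rogue traffic plus a restriction on the outbound direction so that only the viewing PC can reach the DVR, and only on its expected ports. The DVR address, the viewing PC address and the ports 80/554 are placeholders to be replaced with the real values.

```routeros
# Added example, not the thread's own configuration.
# Assumptions: the radio link is on interface "dvr-gateway" (name from the reply);
# addresses and ports below are placeholders.
/ip firewall address-list
add list=dvr-hosts address=192.0.2.10 comment="DVR (placeholder address)"
add list=dvr-viewers address=192.0.2.50 comment="Office PC allowed to view the DVR (placeholder)"

/ip firewall filter
# Inbound from the radio link: only replies to sessions the office opened
add chain=forward in-interface=dvr-gateway action=jump jump-target=dvr \
    comment="Anything from the DVR link goes to a special chain"
add chain=dvr connection-state=established,related action=accept \
    comment="Allow replies to connections we opened"
add chain=dvr action=log log-prefix="dvr-rogue" \
    comment="Record anything else coming down the link"
add chain=dvr action=drop comment="...and drop it"

# Outbound to the radio link: only the viewer PC, only to the DVR, only expected ports
add chain=forward out-interface=dvr-gateway src-address-list=dvr-viewers \
    dst-address-list=dvr-hosts protocol=tcp dst-port=80,554 action=accept \
    comment="Viewer PC to DVR on its web/RTSP ports (placeholder ports)"
add chain=forward out-interface=dvr-gateway action=log log-prefix="dvr-out-blocked" \
    comment="Record any other attempt to cross the link"
add chain=forward out-interface=dvr-gateway action=drop \
    comment="Nothing else crosses the link"
```

These rules only see traffic the router actually forwards at layer 3. Since the question describes a wlan-to-ether bridge, either give the link its own routed interface on the office router (the reply's "isolated on a particular port" case) or enable `/interface bridge settings set use-ip-firewall=yes` so bridged traffic is also passed through the IP firewall. The `dvr-rogue` log prefix is what to watch for: any hit means something on the far end tried to start a connection on its own, which the DVR never should.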