mangle rule to add client to list when mac address is seen

Hi all,
My first mangle rule… I think… if I’ve understood mangle rules correctly.

I have a Samsung tablet device that has been out of support (and hence security patches) for years. I want to use it as a local head unit to present a UI for my local home network - it shouldn’t talk to anything other than the local Home Assistant server and nothing should talk to it.
I’m happy with the firewall rules for the above, but then the device hopped network because of a VLAN error, which I’ve now corrected, but I want to really lock that device down so that if it does appear on the network and tries to go anywhere other than Home Assistant, its IP address gets dropped into the InternalIsolated list, which the firewall forward rules will drop.

Does this work:

 3    ;;; Intention - if insecure (galaxy tab) gets onto network add whatever the address is into Isolated list so that firewall rule catches it
      chain=prerouting action=add-src-to-address-list dst-address-list=!HomeAssistant address-list=InternalIsolated address-list-timeout=none-dynamic 
      src-mac-address=00:00:00:00:00:00 log=no log-prefix=""

(with the correct MAC address of the tablet of course)

Thanks

Or you can drop it right away:

/ip firewall raw
add action=drop chain=prerouting dst-address-list=!HomeAssistant src-mac-address=00:00:00:00:00:00

But this only affects routing, so it won’t be able to reach the internet or other VLANs, but it will be able to communicate with devices in the same network segment, if there are any.

Edit: Although this could maybe block DHCP too, if the device uses it, I’m not sure and too lazy to test it now.

Oh now that’s an interesting thought… I’ll try it and see what it does.
Thanks.
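
The raw drop from the reply above combined with the original poster's address-list idea, as an added example that is not part of any post in this thread. The address 192.0.2.10, the rule comments and the log prefix are constructed placeholders, and the DHCP exception assumes the tablet's DHCP packets are seen by the raw prerouting chain, which the reply leaves untested.

```routeros
# Added example. List names and the all-zero MAC placeholder come from the
# thread; substitute the tablet's real MAC address.
# 192.0.2.10 is a constructed placeholder for the Home Assistant server.

/ip firewall address-list
add list=HomeAssistant address=192.0.2.10 comment="placeholder HA address"

/ip firewall raw
# 1. Accept the tablet's DHCP client packets first, so the rules below can
#    neither drop a lease request nor list its 0.0.0.0 / broadcast traffic.
#    (Assumption: these packets reach raw prerouting at all.)
add chain=prerouting action=accept protocol=udp src-port=68 dst-port=67 \
    src-mac-address=00:00:00:00:00:00 comment="tablet: allow DHCP client"

# 2. Record and log the source address of anything else the tablet sends to a
#    destination outside the HomeAssistant list. This action does not stop
#    processing, so the packet continues to rule 3.
add chain=prerouting action=add-src-to-address-list \
    address-list=InternalIsolated address-list-timeout=none-dynamic \
    dst-address-list=!HomeAssistant src-mac-address=00:00:00:00:00:00 \
    log=yes log-prefix="tablet-stray" comment="tablet: list stray source"

# 3. Drop the same traffic immediately, before connection tracking.
add chain=prerouting action=drop dst-address-list=!HomeAssistant \
    src-mac-address=00:00:00:00:00:00 comment="tablet: drop non-HA traffic"
```

Rule order matters here: the accept must sit above the other two, and the list entry created by rule 2 is what the existing forward rules for InternalIsolated match if the tablet's address later shows up in other traffic.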