If there is just one other router between the 3G modem and the machines administratively accessing the router behind the 3G modem, you CANNOT filter by MAC address. How TCP/IP works makes that absolutely impossible. Since you have the Internet between the two, that's more than one router.
So the next question is: what source IP address does the router behind the 3G modem see PC1 and PC2 as having? Are they both the same? In that case you cannot meaningfully differentiate between the two and cannot permit access to one and categorically deny a login prompt to the other. If they have different source IPs (PC1 and PC2 are either not NAT'd by the router, or get NAT'd to different IP addresses) you can filter administrative access by IP address. If you don't know the answer to that question, go to both PCs and load http://whatismyipaddress.com
in a browser and compare the results.
If they do have the same source IP, you can look up port-knocking on the wiki and use the concept to just allow a PC with that source IP address to connect to a particular secret sequence of ports in order to open up the firewall administrative access for a short timeframe (one or two minutes) - but still, during that timeframe any PC with that source IP address would get a login prompt. However, that's a somewhat advanced concept and can be a hassle to use, so you may be better off just living with the fact that all PCs behind the router on the left hand side of your graphic will get a login prompt. Use decent passwords and non-obvious usernames and that shouldn't be too much of a problem.