I have to put a GL-AR300M16 in a semi-public location and I need its Ethernet to be active, as the device that will be connecting to it only has Ethernet access.
My fear is someone plugging out the Ethernet cable and connecting their own device, which would allow access to the network.
Is it possible to only allow one MAC address to connect through the Ethernet port? I'm imagining this is something I'll have to do through the OpenWRT backend, but unsure where to even start…
I actually checked this out the other day and didn't see an option to change the block list to an allow list and I don't see the option mentioned in the docs either, but I'll go back and check.
When you click on the text that says access control: blocklist, then on the next page there's a drop-down menu that says "Mode" and you can change to allowlist that way.
Hmm. I'm afraid I don't have your model of router. Maybe the access list UI came in later firmware which never got ported to your device. You will have to wait for a response from the glinet devs or other users that might have a better insight.
Ah damn. Do they respond often? I have to have this done by tomorrow and not sure what to do. I did see the "Luci" option show up that I'm going to investigate, but obviously having it baked into the default UI would be much nicer.
Currently, the AR300M firmware (v4.3.x) does not yet support the native "Whitelist" feature in the simplified GL.iNet Admin Panel. We expect this to be supported when the firmware is upgraded to v4.5 in an upcoming release.
In the meantime, you can achieve the same result using Luci by following these steps:
Go to Luci > Network > Firewall and disable LAN to WAN forwarding.
Some interesting things have happened since I applied these settings.
Non-whitelisted MACs cannot connect via the LAN ports (great!).
Anyone who gets connected to the WiFi can connect, regardless of the MAC. Is this intentional? The WiFi is password blocked anyway, so I don’t really mind this.
Internet access is now blocked for users who connect. This was not actually something I was looking to do, but considering the application, this might actually be a benefit, so I’m OK with leaving this as is.
Any users who connect can see the devices on the LAN (in respect to the AR300M); however, they can also see devices on the remote LAN that WireGuard is connected to.
Just wanted feedback to know if this is what was supposed to happen, as the internet blocking was not something I expected.
It would be great if the devices could only see the actual LAN (relevant to the AR300M, 192.168.97.XXX) and the WireGuard VPN/LAN (10.66.66.XXX), but be blocked from the remote LAN that WireGuard is connected to (192.168.178.XXX). Is this possible?
Sorry if that paragraph is confusing, networking is getting messy!
In the previous configuration, devices connected to the Main Wi-Fi were also unable to access the internet.
However, devices connected to the Guest Wi-Fi could, because the Guest network was not being filtered.
So in practice, you intend to allow only certain devices to access the remote LAN devices (192.168.178.xxx) through the WireGuard tunnel.
At the same time, other devices should be able to access the local LAN (192.168.97.xxx), the internet and the WireGuard endpoint addresses (10.66.66.xxx)?
Then you can add the rules below to the firewall rules to do this:
Allow the specific devices to access the remote LAN devices (192.168.178.xxx)
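As an added illustration of the rules just described (not taken from the thread or from GL.iNet), here is what that looks like as an OpenWrt `/etc/config/firewall` excerpt. It assumes the WireGuard client zone is named `wgclient` and uses a placeholder MAC for the trusted device; rule order matters, because the ACCEPT for the trusted host must come before the REJECT that covers everyone else. Keep in mind that a MAC address is only a weak identifier, so treat this as access hygiene rather than a strong access control.

```uci
# /etc/config/firewall (excerpt; added example, not the router's shipped config)
# Assumptions: LAN zone is 'lan', WireGuard client zone is 'wgclient',
# 'AA:BB:CC:DD:EE:FF' is a placeholder for the trusted device's MAC.

# Keep normal forwarding so every LAN client still reaches the internet
# and the WireGuard endpoint addresses (10.66.66.x).
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wgclient'

# 1. Only the trusted host may reach the remote LAN behind the tunnel.
config rule
	option name 'Allow-trusted-host-to-remote-LAN'
	option src 'lan'
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option dest 'wgclient'
	option dest_ip '192.168.178.0/24'
	option proto 'all'
	option target 'ACCEPT'

# 2. Every other LAN client is refused for that subnet only.
#    10.66.66.x and the internet are unaffected because this rule
#    matches 192.168.178.0/24 alone.
config rule
	option name 'Reject-others-to-remote-LAN'
	option src 'lan'
	option dest 'wgclient'
	option dest_ip '192.168.178.0/24'
	option proto 'all'
	option target 'REJECT'
```

After editing, apply with `/etc/init.d/firewall restart` and confirm from a non-trusted client that 192.168.178.x is refused while 10.66.66.x and the internet still answer.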