Brume 2 - how to make the admin page accessible only for certain devices?

Hello
Is there some way to allow only certain devices (by mac address?) to see/open the admin page of the router at 192.168.8.1? (the devices are accessing it through the local lan)

All devices should be still able to access internet/vpn through the router.

Thanks in advance

That’s a touch dangerous, isn’t it? What if your whitelisted device dies/gets stolen? You’d be locked out & would have to hard reset the Brume 2.

It can be done via iptables … but again why? Just put a 256-bit hashed password on it & save it in something like Keepass.


If you don’t use AdGuardHome you could try to disable nginx.
In that case, the GUI (and all services relying on it) won’t be reachable.

Not a perfect solution, but good enough if you want to hide the interface and are familiar with SSH.

/etc/init.d/nginx stop
# Please test now if everything works still as expected
# If yes, continue:
/etc/init.d/nginx disable

To revert it:

/etc/init.d/nginx enable
/etc/init.d/nginx start

Not sure if it will break something important - but as long as SSH still works, it should not be a big deal.

Thank you for this suggestion, but if necessary I can physically reset the router and assign another MAC address for management.
I really do not want each user on the LAN to be able to see exactly which brand and model the router is (visible on the admin login page).
How can I put such restriction using iptables?

I still want to be able to access the admin GUI from certain device/s

They will be able to figure it out anyway. There are so many possibilities without even trying to connect to the GUI. Security by obscurity isn’t real security.

Using iptables could be something like this: https://www.cyberciti.biz/tips/iptables-mac-address-filtering.html

Hint: This might break something, not sure though. So testing is recommended.

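The MAC-filter approach from the linked HOW-TO, worked through as an added example (this is not code from the thread or from GL.iNet). It restricts only LAN-side connections to the GUI ports, so forwarding (internet and VPN traffic) is untouched. The two MAC addresses are constructed placeholders; the LAN bridge name br-lan, the port list 80,443 and the chain name gui_acl are assumptions, so check them against your own box with ip link and netstat -tlnp first. The script prints the iptables commands instead of running them, so you can review the output and then apply it with sh thisfile.sh | sh.

```shell
#!/bin/sh
# Added example: restrict the GL.iNet admin GUI on the LAN side to a MAC
# whitelist with iptables. ALLOWED_MACS are constructed placeholders; the
# bridge name, GUI ports and chain name are assumptions for this example.
ALLOWED_MACS="aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02"
LAN_IF="br-lan"
GUI_PORTS="80,443"
CHAIN="gui_acl"

# Six colon-separated hex pairs; anything else is rejected before it reaches iptables.
is_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rules rather than executing them so they can be reviewed first.
gen_rules() {
  for mac in $ALLOWED_MACS; do
    is_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
  done
  # A dedicated chain: re-running the script flushes and rebuilds it cleanly.
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  # Whitelisted senders RETURN to INPUT, which already accepts LAN traffic.
  for mac in $ALLOWED_MACS; do
    echo "iptables -A $CHAIN -m mac --mac-source $mac -j RETURN"
  done
  # Everyone else gets a TCP reset instead of a hanging connection.
  echo "iptables -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
  # Hook only LAN-side TCP to the GUI ports; -I puts it ahead of the generic
  # LAN accept rule so the chain is actually consulted.
  echo "iptables -I INPUT -i $LAN_IF -p tcp -m multiport --dports $GUI_PORTS -j $CHAIN"
}

# Matching teardown, also printed: removes the hook, then the chain.
gen_teardown() {
  echo "iptables -D INPUT -i $LAN_IF -p tcp -m multiport --dports $GUI_PORTS -j $CHAIN"
  echo "iptables -F $CHAIN"
  echo "iptables -X $CHAIN"
}

# Usage on the router: sh thisfile.sh | sh
gen_rules
```

Three caveats before relying on it: the mac match only sees the Ethernet source address, so it works for hosts directly on the LAN segment and not for anything behind a second router; as the replies above say, a MAC is trivially spoofed, so this hides the login page from casual users but is not an access control; and the rules are gone after a reboot unless you also put them where your firmware reloads them (on fw3-based firmware that is /etc/firewall.user). SSH on port 22 is deliberately left out so a mistake in the list cannot lock you out of the shell.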

Yeah, @admon is right; a quick nmap scan from within the LAN will tell me it’s a GL device… & MACs are near trivial to spoof.

Here’s another/expanded iptables HOW-TO:


How will the LAN scan reveal the type/brand/model of the device? Will it be based on its MAC address?
What if the router sets for itself a fake mac address?

Based on the MAC and based on hashes of services - called banner grabbing.

MAC-based detection would fail then, but it would produce more problems than it solves.


Well, I can think of a hack that gets OP damn close to what he wants but it requires bash. Commands can be automatically executed in ~/.bashrc… so if OP disables nginx & gl-ngx-session he can still /etc/init.d/$serviceNameHere start it up after logging in over SSH.

This would require manually switching from the ash shell to bash (just execute bash). Permanently changing root’s shell in /etc/passwd is not recommended as major firmware/OpenWrt version upgrades may fail… and brick… if the shell is not the default ash.
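The ~/.bashrc hack from the post above, written out as an added example (not code from the thread or from GL.iNet). It assumes bash has been installed on the router and is entered by hand from ash, that nginx and gl-ngx-session have been disabled at boot as described, and that those two are the only services that need restarting; the INIT_DIR variable exists only so the logic can be exercised outside the router. The part the post does not spell out is the EXIT trap: the GUI comes up when the SSH session starts and goes away again when the shell exits, so it is never reachable while nobody is logged in.

```shell
# Added example: ~/.bashrc fragment that brings the GUI up for the lifetime of
# an interactive SSH session only. Service names are taken from the post;
# INIT_DIR is an assumption that defaults to the usual OpenWrt location.
GUI_SERVICES="gl-ngx-session nginx"
INIT_DIR="${INIT_DIR:-/etc/init.d}"
GUI_TOUCHED=0

# Run "$1" (start/stop) on every GUI service whose init script exists, so the
# fragment is harmless on a box where one of them is missing. The number of
# services acted on is left in GUI_TOUCHED for inspection.
gui_services() {
  action="$1"
  GUI_TOUCHED=0
  for svc in $GUI_SERVICES; do
    if [ -x "$INIT_DIR/$svc" ]; then
      "$INIT_DIR/$svc" "$action" && GUI_TOUCHED=$((GUI_TOUCHED + 1))
    fi
  done
  return 0
}

# Only act for an interactive SSH login, not for scp/rsync or a local console.
if [ -n "$SSH_TTY" ] && [ -n "$PS1" ]; then
  gui_services start
  # Take the GUI down again when this shell exits (logout, Ctrl-D, dropped link).
  trap 'gui_services stop' EXIT
fi
```

Note that the trap fires only for the shell that set it: if you drop back to ash with exit and keep the SSH session open, nginx stays running until that bash instance is gone.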

In fact I am not worried that someone in the LAN will hack the router. I wonder what the best way is to hide from the single computer connected to the router that it is using an internet connection through a VPN/travel router?
(the router is the VPN client)

Depends.

If somebody else (like your company) has full admin access to this computer you can’t hide it.