Mac Address Based VPN Policy Ignores Guest Networks

I have configured 3 networks in my GL-AXT1800 (4.0.3) and also have an OVPN config. For the VPN, I have selected the “VPN Policy Base On The Client Device” options and have added various devices. I was running into an issue on a PC (Cloudflare was blocking my IP) and found that even though I added my PC’s MAC address to the exclusion list, it is completely ignored when I’m connected to the Guest Wi-Fi. The MAC exclusion list doesn’t work at all unless I’m connected to the LAN wifi. How can I get this MAC address exclusion to apply to all of my networks?

The “Isolate all clients” setting in the “Guest” firewall zone might be causing that. It is accessed from LuCI.

Disabled it, but I still get the same issue.

How does this feature work by the way? Like in the config files? I’ve been poking around and cannot figure out how this exclusion list works on the LAN.

Clients that join the guest network cannot see or communicate with each other.
It uses iptables, and I think it now uses nftables.

In the GL.iNet Admin UI, under VPN Dashboard > Global Options, check to see if “Block Non-VPN Traffic” is on.

First generate a backup file.

In LuCI, under Network > Firewall > Zones, click Edit on the guest zone. Go to the bottom and find “Allow forward to destination zones:”; WAN and OVPN should be there.
I do not work for and I am not directly associated with GL.iNet.

Yes, those are there already. I went over the config for the LAN zone and the Guest zone; there’s no difference between them that would indicate MAC address or VPN policy effects. This seems to be some kind of config file issue that doesn’t appear in the UI. The only thing the LAN has that the Guest doesn’t is the br-lan bridge. But I can’t just add that to the Guest network or it will have access to whatever is hooked up to the LAN.

This looks like a bug. If I add a MAC address to the VPN exclusion list, it should exclude it from the VPN, regardless of which network it’s in. In the Asus Merlin software, there was an option to add an IP address or range to exclude those IPs from the VPN. It was very easy. Not sure why it’s so difficult to achieve this on this device.

I’ve run grep on the entire config folder (AND the root folder), and the MAC addresses to exclude appear in a couple of locations, the vpnpolicy file being one of them. However, they don’t take effect, and it’s not clear why or how this list is used. I’m not an expert in OpenWrt; this is my first time using this software.

config policy 'mac'
	option default_policy '1'
	list mac 'xx:xx:xx:xx:x:x1'
	list mac 'xx:xx:xx:xx:x:x2'
	list mac 'xx:xx:xx:xx:x:x3'
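As an added illustration (not code from the thread or from GL.iNet firmware), the following Python parses the UCI-style `vpnpolicy` section quoted above and answers the question the poster is asking: for a given client MAC, does the list say "bypass the VPN" or "route via VPN"? Two things are assumptions, not facts from the page: that `default_policy '1'` means listed MACs bypass the VPN and everyone else is routed through it (the "exclusion list" behaviour described above), and the `client_zone` argument, which simply models the behaviour reported in this thread, i.e. the MAC list is consulted only for the private LAN zone. The MAC values in the sample are constructed placeholders.

```python
# Added example: parse a GL.iNet-style UCI "vpnpolicy" file and evaluate a MAC policy.
# Not the firmware's own implementation; the meaning of default_policy is an ASSUMPTION.
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the structure of the config quoted in the thread.
# MAC values are placeholders, not real devices.
SAMPLE_VPNPOLICY = """
config policy 'mac'
	option default_policy '1'
	list mac 'AA:BB:CC:DD:EE:01'
	list mac 'aa:bb:cc:dd:ee:02'
"""


@dataclass
class UciSection:
    type: str
    name: str
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)


# Subset of UCI syntax used in the file: config/option/list with single-quoted values.
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Parse 'config <type> <name>', 'option <key> <value>' and 'list <key> <value>' lines.
    'option' keeps the last value; 'list' accumulates values in order."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported UCI line: {raw!r}")
        kind, key, value = m.groups()
        if kind == "config":
            current = UciSection(type=key, name=value or "")
            sections.append(current)
        elif current is None:
            raise ValueError("option/list before any config section")
        elif kind == "option":
            current.options[key] = value
        else:
            current.lists.setdefault(key, []).append(value)
    return sections


def normalize_mac(mac):
    """Canonical lower-case, zero-padded form, so 'A:B:C:D:E:F', 'aa-bb-...' and
    'AA:BB:...' compare equal. Raises ValueError for anything that is not a MAC."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    out = []
    for p in parts:
        if not 1 <= len(p) <= 2 or any(c not in "0123456789abcdefABCDEF" for c in p):
            raise ValueError(f"not a MAC address: {mac!r}")
        out.append(p.lower().zfill(2))
    return ":".join(out)


def vpn_decision(sections, client_mac, client_zone="lan"):
    """Return 'bypass' or 'vpn' for one client.
    ASSUMPTION: default_policy '1' -> listed MACs bypass the VPN, all others use it;
    any other value -> listed MACs use the VPN, all others bypass it.
    ASSUMPTION (models the thread's report): the list is only consulted for the
    private LAN zone; clients in any other zone are routed through the VPN."""
    policy = next((s for s in sections if s.type == "policy" and s.name == "mac"), None)
    if policy is None:
        return "vpn"
    listed = {normalize_mac(m) for m in policy.lists.get("mac", [])}
    in_list = normalize_mac(client_mac) in listed
    if client_zone != "lan":
        return "vpn"
    listed_bypass = policy.options.get("default_policy", "1") == "1"
    if listed_bypass:
        return "bypass" if in_list else "vpn"
    return "vpn" if in_list else "bypass"


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_VPNPOLICY)
    for mac, zone in [("aa:bb:cc:dd:ee:01", "lan"), ("aa:bb:cc:dd:ee:01", "guest"),
                      ("aa:bb:cc:dd:ee:99", "lan")]:
        print(f"{mac} in {zone}: {vpn_decision(cfg, mac, zone)}")
```

Running it with the sample shows the complaint in the first post: the same listed MAC gets "bypass" from the LAN zone and "vpn" from the guest zone. The normalisation step matters when checking a list by hand, because entries written with short groups (`x:x1`) or mixed case do not string-compare equal to what `ip neigh` or the DHCP lease table prints.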

Kernel 4.4.6? Not 5.4?
There is a problem with MAC address cloning; I don’t know if it is related. Config files that are set up using iptables and then migrated to nftables (OpenWrt 22.02.03) do not transfer correctly.

I just did a fresh install and setup on Flint because the config I created was giving me issues with distfeeds only using IPv6. This was blocked because my VPN only allows IPv4.

If you are using an old config file (doing a fresh install without saving settings and packages, then uploading the config), that could be the issue.

Beta GL-AXT1800 v4.1.0 release5 is out, and I think a stable release is coming out soon this month.

MAC- or IP-based VPN policy only works on the private Wi-Fi, not the guest Wi-Fi.

If you check the VLAN-based policy, you will see that you can apply the VPN policy based on VLAN (private, guest).

Thanks for getting back to me @alzhao. First-time GL.iNet buyer, and it’s good to see tech support on these products as I definitely have questions.

Below are my current use cases:

Network #1
LAN - Devices that can access each other and the internet. Personal computers, laptops, and the home server. I have a media server and only that device should have VPN. The rest of the devices should not use VPN.

There is half a solution here: I can set the Policy Mode to device and exclude the media server, but then all other networks are forced through the VPN and I can’t do anything to modify this.

Network #2
Guest 1 - Devices that can’t access each other OR LAN, but can access the internet. Work devices and actual guests and their devices fall into this category.

VPN devices should not apply to work devices.

The half solution here is to set VPN mode to VLAN and turn off the VPN, but then it’s an all-or-nothing VPN option. I can’t selectively route the media server on the LAN through the VPN.

I’m just taking a guess here, but it seems like being able to combine VLAN mode AND Policy Mode would solve this issue.

Can you confirm whether any of this is possible? If it’s not possible, is this functionality that can be reasonably added in the next few months?

I really like the Slate AXT-1800 (I bought 2); it’s small, powerful, and very promising. I would love to replace my existing home router with the Slate and would love to see more flexibility in how VPN policies are implemented.

Can you confirm this is your requirement:

  1. Media server on private wifi goes via VPN, while others don’t use VPN.
  2. Guest wifi does not use vpn.

For 1, actually you can just use the MAC-based VPN policy and that is fine. What is the issue now?
For 2, it is the default configuration. Nothing needs to be done.

Yes. Those are the requirements, but if I select the MAC address policy, the guest Wi-Fi is forced through the VPN, which breaks requirement #2. I can only do 1 or 2; I cannot figure out how to do both at the same time.

Yes, you are right. This is a problem. We are checking how to solve it.

A workaround is creating a new interface (it should not be named guest) just for your media server to use for the VPN.