

MAC address is normally relevant only on L2 interfaces and in L2 (bridge) firewall rules; to make L3 (IP) firewall rules match on MAC address, you have to activate use-ip-firewall under /interface bridge settings, which currently causes so many surprises in the IP firewall operation that it is better to avoid it.

/interface bridge filter
add chain=input action=jump jump-target=filter-internet-access src-mac-address=x:x:x:x:x:x/ff:ff:ff:ff:ff:ff
add chain=input action=jump jump-target=filter-internet-access src-mac-address=y:y:y:y:y:y/ff:ff:ff:ff:ff:ff
add chain=filter-internet-access action=accept mac-protocol=ip dst-address=255.255.255.255
add chain=filter-internet-access action=accept mac-protocol=ip dst-address=224.0.0.0/4
add chain=filter-internet-access action=accept mac-protocol=ip dst-address=192.168.0.0/16
add chain=filter-internet-access action=accept mac-protocol=ip dst-address=172.16.0.0/12
add chain=filter-internet-access action=accept mac-protocol=ip dst-address=10.0.0.0/8
# without a final drop, unmatched packets return to chain input and are accepted
add chain=filter-internet-access action=drop mac-protocol=ip

Should prevent devices with MAC addresses x:x:x:x:x:x and y:y:y:y:y:y from accessing any other IP addresses than private, multicast, and broadcast ones.

Or you can assign a packet-mark using bridge filter rules, and then match on presence or absence of that packet-mark in the IP firewall rules:

/interface bridge filter
add chain=input action=mark-packet new-packet-mark=prohibit-internet-access src-mac-address=x:x:x:x:x:x/ff:ff:ff:ff:ff:ff
add chain=input action=mark-packet new-packet-mark=prohibit-internet-access src-mac-address=y:y:y:y:y:y/ff:ff:ff:ff:ff:ff
# the address list rfc1918 must already exist under /ip firewall address-list
/ip firewall filter
add chain=forward packet-mark=prohibit-internet-access dst-address-list=!rfc1918 action=drop

Both ways work if the destination device with a public address is not accessible via L2. If it is, only the first method can work, but the action=jump rules have to be placed to chain forward.
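How the jump-and-accept chain in the post evaluates, as an added Python model that is not part of the original post and is not RouterOS code. The rule set is constructed in the post's key=value format with a sample MAC address and a terminal drop rule; the function names are hypothetical, and only IPv4 frames are modelled.

```python
import ipaddress

# Constructed rule set in the post's key=value format; the MAC is a sample value.
RULES = """\
chain=input action=jump jump-target=filter-internet-access src-mac-address=AA:BB:CC:00:00:01/FF:FF:FF:FF:FF:FF
chain=filter-internet-access action=accept mac-protocol=ip dst-address=255.255.255.255
chain=filter-internet-access action=accept mac-protocol=ip dst-address=224.0.0.0/4
chain=filter-internet-access action=accept mac-protocol=ip dst-address=192.168.0.0/16
chain=filter-internet-access action=accept mac-protocol=ip dst-address=172.16.0.0/12
chain=filter-internet-access action=accept mac-protocol=ip dst-address=10.0.0.0/8
chain=filter-internet-access action=drop mac-protocol=ip
"""

def parse(text):
    """Turn each 'key=value key=value' line into a dict."""
    return [dict(p.split("=", 1) for p in ln.split()) for ln in text.splitlines() if ln.strip()]

def mac_matches(spec, mac):
    """Compare a MAC against an 'address/mask' matcher value."""
    addr, _, mask = spec.partition("/")
    as_int = lambda m: int(m.replace(":", ""), 16)
    bits = as_int(mask) if mask else (1 << 48) - 1
    return as_int(addr) & bits == as_int(mac) & bits

def matches(rule, mac, dst):
    """True when every matcher fits; mac-protocol=ip is assumed satisfied."""
    if "src-mac-address" in rule and not mac_matches(rule["src-mac-address"], mac):
        return False
    net = rule.get("dst-address")
    return net is None or ipaddress.ip_address(dst) in ipaddress.ip_network(net)

def verdict(rules, mac, dst, chain="input"):
    """First matching accept/drop wins; None means the chain ran out of rules,
    in which case a jumped-to chain hands the frame back to its caller."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, mac, dst):
            continue
        if rule["action"] == "jump":
            result = verdict(rules, mac, dst, rule["jump-target"])
            if result:
                return result
        elif rule["action"] in ("accept", "drop"):
            return rule["action"]
    return None

def decide(rules, mac, dst):
    """Built-in chains accept when no rule gives a verdict."""
    return verdict(rules, mac, dst) or "accept"
```

Removing the drop rule, or pointing jump-target at a chain name that has no rules, makes decide() return accept for every destination, so the restriction silently stops applying.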
