I wrote a post on blocking clients of an AP from Internet access on a MikroTik router a while ago at https://jim-think.blogspot.com/2023/04/block-internet-access-for-iot-devices.html
I have become dissatisfied with MikroTik's WiFi compatibility, so I switched to OpenWrt.
Steps
0. Install nftables bridge support: opkg install kmod-nft-bridge
1. Add a WiFi interface for restricted devices. Only two settings matter for the rest of the recipe: the interface is bridged into lan, and it gets a fixed ifname so the nftables rule can match on it. (UCI comments start with #.)
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid '<redacted>'
	option encryption 'psk2+ccmp'
	option key '<redacted>'
	option ocv '0'
	option network 'lan'            # bridged to lan
	option ieee80211w '1'
	option ifname 'no-internet'     # remember this
2. Create a file at /etc/nftables.d/bridge.sh with the following contents. Frames entering through the restricted AP interface are marked in the bridge prerouting hook, before they are bridged to br-lan and routed; the mark stays on the packet when it reaches the fw4 forward chain.
# create the table if it does not exist yet, then empty it so the script is idempotent on every firewall restart
nft add table bridge filter
nft flush table bridge filter
# bridge-family prerouting hook; the \; keeps the shell from treating ; as a command separator
nft add chain bridge filter prerouting { type filter hook prerouting priority dstnat\; }
# mark every frame that arrived on the restricted AP interface
nft add rule bridge filter prerouting iifname no-internet mark set 0x1984
3. Add firewall rules in /etc/config/firewall. The rule rejects marked traffic forwarded from lan to wan; the include makes fw4 run the script above on every firewall start or restart.
config rule
	option name 'block-no-internet'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option mark '0x1984'
config include
	option type 'script'
	option path '/etc/nftables.d/bridge.sh'
4. Reboot or run service firewall restart.
5. Run nft list ruleset to verify that both the bridge filter table (with the mark rule) and the fw4 rule matching the mark are present.
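As an added example that is not part of the original post, the script below automates step 5: it reads the text of nft list ruleset and checks that the two pieces of the recipe are both there, the bridge prerouting rule that sets the mark and a fw4 rule that rejects on that mark. The embedded sample rulesets are constructed, and the exact way nft and fw4 print these rules (zero-padded mark, chain and comment names) is an assumption; the grep patterns are deliberately loose so they accept either 0x1984 or 0x00001984. The file name check_ruleset.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the nftables ruleset
# contains both halves of the recipe. Run on the router as
#   nft list ruleset > /tmp/rs.txt && sh check_ruleset.sh /tmp/rs.txt
# or  sh check_ruleset.sh --self-test  to exercise the constructed samples.
# The printed form of the rules below is an assumption about nft/fw4 output.

# Return 0 if a bridge filter table marks frames that arrive on the restricted
# AP interface (step 2), 1 otherwise.
check_bridge_mark() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -q 'table bridge filter' || return 1
    printf '%s\n' "$ruleset" | grep -Eq 'iifname "no-internet" meta mark set 0x0*1984' || return 1
    return 0
}

# Return 0 if the fw4 table has a rule that rejects packets carrying the mark
# (step 3), 1 otherwise.
check_fw4_reject() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -q 'table inet fw4' || return 1
    printf '%s\n' "$ruleset" | grep -Eq 'meta mark 0x0*1984 .*reject' || return 1
    return 0
}

# Both checks must pass; a missing mark rule means the fw4 rule never fires and
# the restricted clients keep their Internet access.
check_ruleset() {
    check_bridge_mark "$1" && check_fw4_reject "$1"
}

# Constructed sample approximating `nft list ruleset` after step 4 succeeded.
SAMPLE_OK='table bridge filter {
    chain prerouting {
        type filter hook prerouting priority dstnat; policy accept;
        iifname "no-internet" meta mark set 0x00001984
    }
}
table inet fw4 {
    chain forward_lan {
        meta mark 0x00001984 oifname "wan" counter jump reject_to_wan comment "!fw4: block-no-internet"
    }
}'

# Constructed sample for the failure mode where the include script did not run
# (e.g. kmod-nft-bridge missing): fw4 rule present, but nothing sets the mark.
SAMPLE_MISSING_MARK='table inet fw4 {
    chain forward_lan {
        meta mark 0x00001984 oifname "wan" counter jump reject_to_wan comment "!fw4: block-no-internet"
    }
}'

if [ "${1:-}" = "--self-test" ]; then
    check_ruleset "$SAMPLE_OK" && echo "sample ruleset: OK"
    check_ruleset "$SAMPLE_MISSING_MARK" || echo "sample without bridge table: incomplete (expected)"
elif [ -n "${1:-}" ]; then
    if check_ruleset "$(cat "$1")"; then
        echo "ruleset OK: bridge mark rule and fw4 reject rule found"
    else
        echo "ruleset incomplete: check steps 0, 2 and 3"
        exit 1
    fi
fi
```

The check only confirms that the rules are loaded; it does not prove the mark survives the bridge-to-route path on a given kernel, so a quick end-to-end test from a client on the restricted SSID (a ping to an external address should fail while a ping to the router still works) is still worth doing once.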
References
https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_mark
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes_2203_and_later_with_fw4