Iptables Equivalent For Mac


Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 4429 Location: Akershus, Norway Posted: Mon Aug 18, 2014 20:29 Post subject:

To have authentication on the wired ports, look into 802.1x.

garyd9 DD-WRT Novice Joined: 10 Aug 2014 Posts: 28 Posted: Mon Aug 18, 2014 23:13 Post subject:

As mentioned by a previous reply, without knowing exactly what it is you're trying to accomplish, it'll be really hard to help. 'limit' can mean a lot of things. Limit from the WAN access? Limit from talking to other ethernet clients?

Limit from watching porn?

scmcint2 DD-WRT Novice Joined: 21 Jan 2012 Posts: 19 Posted: Wed Aug 20, 2014 17:52 Post subject:

Hi all, sorry for the delay. I think I should have been more specific.

I'm looking to block clients from accessing both the wired and private (excluding guest) wireless networks unless they are a pre-allowed MAC address in the WLAN MAC filter tables. Part of the script that I have posted does throttle the speed for a certain host, and other parts assign different DNS servers (Google vs OpenDNS) to host ranges and WLAN segments (private vs guest). What I'm looking to do is to force the router to compare clients on Eth0 and Ath0 to the table, and block them if they are not on the list.

Eth0 - Wired
Ath0 - Wireless (Private)
Ath0.1 - Wireless (Guest)

I'm not familiar with 802.1x, how would I get DD-WRT to enforce that kind of policy?

garyd9 DD-WRT Novice Joined: 10 Aug 2014 Posts: 28 Posted: Wed Aug 20, 2014 18:41 Post subject:

So, clients that are using the ath0.1 interface should have no access to clients that are using the ath0 and eth0 interfaces?

Are all those interfaces bridged together? Should the clients on ath0 and eth0 be able to access the clients on ath0.1?

Code65536 DD-WRT User Joined: 28 Dec 2011 Posts: 97 Location: .us Posted: Wed Aug 20, 2014 18:48 Post subject:

MAC filters work on WLAN because the base station is actively involved in the communications to and from the client.

There is a reason why there is no such thing as a MAC filter for wired. It's a non-sensical concept to begin with!


You're talking about someone having physical plug-in access to your network. What you can do, however, is segment your LAN. Either a physically separate LAN or a separate VLAN for guests. Just not on a MAC-level.

Buffalo WZR-1750DHP: 34311 TRENDnet TEW-673GRU: 34311 TRENDnet TEW-811DRU: 33986

scmcint2 DD-WRT Novice Joined: 21 Jan 2012 Posts: 19 Posted: Fri Aug 22, 2014 20:35 Post subject:

I know that it sounds a bit nonsensical, but the point is that I want to be able to leave all the cable ports active so I can move devices around at will, but should someone bring a device that is unauthorized and decide to plug in, that the router would be able to filter/block those packets. In short, people do stupid things when they shouldn't, so I want this to be idiot proof.

It would be easier to use the WLAN table, because I have 30+ authorized devices, and it's simpler to maintain one table than several. So there is the script (previously mentioned) that accesses the table, but this was for previous versions of DD-WRT, and I don't know enough about the coding to modify it for the most current Brainslayer build, and someone also suggested something similar to below, but with a '9' in front of the chain:

'Insert them further down the chain, the 9 represents where in the chain to put it. iptables -I FORWARD 9 -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT'

Does anyone know what chain he is referring to (priority)?
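
The following shell function is an added example, not part of the thread and not the script the poster refers to: it prints (without running) the iptables commands for a MAC allowlist on br0, in the style of the rule quoted above. The chain name MACALLOW, the sample addresses, and the choice of a RETURN/DROP chain inserted at position 1 are assumptions.

```shell
#!/bin/sh
# Added example: print (not run) iptables commands for a LAN MAC allowlist.
# Chain name MACALLOW and the sample MACs are hypothetical/constructed.

# is_mac STR: succeeds if STR is six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules IFACE MAC...: print one iptables command per line.
# Returns 1 and prints nothing if no valid MAC was given, so an empty
# list can never produce a drop-everything ruleset.
gen_rules() {
    iface=$1; shift
    chain=MACALLOW
    rules="" seen=" " count=0
    for mac in "$@"; do
        if ! is_mac "$mac"; then
            echo "skipping invalid entry: $mac" >&2
            continue
        fi
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')     # normalise case
        case "$seen" in *" $mac "*) continue ;; esac   # drop duplicates
        seen="$seen$mac "
        count=$((count + 1))
        rules="${rules}iptables -A $chain -m mac --mac-source $mac -j RETURN
"
    done
    [ "$count" -gt 0 ] || return 1
    echo "iptables -N $chain"
    printf '%s' "$rules"
    # Anything from IFACE that did not match an allowed MAC is dropped.
    echo "iptables -A $chain -j DROP"
    # The number after the chain name is the 1-based rule position in
    # FORWARD; list the current positions with:
    #   iptables -L FORWARD -n --line-numbers
    echo "iptables -I FORWARD 1 -i $iface -j $chain"
}

# Constructed sample list: one duplicate and one malformed entry.
SAMPLE_MACS="00:11:22:33:44:55 aa:bb:cc:dd:ee:ff not-a-mac 00:11:22:33:44:55"
gen_rules br0 $SAMPLE_MACS
```

FORWARD only sees traffic the router routes, such as LAN to WAN; frames switched between LAN ports inside br0 normally never reach it, and a client can change its own MAC address.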