Emerging Member
Posts: 71
Registered: 12-19-2016
Kudos: 5
Accepted Solution

EdgeRouter restrict remote access to a particular MAC address

I have created a rule on my firewall to allow port 80, 443 access so I can remotely connect to my ER. This works fine.

I would like to secure it now to only certain MAC addresses - yes, I know MAC addresses can be spoofed - but every additional layer makes it a little more secure. I would like to lock it down to my cell phone, tablet and work computer; since the IP addresses for these devices change all the time, locking the source to an IP address doesn't seem viable.

The moment I put any MAC address in the Source MAC field, it blocks all access irrespective of whether the MAC is valid or not. Are there any other ways to restrict remote access to MAC addresses?

Accepted Solutions
Member
Posts: 182
Registered: 01-25-2017
Kudos: 45
Solutions: 14

Re: EdgeRouter restrict remote access to a particular MAC address

The Edge Router will not see your device MACs on its WAN port since everything is routed, just the MAC of your gateway. That's why it won't work and blocks all access. If you want better security than just IP filtering, then you might need to use a VPN.

KuoH

@HawkI wrote:

The moment I put any MAC address in the Source MAC field, it blocks all access irrespective of whether the MAC is valid or not. Are there any other ways to restrict remote access to MAC Addresses?



All Replies
Emerging Member
Posts: 71
Registered: 12-19-2016
Kudos: 5

Re: EdgeRouter restrict remote access to a particular MAC address

Config

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "allow ping"
            log disable
            protocol icmp
        }
        rule 31 {
            action accept
            description "Allow Remote Management"
            destination {
                port 80,443
            }
            log enable
            protocol tcp
            source {
                mac-address 68:db:XX:XX:XX:XX
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id xxxxxxxxx
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface switch0
    wan-interface pppoe0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.244
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service custom-noip {
                    host-name x
                    login x
                    password ****************
                    protocol noip
                    server dynupdate.no-ip.com
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name EdgeRouterX
    login {
        user xxxxxxx {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "Lawrence Viljoen"
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    static-host-mapping {
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

Emerging Member
Posts: 71
Registered: 12-19-2016
Kudos: 5

Re: EdgeRouter restrict remote access to a particular MAC address

@kuoh wrote:

The Edge Router will not see your device MACs on its WAN port since everything is routed, just the MAC of your gateway. That's why it won't work and blocks all access. If you want better security than just IP filtering, then you might need to use a VPN.

KuoH

Thanks - makes sense.

I have seen a few posts on OpenVPN - is that generally the most popular route?

Member
Posts: 182
Registered: 01-25-2017
Kudos: 45
Solutions: 14

Re: EdgeRouter restrict remote access to a particular MAC address
I haven't tried Open VPN with Ubiquiti yet, but it depends on how serious you need the security to be. We're not dealing with government or medical installations, so I just used the built-in PPTP server with local user authentication and good passwords.

KuoH

@HawkI wrote:

I have seen a few posts on OpenVPN - is that generally the most popular route?

Emerging Member
Posts: 71
Registered: 12-19-2016
Kudos: 5

Re: EdgeRouter restrict remote access to a particular MAC address

@kuoh wrote:

I haven't tried Open VPN with Ubiquiti yet, but it depends on how serious you need the security to be. We're not dealing with government or medical installations, so I just used the built-in PPTP server with local user authentication and good passwords.

KuoH

Not serious at all - I think the PPTP server option will be fine - thanks for pointing me in the correct direction.

New Member
Posts: 27
Registered: 03-29-2017
Kudos: 5

Re: EdgeRouter restrict remote access to a particular MAC address

I'm having this issue myself now. My question is: if restricting to MAC address won't work, why is there an option to put in the MAC address?

Regular Member
Posts: 656
Registered: 06-27-2016
Kudos: 230
Solutions: 30

Re: EdgeRouter restrict remote access to a particular MAC address

@avifinkel wrote:

I'm having this issue myself now. My question is: if restricting to MAC address won't work, why is there an option to put in the MAC address?

It works for local devices, not remote. Has to be on the same LAN segment.
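The routed-hop behaviour kuoh describes in the accepted answer, and the "same LAN segment" point in the reply above, as an added Python model that is not part of this thread: every router on the path replaces the Ethernet header, so a WAN_LOCAL rule keyed on the phone's MAC can only match when the phone sits directly on switch0. All MAC and IP addresses below are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str      # Ethernet header: rewritten at every routed hop
    dst_mac: str
    src_ip: str       # IP header: carried end to end (NAT ignored in this model)
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Router:
    name: str
    ingress_mac: str  # MAC of the interface that receives the frame
    egress_mac: str   # MAC of the interface that forwards it onward


# Constructed sample addresses (locally administered MACs, documentation IPs).
PHONE_MAC = "02:00:5e:00:00:01"
EDGEROUTER_WAN_MAC = "02:00:5e:00:00:ee"
EDGEROUTER_LAN_MAC = "02:00:5e:00:00:ef"
CELL_GATEWAY = Router("cellular gateway", "02:00:5e:00:00:10", "02:00:5e:00:00:11")
ISP_EDGE = Router("ISP edge router", "02:00:5e:00:00:20", "02:00:5e:00:00:21")


def forward(frame: Frame, path: list[Router], destination_mac: str) -> Frame:
    """Carry a frame across L3 hops. Each router discards the Ethernet header it
    received and writes a new one with its own egress MAC as the source."""
    for i, router in enumerate(path):
        next_hop = path[i + 1].ingress_mac if i + 1 < len(path) else destination_mac
        frame = replace(frame, src_mac=router.egress_mac, dst_mac=next_hop)
    return frame


def rule31_matches(frame: Frame, allowed_macs: set[str]) -> bool:
    """Same match as the thread's WAN_LOCAL rule 31: tcp to 80/443 from an allowed source MAC."""
    allowed = {m.lower() for m in allowed_macs}
    return frame.dst_port in (80, 443) and frame.src_mac.lower() in allowed


def frame_arriving_on_wan() -> Frame:
    """Phone on the cellular network reaching the router's public address via two routed hops."""
    sent = Frame(PHONE_MAC, CELL_GATEWAY.ingress_mac, "203.0.113.7", "198.51.100.9", 443)
    return forward(sent, [CELL_GATEWAY, ISP_EDGE], EDGEROUTER_WAN_MAC)


def frame_arriving_on_lan() -> Frame:
    """Same phone plugged into switch0: no router in between, so its own MAC survives."""
    return Frame(PHONE_MAC, EDGEROUTER_LAN_MAC, "192.168.1.120", "192.168.1.1", 443)


if __name__ == "__main__":
    for label, frame in (("WAN", frame_arriving_on_wan()), ("LAN", frame_arriving_on_lan())):
        print(f"{label}: source MAC seen {frame.src_mac}, rule 31 matches: {rule31_matches(frame, {PHONE_MAC})}")
```

Run as a script it shows the WAN frame carrying the upstream router's MAC rather than the phone's, which is why the rule drops every remote connection while accepting the same phone on the LAN side.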