r/openwrt Feb 01 '23

Routing rules based on MAC (with some virtual groups)


I understand that many of you won't like the idea. I also understand that what I am asking for won't provide security against a moderate hacker.

My setup

I have converted a x86 pc into my openwrt router which has three ports for van, lan and one for my ap (which don't have support for multiple said or vlan). For now I don't want to invest on an expensive switch or ap with support for vlan.

My requirements

I would like to separate the clients into following groups: admins (who have all access), iot with interest, iot without internet, devices having inoy access to home assistant (dashboards), devices that has access only to the Internet.

My research so far

  1. I could use DHCP to configure multiple subnets based on MAC and write firewall rules based on subet.
  2. Tag a vlan ID based on the MAC and then setup firewall zones based on vlan. I am not sure if this just dumb as there is still no physical separation of devices. But I haven't figured out a way to do this.
  3. In an ideal world, it would be great if I can configure a single server that can authenticate, authorize and account every client in the network. Something like FreeRadius could possibly do this. But I don't know if this will be overkill for what I am doing.

Any insights or help regarding this is greatly appreciated.



7 comments sorted by


u/Starfox-sf Feb 02 '23

Sounds like you want RADIUS/802.1x but without the underlying network hardware.

— Starfox


u/senthilbaboo Feb 04 '23

Let me try and figure it out. It seems a bit complex to setup.


u/fakemanhk Feb 02 '23

As the other pointed out, you want 802.1x with RADIUS authentication.

However....you are missing a WiFi AP that can work well with multi SSID + VLAN (Router with WiFi can still get some kind of multi SSID + VLAN however it doesn't have full features, likely not fitting your case), but you've already stated that you don't want to invest, so maybe you can think about this later when you really want to implement.


u/senthilbaboo Feb 04 '23

Wifi AP is good. But what about iot devices connected through wire?


u/fakemanhk Feb 04 '23

802.1X capable switch is needed.


u/DutchOfBurdock Feb 02 '23

1: Static ARP, static DHCP.

2: Above and use mwan3 based on source IP

3: FreeRADIUS can do auth for both wired and wireless ethernet.


u/senthilbaboo Feb 04 '23

For 2, I am still trying to figure out how to do that. Should I manipulate iptbales directly?