My OpenWrt router (a much-loved TP-Link WDR4300) has a WPS button. Let's make it a little more useful than just sitting there doing nothing.

I have a guest network on my router. It is password protected (WPA2), bandwidth-limited, isolated from the internal network, all the yada-yadas. But when I give the passphrase to the neighbour, I can't trust them NOT to pass it on to others. Let's make that sharing more difficult: on top of the passphrase, only devices I have explicitly approved with a press of the WPS button get forwarded beyond the router.

root@wrt:~# cat /etc/iptables-macs.db
# one MAC per line; anything after it is free text
aa:bb:cc:dd:ee:ff this is my own mac address so I still connect on this interface!
de:ad:be:ef:f0:0d this is another one

ca:fe:ca:fe:ca:fe Fri Nov 24 11:37:13 -02 2017 added by wps button
root@wrt:~# cat /etc/iptables-macs.cfg
GUEST_IFACE=wlan0-1
FW_CHAIN=forwarding_rule
MAC_DB=/etc/iptables-macs.db
root@wrt:~# cat /etc/firewall.user
source /etc/iptables-macs.cfg
# Rebuilt on every firewall reload: flush the chain, let the known MACs fall
# through to the normal forwarding rules (RETURN) and drop everybody else.
iptables -F $FW_CHAIN
while read mac etc; do
    # skip blank lines and comments in the database
    case "$mac" in ""|\#*) continue;; esac
    iptables -A $FW_CHAIN -i $GUEST_IFACE -m mac --mac-source "$mac" -j RETURN
done < $MAC_DB
iptables -A $FW_CHAIN -i $GUEST_IFACE -j DROP
root@wrt:~# cat /etc/hotplug.d/button/buttons
#!/bin/sh
source /etc/iptables-macs.cfg
if [ "$BUTTON" = "wps" ]; then
    if [ "$ACTION" = "pressed" ]; then
        # MACs that got a DHCP lease on the guest interface, newest first
        macs=$(logread | grep "DHCPACK($GUEST_IFACE)" | grep -o "[a-f0-9:]\{17\}" | sed '1!G;h;$!d')
        if [ -n "$macs" ]; then
            echo "$macs" | while read mac; do
                # already in the database? (it may have been typed in upper case)
                grep -qi "^$mac" $MAC_DB && continue
                logger iptables-macs: ADD MAC $mac
                # RETURN, exactly like firewall.user: an ACCEPT here would skip the
                # guest-zone rules (isolation, limits) that come after this chain
                iptables -I $FW_CHAIN -i $GUEST_IFACE -m mac --mac-source "$mac" -j RETURN
                echo "$mac $(date) added by wps button" >> $MAC_DB
            done
        else
            logger iptables-macs: no recent unknown MAC found.
        fi
    fi
else
    logger the button was $BUTTON and the action was $ACTION # this is just so if you have other buttons you can make actions here
fi
root@wrt:~#

Now, if you can read a little shell script, this is very simple. In firewall.user I add a rule that DROPs all forwarded traffic coming in on the guest interface, preceded by one RETURN rule per MAC in my database, so approved devices fall through to the regular guest-zone rules and everybody else is dropped. The button script only works because dnsmasq logs the client's MAC in a DHCPACK line after it has handed out a lease: by the time I press the button the device has already associated with the guest network and has an IP address, and the script just picks those MACs out of logread. Devices with static IPs never produce a DHCPACK, so they have to be put in the iptables-macs file by hand. Two things to keep in mind: a single press authorises every MAC still in the logread buffer that is not yet in the database, not only the device that connected last, so check the "ADD MAC" lines in the log if other unknown clients were around at the time; and a MAC address is trivially spoofed, so this raises the cost of sharing the passphrase rather than replacing it with real access control.
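To show the log-parsing half of the button handler on its own, here is an added example (not the post's own script, and nothing below is the router's real output): the same grep/sed pipeline written as functions that work on text passed in, so it runs offline, plus a database lookup that tolerates blank lines, "#" comments and upper-case entries. The log lines and the database are constructed; the interface name wlan0-1 is the one from the post. It goes one step beyond the post in that newest_unknown_mac picks out only the device that most recently got a lease instead of every unknown MAC in the buffer, which is a design choice of this example, not something the original script does.

```shell
#!/bin/sh
# Added example (not the post's own script): the MAC-extraction half of the
# WPS button handler as functions operating on text, so it can be run offline.
# The log lines and the database below are constructed sample data.

GUEST_IFACE=wlan0-1

# Constructed logread output: one lan lease that must be ignored, one known
# guest device, two unknown guest devices, and a lease renewal for one of them.
SAMPLE_LOG='Fri Nov 24 11:30:01 2017 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0-1) 192.168.2.10 aa:bb:cc:dd:ee:ff mylaptop
Fri Nov 24 11:31:05 2017 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0) 192.168.1.20 11:22:33:44:55:66 desktop
Fri Nov 24 11:35:40 2017 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0-1) 192.168.2.11 ca:fe:ca:fe:ca:fe neighbour-phone
Fri Nov 24 11:36:12 2017 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0-1) 192.168.2.12 00:11:22:33:44:55 tablet
Fri Nov 24 11:37:02 2017 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0-1) 192.168.2.11 ca:fe:ca:fe:ca:fe neighbour-phone'

# Constructed database in the post's format: MAC first, free text after it.
# Blank lines and "#" comments are tolerated and the MAC's case is ignored.
SAMPLE_DB='# devices allowed to forward through the guest interface
AA:BB:CC:DD:EE:FF this is my own mac address

'

# dhcp_macs LOGTEXT IFACE: MACs from DHCPACK lines for IFACE, newest first,
# each MAC listed once (a renewal would otherwise list a device twice).
dhcp_macs() {
    # the sed one-liner reverses the lines (oldest log line comes first);
    # the awk keeps only the first, i.e. newest, occurrence of each MAC
    printf '%s\n' "$1" |
        grep "DHCPACK($2)" |
        grep -o '[a-f0-9:]\{17\}' |
        sed '1!G;h;$!d' |
        awk '!seen[$0]++'
}

# known_mac MAC DBTEXT: succeeds if MAC is in the first column of the database,
# ignoring case, blank lines and comment lines.
known_mac() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $1 != "" && $1 !~ /^#/ && tolower($1) == tolower(m) { found = 1 }
        END { exit !found }'
}

# unknown_macs LOGTEXT IFACE DBTEXT: newest-first list of leased MACs that are
# not yet in the database (what the post's handler would add on a press).
unknown_macs() {
    dhcp_macs "$1" "$2" | while read -r mac; do
        known_mac "$mac" "$3" || printf '%s\n' "$mac"
    done
}

# newest_unknown_mac LOGTEXT IFACE DBTEXT: only the device that got a lease
# most recently, for a stricter "one press, one device" policy.
newest_unknown_mac() {
    unknown_macs "$1" "$2" "$3" | head -n 1
}

# Stand-alone run: what a press at this point would authorise.
printf 'would add: %s\n' "$(newest_unknown_mac "$SAMPLE_LOG" "$GUEST_IFACE" "$SAMPLE_DB")"
```

On the router you would feed the functions `"$(logread)"` and `"$(cat $MAC_DB)"` instead of the sample strings. Note that the sample deliberately contains a renewal for ca:fe:ca:fe:ca:fe and a lan-side lease on wlan0: the first must not be listed twice and the second must not show up at all, which is exactly what the interface match in the grep and the awk dedup guarantee.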

I hope it saves you some time writing your own scripts.
