My openwrt router (a loved TP-Link WDR4300) has this WPS button. Let's make this a little more useful than just being there doing nothing.

I have a guest network on my router. It is password protected (WPA2), bandwidth-limited, internal network isolated, all the yada-yadas. When I give my passphrase to the neighbour, I can't trust it to NOT give it to others. Let's make this sharing more difficult.

root@wrt:~# cat /etc/iptables-macs.db
aa:bb:cc:dd:ee:ff this is my own mac address so I still connect on this interface!
de:ad:be:ef:f0:0d this is another one

ca:fe:ca:fe:ca:fe Fri Nov 24 11:37:13 -02 2017 added by wps button
root@wrt:~# cat /etc/iptables-macs.cfg

root@wrt:~# cat /etc/firewall.user
source /etc/iptables-macs.cfg
iptables -F $FW_CHAIN
while read mac etc; do
iptables -A $FW_CHAIN -i $GUEST_IFACE -m mac --mac-source $mac -j RETURN
done < $MAC_DB
iptables -A $FW_CHAIN -i $GUEST_IFACE -j DROP
root@wrt:~# cat /etc/hotplug.d/button/buttons
source /etc/iptables-macs.cfg
if [ "$BUTTON" = "wps" ]; then
if [ "$ACTION" = "pressed" ]; then
    macs=$(logread|grep "DHCPACK($GUEST_IFACE)"|grep -o "[a-f0-9:]\{17\}"|sed '1!G;h;$!d')
    if [ -n "$macs" ]; then
        echo "$macs"|while read mac; do
        grep -q "$mac" $MAC_DB && continue
          logger iptables-macs: ADD MAC $mac
          iptables -I $FW_CHAIN -i $GUEST_IFACE -m mac --mac-source $mac -j ACCEPT
         echo "$mac $(date) added by wps button" >> $MAC_DB
     logger iptables-macs: no recent unknown MAC found.
logger the button was $BUTTON and the action was $ACTION # this is just so if you have other buttons you can make actions here

Now, if you can read a little of shell script, this is very simple. I add a rule to DROP all forward connections coming from the guest interface and then just allow the MACs that are on my database. This only works here because the DHCP server logs the MAC address after it successfully gives an IP address, so this happens after when they are already connected and the IP address is given to them. Static IPs need to be put manually on the iptables-macs file.

Hope it can save you some time writing your own scripts.

Previous Post Next Post