I'm installing a RUT955 at a remote location, where the LAN port is extended outside of the building for operational reasons (up a 60 ft tower).
My security guy doesn't like the idea, as if the external device was removed, an attacker has Ethernet access to a LAN port.
I know I can do funky things with DHCP and iptables, e.g. if the network was a /24 I could make the router .1, the external unit a static lease .254 with a DHCP pool of 1 IP, then block .2 to .253 with iptables so only one IP/MAC gets a valid DHCP lease. But what I would like to do is have MAC address filtering on the LAN so only the specific external device, with its correctly assigned IP, can go anywhere upstream beyond .1.
I appreciate the captive portal has potential to do some blocking, but in the event of a router restart there's going to be no way for the external unit to submit login credentials.
If I cannot MAC filter on the LAN, what's the best way to lock the LAN ports down so only 1 external device gets upstream access, please?
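
An added example, not part of the original post: a dry-run shell function that prints iptables rules binding upstream forwarding to one MAC/IP pair on the LAN, as the question describes. The interface name `br-lan`, the chain name `LAN_LOCK`, and the sample MAC and IP are assumptions; nothing is applied to the firewall.

```shell
#!/bin/sh
# Added example: emit (not apply) iptables rules that let a single MAC/IP
# pair arriving on the LAN interface be forwarded upstream; every other
# LAN source is dropped. Interface, chain name and sample values are assumed.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# lan_lockdown_rules <lan-interface> <allowed-mac> <allowed-ip>
lan_lockdown_rules() {
    lan_if=$1 mac=$2 ip=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
    # Only FORWARD is touched: traffic to the router itself (DHCP, the .1
    # address) still goes through INPUT, and replies from upstream arrive
    # on the WAN side, so they never match "-i <lan-interface>".
    cat <<EOF
iptables -N LAN_LOCK
iptables -A LAN_LOCK -m mac --mac-source $mac -s $ip -j RETURN
iptables -A LAN_LOCK -j DROP
iptables -I FORWARD 1 -i $lan_if -j LAN_LOCK
EOF
}

# Constructed sample values: review the printed rules before applying them.
lan_lockdown_rules br-lan 00:11:22:33:44:55 192.168.1.254
```

The rule matches on a source MAC and IP pair; it identifies the device by address and does not authenticate it.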