Asuswrt-Merlin 3.0.0.4.372.30_2

Mac Filter Enabled on Guest Network??

I recently upgraded from 270.26b to 372.30_3. I didn't notice any issue until my cousin tried to access the wifi guest network and got denied. He had no problem accessing the guest network wifi before the upgrade. After doing further troubleshooting, it seems the guest network is using the wireless MAC filter that I set up for my main wifi. Is there a way to disable the MAC filter being used by the guest network?

Other than that great work RMerlin!!!
 
@ratudio, I know this will get some folks all excited, but I never understood the feeling that MAC filtering should be used. It is too easy to find out what a connected MAC is and then spoof it if someone wants into your network. I put MAC filtering up there with hiding the SSID as a waste from a wireless security standpoint. I know there are some who do not feel this way, but I think the majority of folks who study wireless security feel as I do.
 
Hi, I got some questions regarding that subject, since I use both hidden SSID and MAC filter.

Let's say that my client doesn't keep broadcasting what SSID it tries to connect to. Well then, the one who tries to connect can't, since he doesn't know which SSID to use. Next, if you don't know which SSID someone uses, then you don't know which machines are trying to connect to it (more than one hidden SSID AP), so then the MAC filter is good as well. Please clarify if I'm all wrong so that I can skip MAC filtering and hidden SSID. Better solutions are welcome.
 
@infamy, SSID is very easy to find. Just install, as an example, inSSIDer on a Windows machine. It will tell you the SSID of any hidden network within range. The problem is, hiding just stops the beacon from being broadcast. There are 4 other packets that contain the SSID that must be used for the wireless connection, and these are all unencrypted. So finding your SSID is a piece of cake, so to speak. Also, Windows machines do not take kindly to hiding the SSID, and it can cause connection problems, though not as severe with Windows 7 and 8.
As for MAC filtering, again there are a number of tools, such as Kismet, that will grab the wireless traffic and can be used to break out the MAC, as the MAC is not encrypted. Once the MAC is known you just have to configure the machine to spoof the found MAC, and again folks can connect.

The real way to keep your wireless network secure is to use WPA2 with a good security key (not something easily guessed and not words). This makes it hard to connect even if I know your SSID, etc.
As you know, MAC filtering can cause issues as well. Best for guest access is to ensure that the guest wireless does not have access to anything on your local network and can access the Internet only. That is the normal default for guest.
Hope this helps.
--bill
 
Hidden SSID and MAC filtering are useless security mechanisms. With hidden SSID, the SSID is hidden in beacons, but still disclosed in probes and association requests and responses, so it is easy for anyone watching the traffic to get it.

As for MAC filtering it's easy to just watch all traffic in the air, get the MAC address of a client and use the same for your machine.

We have a fairly secure mechanism in WPA2, why not use it instead of relying on other broken mechanisms?
 
Hi, thanks, yep, that helps. Does MAC filtering consume any power from the router, same with hiding the SSID? If not, then WPA2 and the additional will improve security, I suppose. Yes, I have had some issues with hidden SSID, but no biggies, so I have kept it. MAC filtering, though, surprises me. This should improve security in my world, but then that is only an opinion. Regular users do not have NICs that can switch MAC, so even if they would somehow crack my WPA key they won't access my network.
This is a very interesting subject, though. The routers could be so much safer if MAC filtering and the hidden SSID feature would be enhanced, I think.
Big thanks for the answer though.
 
Regular users do not have NICs that can switch MAC

Almost every NIC in use over the last probably 5-10 years is able to do this (temporarily) through the driver. I haven't encountered a single NIC that couldn't do this.

On Linux it's simply (as root):

ifconfig <nic> hw ether <new mac>

On Windows there are various utilities.
 
So in other words, I should just downgrade back to before, where the guest network does not use your primary wifi MAC filter? My understanding of the guest network is that it saves you the hassle of entering a MAC address into the white list every time a new guest wants to use your wifi. I just provide them the SSID and a long password.
 
Merlin, I have an RT-AC66U and have loaded your latest build 3.0.0.4.372.30_2. I've noticed that HW Acceleration is enabled even when I also have IPV6 enabled, which is new in this version. However, this causes my system log to constantly log the following:

Jul 7 19:56:34 kernel: printk: 145 messages suppressed.
Jul 7 19:56:34 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:56:41 kernel: printk: 5 messages suppressed.
Jul 7 19:56:41 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:56:45 kernel: printk: 24 messages suppressed.
Jul 7 19:56:45 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:56:50 kernel: printk: 19 messages suppressed.
Jul 7 19:56:50 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:56:54 kernel: printk: 38 messages suppressed.
Jul 7 19:56:54 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:57:00 kernel: printk: 629 messages suppressed.
Jul 7 19:57:00 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:57:04 kernel: printk: 7 messages suppressed.
Jul 7 19:57:04 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:57:10 kernel: printk: 332 messages suppressed.
Jul 7 19:57:10 kernel: protocol 0000 is buggy, dev eth0
Jul 7 19:57:14 kernel: printk: 178 messages suppressed.
Jul 7 19:57:14 kernel: protocol 0000 is buggy, dev eth0

If I manually disable HW Acceleration, these entries stop completely. For now, I have just left HW Acceleration disabled, since I want to leave IPV6 enabled. I just wanted to let you know about this in case anyone else runs into the same issue.

In case anyone else runs into this issue, clearing NVRAM and rebuilding all my settings fixed the issue and I can now have both IPV6 and CTS enabled with no errors flooding my log.

I knew I should have tried clearing NVRAM as a first step, but I have a large number of static DHCP assignments and didn't want to rebuild that list. I finally relented and it solved my problems. :cool:
 
I'd like to repeat that WPA2/AES is much more secure than a "hidden" SSID and MAC address filtering could ever be. There's no point in doing either for security, let alone enhancing them. Use WPA2/AES with a good passphrase, and you're as secure as you can be, and forget the rest.
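Why the passphrase is the part that matters in WPA2-Personal, shown as an added example that is not part of the original thread: the key is derived from the passphrase with the SSID as a public salt (PBKDF2-HMAC-SHA1, 4096 iterations), so auditing the passphrase is the useful check. The word list, the 80-bit threshold, the SSID `HomeNet` and the function names are assumptions made for this sketch.

```python
import hashlib
import math
import string

# Constructed sample list; a real audit would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "internet", "guest", "router", "wifi"}
MIN_BITS = 80  # assumed audit threshold, not a value from the thread


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal pairwise master key (PBKDF2-HMAC-SHA1)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    # The SSID is only the salt: it is public, so hiding it adds no secrecy.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def max_entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming every character was picked at random."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation + " ")
    alphabet = sum(len(p) for p in pools if any(c in p for c in passphrase))
    return len(passphrase) * math.log2(alphabet)


def audit_passphrase(passphrase: str, ssid: str) -> list:
    """Return reasons a passphrase is weak; an empty list means none found."""
    findings = []
    lowered = passphrase.lower()
    if any(word in lowered for word in COMMON_WORDS):
        findings.append("contains a dictionary word")
    if ssid and ssid.lower() in lowered:
        findings.append("contains the SSID")
    if max_entropy_bits(passphrase) < MIN_BITS:
        findings.append("below %d bits even if fully random" % MIN_BITS)
    return findings


if __name__ == "__main__":
    for candidate in ("guestwifi2013", "q7Zp!vR2m#Xk9tLw4@Hd"):  # constructed
        print(candidate, audit_passphrase(candidate, "HomeNet"))
    print(wpa2_pmk("q7Zp!vR2m#Xk9tLw4@Hd", "HomeNet").hex())
```

The character-pool figure is an upper bound only, which is why the dictionary and SSID checks run separately: a passphrase built from words scores far lower in practice than its length suggests.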
 
Every little thing helps. Security isn't all on or all off, it's lots of little layers on top of one another. Access lists stop the casual neighbor or person in the street from just hopping onto your LAN or using your WAN - someone who doesn't have the knowledge or inclination to start probing your network and will go and steal someone else's bandwidth.

For those that do, there are more security features such as WPA2, encryption, long pass phrases, etc. Access restrictions are just a first pass to weed out the most basic form of intruder.
 
MAC white lists only stop the tragically undereducated who cannot spend 5 seconds googling on their smartphones... i.e. the people who cannot put 5 seconds into scanning the airwaves for your computer's data packets flying around, finding your system MAC inside them, copying and cloning it onto their system... and using your LAN. If a neighbor is in a position to need to bandwidth thieve, a MAC list will inconvenience them for about the amount of time it takes to cook a 1 minute egg.

It is insanely easy on any unix system to clone MAC numbers... AAMOF one of my old coworkers refused to pay $5/month for a second device to be authorized at the workplace LAN; I shot him 2 b@sh commands to clone MACs and he was up and running.
 
Would just like to thank Merlin for all his work and describe my experiences so far.

I recently bought the N66u (upgraded from an E3200) and I started with the 372.30_2 build. I started experiencing problems I hadn't had before after flashing. The wifi would be flaky, the internet connection would drop, and my phone would have trouble maintaining its wifi connection (something I've never experienced with it). I gave it some time and tweaked settings, cleared NVRAM, rebooted modem and router, but it was overall unstable. I decided to move back to the 270.26b today and have had none of the issues from before. I am very happy with this build currently and will stick with it until I feel that urge to tweak some more!

Thanks again!
 
372.30_2 uses the exact same wireless driver as 270.26b.
 
I tried the upgrade over the weekend and had to back-level back to the latest beta. I couldn't get my keys to re-apply in openvpn.
 
Web filtering

Hey Merlin, any chance you will add web filtering for a specific PC to the firmware? I love what you have done with it, but I'm in desperate need of web filtering. Maybe this can be done now and I'm missing it. Just wondering. :D
 
I tried the upgrade over the weekend and had to back-level back to the latest beta. I couldn't get my keys to re-apply in openvpn.

Make sure you went with 372.30_2. Also, TAP mode is already known to be broken, and I'm too busy with work to look into it these days (I just worked 20+ hours this past weekend).

Also note that keys must be smaller than 4096 bits now. I had to limit the size of the fields to 3000 characters in a fix to prevent buffer overruns at the nvram level.
 
Hey Merlin, any chance you will add web filtering for a specific PC to the firmware? I love what you have done with it, but I'm in desperate need of web filtering. Maybe this can be done now and I'm missing it. Just wondering. :D

No plan to do per PC filtering at this time. Would involve a LOT of work to implement.
 
Merlin, you are awesome, I'm not picking on the fact that things don't work and I'm upset. I totally realize what it is like to have a hobby (with responsibilities) and a real job. I'll tell you one thing, I will be donating some funds to you real soon.
 
First of all, thanks RMerlin for all your great work. I have a quick question. Did you change any of the WINS or Master Browser options? In the past, if I checked these boxes under the USB server miscellaneous configuration area, I could resolve devices on my workgroup by hostname. Since I have upgraded I no longer seem to be able to do this.

Thanks again for your hard work.

Edit: I do see the following in the log:

Jul 15 12:40:28 nmbd[854]: [2013/07/15 12:40:28, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(392)
Jul 15 12:40:28 nmbd[854]: Samba name server FEENAH is now a local master browser for workgroup YS on subnet 192.168.1.1
 