how to -Ethernet- Mac address whitelist asus built in firmware


neednetworking

Occasional Visitor
I have an rt-ac 3100. I need a deterrent to non-authorized devices using both wifi and ethernet. I know there is a wifi mac filter whitelist which would be perfect, except it only applies to wifi. I need something that also applies to ethernet. Basically, I'd like to be able to go in and say allow this mac address and it would allow the device to connect to the network/internet. All unknown mac addresses would not be allowed. Any ideas?

I have one, but would like a better one.
----------
Here is my current best idea:
set dhcp range to = the exact same # of trusted mac addresses
assign static ip to each trusted mac ip in dhcp
make sure there are no extra unassigned IPs in the range.

If a new client tries to join that doesn't already have a dhcp reservation it will not be able to join since the dhcp range is fully assigned.

Limitations:
max 64 reservations (which is actually too small.. wish it was about 100)
I know someone could manually assign an ip, I am not too concerned, this is a deterrent, not Fort Knox.
I haven't yet tested the above, I don't know if it would work.
----------

Does someone have a better idea or implementation idea for me?
 
I have an rt-ac 3100. I need a deterrent to non-authorized devices using both wifi and ethernet. I know there is a wifi mac filter whitelist which would be perfect, except it only applies to wifi. I need something that also applies to ethernet.

Curious… why ethernet? Are you trying to allow some ethernet-attached devices to access the router/internet but prevent others? Is the router providing DHCP or do you have another device on your LAN handling that? Or are you trying to allow-disallow incoming traffic?

AiProtection > Parental controls might give you some or all of what you need. It really depends on what you're trying to do.

If what you are concerned about is an outsider piggy-backing on your WiFi you could whitelist all of your known-good clients, then all others would be automatically rejected.

If you are concerned about unauthorized access to your physical hardwired network and plug-ins, that's a facilities issue, like "get better locks and better doors".
 
Curious… why ethernet? Are you trying to allow some ethernet-attached devices to access the router/internet but prevent others? Is the router providing DHCP or do you have another device on your LAN handling that? Or are you trying to allow-disallow incoming traffic?

AiProtection > Parental controls might give you some or all of what you need. It really depends on what you're trying to do.

If what you are concerned about is an outsider piggy-backing on your WiFi you could whitelist all of your known-good clients, then all others would be automatically rejected.

If you are concerned about unauthorized access to your physical hardwired network and plug-ins, that's a facilities issue, like "get better locks and better doors".

Yes, ethernet and wifi blocking is desired so the device, whether wired or wireless, can't do anything at all (on LAN or WAN).
Yes, the router is providing DHCP.
Part of the issue is we have a wireless access point that is ethernet-ed (if I can use that word) to the Asus. So all wifi clients on that WAP appear to be ethernet clients. So I need a low-security way to inconvenience/block those as well. The WAP doesn't have mac address filtering built in.

A mac address filter whitelist would be perfect ... but it would need to work for both ethernet and wifi clients.
 
It is not possible to do what you want with your current devices. The AP is effectively behaving like a switch which is connected to a single LAN port on your router. The router has no ability to filter access to the LAN by MAC address on a single port. The only solution I can think of is for you to insert another switch in between the AP and the router that supports MAC based ACL's.
 
Yes, ethernet and wifi blocking is desired so the device, whether wired or wireless, can't do anything at all (on LAN or WAN).
Yes, the router is providing DHCP.
Part of the issue is we have a wireless access point that is ethernet-ed (if I can use that word) to the Asus. So all wifi clients on that WAP appear to be ethernet clients. So I need a low-security way to inconvenience/block those as well. The WAP doesn't have mac address filtering built in.
It sounds like your entire network is behind a single port to the router, as are many. Mine is hybridized, some goes through a single port but some goes through WiFi.
  • If the WAP is the unit providing DHCP you might try whitelisting there; or
  • If the final router is the unit providing DHCP you might try whitelisting there.
This will work for LAN/WAN on devices accessing the ASUS via WiFi.
This will only work for WAN on devices accessing the ASUS via Ethernet.

To try the idea I was putting forward go to: AiProtection > Parental controls > Time Scheduling. There you can select Disable/Time/Block by MAC address. Assuming the ASUS is the router handling DHCP that should work—but only for WAN access if the target device is (a) hardwired to the LAN, or (b) coming to the router via hardwire from a remote WAP.

A WiFi device going to the LAN/WAN via WiFi to the DHCP server can be utterly isolated using this method, no LAN / no WAN. I personally use this to cut some WiFi devices from any form of access to the LAN/WAN via the router, but the router is the WAP.

For the devices that come to the router via the single port through a dumb switch, they are denied WAN access but still have LAN access. Using this you can use [Block] to deny any hardwired device on your LAN access to the Internet (WAN), but not the LAN.

Can the WAP host a Guest Network? If so, does the WAP have any denial capabilities? If so you could deny your WiFi devices at the WAP.

If you want to deny a device access to the WAN and LAN, why not just air gap it in the first place? I'm sure you have very good reasons for doing what you're doing, but at first blush it appears needlessly complicated. It's kind of like, why is there a separate WAP? Is it for range?

Sky
 
It sounds like your entire network is behind a single port to the router, as are many. Mine is hybridized, some goes through a single port but some goes through WiFi.
  • If the WAP is the unit providing DHCP you might try whitelisting there; or
  • If the final router is the unit providing DHCP you might try whitelisting there.
This will work for LAN/WAN on devices accessing the ASUS via WiFi.
This will only work for WAN on devices accessing the ASUS via Ethernet.

To try the idea I was putting forward go to: AiProtection > Parental controls > Time Scheduling. There you can select Disable/Time/Block by MAC address. Assuming the ASUS is the router handling DHCP that should work—but only for WAN access if the target device is (a) hardwired to the LAN, or (b) coming to the router via hardwire from a remote WAP.

A WiFi device going to the LAN/WAN via WiFi to the DHCP server can be utterly isolated using this method, no LAN / no WAN. I personally use this to cut some WiFi devices from any form of access to the LAN/WAN via the router, but the router is the WAP.

For the devices that come to the router via the single port through a dumb switch, they are denied WAN access but still have LAN access. Using this you can use [Block] to deny any hardwired device on your LAN access to the Internet (WAN), but not the LAN.

Can the WAP host a Guest Network? If so, does the WAP have any denial capabilities? If so you could deny your WiFi devices at the WAP.

If you want to deny a device access to the WAN and LAN, why not just air gap it in the first place? I'm sure you have very good reasons for doing what you're doing, but at first blush it appears needlessly complicated. It's kind of like, why is there a separate WAP? Is it for range?

Sky

Thanks much, Sky, for taking time to reply.

I will look into the aiprotection as a means of blocking. However, I seem to remember one unfortunate limitation of aiprotection is that it relies on a blacklist only. Not a whitelist. In other words, I need to know the exact mac address of the device in order to block it. I was hoping for a solution whereby I could say these x number of devices are whitelisted, and any UNKNOWN devices are blocked.

The dhcp is handled on the asus.
The wap unfortunately doesn't have any mac filtering.. it's for range extending. Also in this scenario it is not possible to switch it out for a different model.

You mentioned wan only blocking if ethernet/wifi traffic is coming in on a single port to the asus. That is the case. And wan only blocking would probably be good enough. LAN blocking is not much of a concern. This is all just to be a deterrent, so if no wan is available that would be enough to probably cause people to not use it.
 
Thanks much, Sky, for taking time to reply.

I seem to remember one unfortunate limitation of aiprotection is that it relies on a blacklist only. Not a whitelist.
Correct, whitelisting is limited to Wireless > Wireless MAC Filter. You could consider setting up a (another?) Guest Network as an alternative. A realistic assessment of what you actually need to accomplish vs. want to accomplish may be in order, as in:
  • What am I protecting
  • Why am I protecting it
  • What sorts of threats are realistically likely
If you're running a how-to-hack school you may not be protecting much, but the threat level could be extreme if talent presents. If you're trying to keep the kids off the internet… different story. If you're trying to keep from being pwned for a bot net, keeping the FW updated should do that for all practical and realistic scenarios.

In the end, security is like speed. The old hot rodders' Q&A applies:
"How fast can I go?"
"How much money do you have?"

or…
"How secure can I be?"
"How much money do you have?"
 
I had an idea I wanted to run by you.

What if I set the dhcp range to be only, say, 10 addresses, and I create 10 dhcp reservations/assignments. This would mean the dhcp server on the asus would not have any free addresses to hand out to connecting clients. Wouldn't that in effect be like a whitelist? Since the range is only those that have a reservation based on a mac address I typed in, there are no dhcp addresses free for unknown mac addresses..
 
I had an idea I wanted to run by you.

What if I set the dhcp range to be only, say, 10 addresses, and I create 10 dhcp reservations/assignments. This would mean the dhcp server on the asus would not have any free addresses to hand out to connecting clients. Wouldn't that in effect be like a whitelist? Since the range is only those that have a reservation based on a mac address I typed in, there are no dhcp addresses free for unknown mac addresses..
Isn't this exactly the same thing you proposed in post #1?
 
I had an idea I wanted to run by you.

What if I set the dhcp range to be only, say, 10 addresses, and I create 10 dhcp reservations/assignments. This would mean the dhcp server on the asus would not have any free addresses to hand out to connecting clients. Wouldn't that in effect be like a whitelist? Since the range is only those that have a reservation based on a mac address I typed in, there are no dhcp addresses free for unknown mac addresses..

What about manually assigning IPs, then using traditional QoS to limit a range to nothing? I'm sure that would deter people too lol.
 
Hm, interesting.. Is it possible to do QoS based on mac address?

Yep. But you can't select a range that way. No real whitelist I don't believe, which is why I suggested by IP range, which is something asus added in later firmware. But you can indeed put the mac of the ethernet device and set the limit to 0. I think lol. Let me know if it works. But remember people can change their mac. But you can bind an ip to macs that you authorize and they will have to be savvy enough to clone it, which will boot your authorized device offline. With an ip range that would be the only way to get a connection then. And it's probably easier and less problematic to set a range that way than a 10-device range with dhcp.
 
1.5 years later....

Just bought an Asus RT-AX86U Wifi 6 Router and installed Merlin to get more features and guess what - disappointed.

As written in this thread I was looking for a time based mac address whitelist.
This is possible on fresh tomato firmware for many routers like the RT-AC68 (which I don't have).
But I owned older routers and loved this function.

WHY ?

My 11-year-old son is addicted to the internet and has a very high hacker potential.
Network: central Router - and 3 Access Points

Attempt 1: Amazon Kindle Fire with kids control software
Son found out: disable wifi, enable wifi, search, configuration, add new user, age 18
Then we sold the tablet and bought an iPad instead

Attempt 2: Separate Kids wifi which disappears at 20:00 / 8pm
Workaround 1: Son used an old notebook as Access point. Notebook connected via LAN, and opened a hotspot for him. Worked for months.

Attempt 3: Separate Kids wifi && Notebook was confiscated
Workaround 2: within an Apple family group you can share Wifi passwords. Every time one of our devices was unlocked for longer than 2 sec, our son connected to our adult wifi and confirmed password sharing on our device.
THAT'S WHY GUEST / KIDS WIFI WILL NEVER WORK !!!!

Attempt 4: Blacklisting MAC addresses of kids devices
worked a while until - a nice feature of iOS and Android: private MAC addresses to avoid tracking
= MAC address spoofing. iPad generates a new MAC address every week and we were wondering why he wanted to go to bed so early - and all those new devices I found on my router and couldn't find a hint via MAC address vendor lists.

Attempt 5: Whitelisting MAC addresses of our innocent devices
Including Alexas, Sonos speakers, smart plugs, ... ~ 40-50 devices - a loooooooot of work !
Wife accidentally deleted the whitelist when she wanted to disable the internet lock -> marriage crisis
I had to research and re-enter all the 40-50 MAC addresses again. Now I backup the router configuration every single time I enter a new MAC address.
THIS SOLUTION STILL WORKS SO FAR !

Oh boy - all this costs so much energy!

Conclusion:
- A MAC address whitelist on the central router allows our innocent devices internet 24/7
- all other devices lose internet connection at 20:00 / 8pm (at best) no matter where he gets any new devices from
- unfriendly devices (son) are blocked from internet until 19:00 / 7pm - unless he did his homework, then we can manually change the time. And when he negotiates getting 45min internet and starts his homework then - then internet is disabled at that time automatically.
- only downside is that it is complicated in the router / fresh tomato GUI to login, change time every time - but muuuuch better than real router interfaces like Mikrotik hex S or Ubiquiti Edgerouter X - I wish I could access this setting via API Call. Then I would write an app which is more accepted by wife.

I WISH ASUS OR MERLIN INCLUDE A TIME BASED MAC ADDRESS WHITELIST IN THEIR ROUTER FIRMWARE - FOR ALL NETWORK DEVICES, NOT JUST WIFI CONNECTED DEVICES.
 
I WISH ASUS OR MERLIN INCLUDE A TIME BASED MAC ADDRESS WHITELIST IN THEIR ROUTER FIRMWARE - FOR ALL NETWORK DEVICES, NOT JUST WIFI CONNECTED DEVICES.
It does.

The issue the OP had was that he wanted to block access to the LAN as well as the internet. From what I can make out you're only concerned with internet access. So in theory you should be able to use the white list and scheduling options under Parental Controls > Time Scheduling.

N.B. I've never actually tried to do this myself as I have no need.
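The wish above (a time-based MAC whitelist for every LAN device, wired or wireless, not only WiFi clients) and the Parental Controls > Time Scheduling reply describe the same control. As an added example that is not code from this thread or from the Asuswrt-Merlin project, the script below builds that whitelist with iptables in the style of a Merlin /jffs/scripts/firewall-start hook; it assumes the WAN interface name is passed as the first argument, that the LAN bridge is br0, and that the router's iptables has the mac and time matches (all assumptions, not verified on any specific firmware build).

```shell
#!/bin/sh
# Added example, not from the thread or from the Merlin project: an internet
# (WAN) whitelist for all LAN devices, wired or wireless, with a curfew window.
# Assumptions: run from Merlin's /jffs/scripts/firewall-start with the WAN
# interface as $1, LAN bridge br0, and iptables built with the mac and time
# matches. LAN-to-LAN traffic is switched and never enters FORWARD, so only
# internet access is controlled, and a spoofed MAC bypasses it (as the thread
# notes for iOS/Android private addresses).

WHITELIST="aa:bb:cc:00:00:01 aa:bb:cc:00:00:02"   # constructed sample MACs
CURFEW_START="20:00"   # unknown devices lose WAN from here...
CURFEW_STOP="07:00"    # ...until here (window crosses midnight)
CHAIN="MACWL"

# Print the iptables commands rather than running them, so the rule set can be
# reviewed first (pipe the output into sh to apply it).
gen_rules() {
  wan_if="$1"
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  # Remove any earlier jump before inserting: firewall-start can run repeatedly.
  echo "iptables -D FORWARD -i br0 -o $wan_if -j $CHAIN 2>/dev/null"
  echo "iptables -I FORWARD -i br0 -o $wan_if -j $CHAIN"
  # Whitelisted MACs return to the normal FORWARD path at any hour.
  for mac in $WHITELIST; do
    echo "iptables -A $CHAIN -m mac --mac-source $mac -j RETURN"
  done
  # Everything else is dropped during the curfew; two rules cover midnight.
  echo "iptables -A $CHAIN -m time --kerneltz --timestart $CURFEW_START --timestop 23:59:59 -j DROP"
  echo "iptables -A $CHAIN -m time --kerneltz --timestart 00:00 --timestop $CURFEW_STOP -j DROP"
}

# Number of generated commands that touch the whitelist chain (sanity check:
# 3 chain/jump lines + one RETURN per MAC + 2 curfew DROP rules).
count_chain_rules() { gen_rules "$1" | grep -c "$CHAIN"; }

# Apply the rules only when explicitly asked, e.g. APPLY_RULES=1 ./script eth0
if [ "${APPLY_RULES:-0}" = "1" ]; then
  gen_rules "$1" | sh
fi
```

Run it once without APPLY_RULES to read the generated rules; devices not in WHITELIST keep LAN access and daytime internet, and lose internet only inside the curfew window.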
 
[rotfl] Look on the bright side: your son has an assured future as a network security researcher. Keep challenging him, and don't feel that bad about it when you lose a round.
 
You could… try using an old CPU or a good pro-sumer NAS, or an R-PI to handle both DHCP and DNS. Or just DNS. Then lock down the DNS server—hard. Mess it up and you could have another marital crisis, but get it right and you could rock his world. OTH, onboarding DNS won't kill the hotspot-tethering thing.

Personally I'd probably try feigning defeat, getting closer to my son, spending time together observing weak spots and fencing there, remembering fences are only fancy guard rails. Problem is, he has 24/7/365 to work on this and you have to earn a living, please wife, provide, sleep(?), etc. @tgl is right, he's on path for a great career.
 
Or, you can just put the networking equipment in a secure area and do the non-hackable thing below.

 
Or, you can just put the networking equipment in a secure area and do the non-hackable thing below.
Well, yes… you could do that. :D
 
I have an rt-ac 3100. I need a deterrent to non-authorized devices using both wifi and ethernet. I know there is a wifi mac filter whitelist which would be perfect, except it only applies to wifi. I need something that also applies to ethernet. Basically, I'd like to be able to go in and say allow this mac address and it would allow the device to connect to the network/internet. All unknown mac addresses would not be allowed. Any ideas?

I have one, but would like a better one.
----------
Here is my current best idea:
set dhcp range to = the exact same # of trusted mac addresses
assign static ip to each trusted mac ip in dhcp
make sure there are no extra unassigned IPs in the range.

If a new client tries to join that doesn't already have a dhcp reservation it will not be able to join since the dhcp range is fully assigned.

Limitations:
max 64 reservations (which is actually too small.. wish it was about 100)
I know someone could manually assign an ip, I am not too concerned, this is a deterrent, not Fort Knox.
I haven't yet tested the above, I don't know if it would work.
----------

Does someone have a better idea or implementation idea for me?
For something at the ethernet level, you may be better off building or purchasing a device and using pfSense or OPNsense, as they can do per-device authorization and specific firewall rules can be set up. Most consumer routers do not really have that kind of functionality in the ethernet portion.