MAC Filter Options

[Tech9]

on the FRITZ!Box

I can't give you personalized instructions for an unknown device. FRITZ!Box is a product brand, not a model. AVM manufactures many different FRITZ!Box branded home gateways. In case you prefer DMZ way - quick search shows AVM uses "Exposed Host" term instead of more common DMZ. Instructions online how to use it. In case you prefer Port Forwarding way - check the User Manual for your specific model FRITZ!Box gateway. Instructions online perhaps available as well.

 

[TheLyppardMan]

every randomized MAC will need to be added for access.

Or just tell the one trying to use randomised MAC to provide the real MAC or else no access.

 

[TheLyppardMan]

Or just tell the one trying to use randomised MAC to provide the real MAC or else no access.

This has been my standard practice up until now.

I've actually found another use for MAC filtering as well. I've decided to give the Dual Band Smart Connect feature ago to see if it solves the problem I've had with devices on the 2.4 GHz band being unable to communicate with those on the 5 GHz band. But to use that, there are some devices I either need or want to keep on the 5 GHz band (static devices like my printer, the Windows tablet monitoring the live stream from my outdoor camera and my Amazon Fire TV Sticks), so I've set the MAC filters to deny mode and added all the devices I want to stay on 5 GHz to the 2.4 GHz Mac filter. That still allows mobile devices like laptops, mobile phones, etc, to use the Smart Connect feature. So far it's working well.

 

[Paliv]

This has been my standard practice up until now.

I've actually found another use for MAC filtering as well. I've decided to give the Dual Band Smart Connect feature ago to see if it solves the problem I've had with devices on the 2.4 GHz band being unable to communicate with those on the 5 GHz band. But to use that, there are some devices I either need or want to keep on the 5 GHz band (static devices like my printer, the Windows tablet monitoring the live stream from my outdoor camera and my Amazon Fire TV Sticks), so I've set the MAC filters to deny mode and added all the devices I want to stay on 5 GHz to the 2.4 GHz Mac filter. That still allows mobile devices like laptops, mobile phones, etc, to use the Smart Connect feature. So far it's working well.

I tried to use the wireless Mac filter to prevent a couple devices to not connect to the 2.4 GHz but they still did anyway. Hopefully you have better luck.

 

[TheLyppardMan]

I tried to use the wireless Mac filter to prevent a couple devices to not connect to the 2.4 GHz but they still did anyway. Hopefully you have better luck.

If you could provide a bit more information then someone might be able to offer an explanation. For example, were you using the accept or reject option for the MAC Filters and had you ensured that the devices were not using randomised MAC? Using the MAC filters for this purpose has so far worked for me for my one device that I have to lock to a set band or else it interrupts the live feed from my security camera.

 

[Paliv]

I was using reject on the 2.4 band because I had two devices that kept switching even though the 5 GHz band had better performance even with a weaker signal. So I put those two devices on the MAC reject list for 2.4 GHz band,. Neither device has MAC randomization. One is an XBOX One my kids use in their toy room sometimes and one was a Fire TV Stick 4K Max. The XBOX somehow eventually ended up on the 2.4 GHz band anyway. I've since just separated the bands again.

 

[Weblee2407]

On the asus you add the known mac addresses to the "Accept" list. Unknown devices can't connect.
Same thing - a slightly different way.
But, like I said, if you're doing this for security it's pointless.

Is it possible to load the MACs from the dhcp static list so you don't have to add the MACs one by one?

 

[Ripshod]

Is it possible to load the MACs from the dhcp static list so you don't have to add the MACs one by one?

When the devices are connected they'll appear in a drop down list on the MAC filter pages. Connect first, then filter.

 

[Paul1942]

Mac Address filtering is too much friction. I like to allow any between 8am and 9pm. Then add allow exceptions for devices that are allowed outside the default. If you want exception you have to use static mac.
If only the GUI would allow adding a default ....

My solution is to add drop rule to the end of the parental chain. Unfortunately this requires me ssh in and add the rules whenever they get updated.
iptables -A PControls -i br0 -m time --timestart 08:00:00 --timestop 21:00:00 --kerneltz -j ACCEPT
iptables -A PControls -i br0 -j DROP

Anyone know how to make this permanent?

ZenWiFi_XT8:/tmp/home/root# iptables -nvL PControls --line-numbers
Chain PControls (6 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC 04:F7:78:10:C0:A4
...
15 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 TIME from 08:00:00 to 21:00:00
16 0 0 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0

 

[ColinTaylor]

Anyone know how to make this permanent?

Assuming you're using Merlin's firmware you would use a firewall-start user script.

User scripts

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com