Menu
What's new
By:
Filters Better Search

MAC Filtering Implementation

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thorgear

Thorgear

Regular Contributor
Does anyone know if I can control Wireless MAC Filtering from a shell? I don't see it in iptables or wl.
 
Last edited:
Thorgear said:
That's a good idea, but I need to stop a specific device from connecting to the router or getting a DHCP lease. Iptables will only block access to the WAN side (Internet). That's why I asked how wireless MAC filtering is handled by the router.

Any other ideas?
Click to expand...

Strong WPA2 password will keep wireless devices from being able to attach... and either put a WPA2 password on the Guest network, or disable it all together.

Problem solved.
 
what kind of device is handling the DHCP? most DHCP servers allow you to add MAC addresses to a block list so they don't get DHCP at all. but like sfx2000 said you need a strong WPA2 password as the device could still manually enter the address if needed and have access, but most AP software has a way to deny a set of MAC addresses from accessing wifi as well.
 
Mokers said:
what kind of device is handling the DHCP? most DHCP servers allow you to add MAC addresses to a block list so they don't get DHCP at all. but like sfx2000 said you need a strong WPA2 password as the device could still manually enter the address if needed and have access, but most AP software has a way to deny a set of MAC addresses from accessing wifi as well.
Click to expand...

And a 10 second google search will give someone the tools to spoof another MAC address so they can connect.
 
L&LD said:
And a 10 second google search will give someone the tools to spoof another MAC address so they can connect.
Click to expand...

True, true - so it's even more important to have strong wireless credentials, so they don't even get to that point where they can - yes, I do have technical knowledge, but a robust WPA2 passphrase is good enough for most - we won't talk about broken WPS schemes (e.g. Reaver and others), Friends don't let friends use WPS in any event...
 
sfx2000 said:
Strong WPA2 password will keep wireless devices from being able to attach... and either put a WPA2 password on the Guest network, or disable it all together.
Click to expand...
I disble my guest network. I'd rather not give a long boring explanation, but a strong password won't cut it. It's too easy to give the password away, and there are too many low-end users who don't know how to change their password. It might work with individual passwords, but RADIUS seems like massive overkill.

Mokers said:
What kind of device is handling the DHCP? most DHCP servers allow you to add MAC addresses to a block list so they don't get DHCP at all.
Click to expand...
It's an N66 running Merlin. DHCP is fine, but it's too easy to get around it by defining a static IP. In any case, that's not what I'm trying to accomplish.

Most AP software has a way to deny a set of MAC addresses from accessing wifi as well.
Click to expand...
Exactly, that's why I asked how wireless MAC filtering is implemented. To block/unblock an address, I have to make six changes - three routers with both 2.4 and 5GHz. It's a pain in the butt, so I want to do it with scripting via SSH.

L&LD said:
And a 10 second google search will give someone the tools to spoof another MAC address so they can connect.
Click to expand...
Agreed, but my users aren't sophisticated enough to do that. And if they are, then God bless them, let them use my Internet. I'll catch them eventually.

sfx2000 said:
We won't talk about broken WPS schemes (e.g. Reaver and others), Friends don't let friends use WPS in any event...
Click to expand...
My first two rules of IT: No repeaters and no WPS. ":)

I'm trying to accomplish one thing here: Stop users from having devices that hang off my APs sucking up DHCP addresses. I'm already using iptables to block Internet access. The easiest way to do it is with wireless MAC filtering.
 
Thorgear said:
The easiest way to do it is with wireless MAC filtering.
Click to expand...

the easiest way is to put in a strong WPA2 passphrase, and not share it with devices/people you don't trust.

MAC filters are a waste of time/energy better spent on other things.
 
sfx2000 said:
the easiest way is to put in a strong WPA2 passphrase, and not share it with devices/people you don't trust.
Click to expand...
There are 33 users on the network, all of whom are trustworthy. And yet, the password has leaked out. It's inevitable. I can't keep changing the password because many of the users don't know how to change the password on their devices, and I don't want to have to change it for them.

MAC filters are a waste of time/energy better spent on other things.
Click to expand...
The MAC filtering is working great, and it's the easiest way to handle my problem. I just need a better way to make the changes.

Do you know how to control wireless MAC filtering from the shell?
 
Thorgear said:
There are 33 users on the network, all of whom are trustworthy. And yet, the password has leaked out. It's inevitable. I can't keep changing the password because many of the users don't know how to change the password on their devices, and I don't want to have to change it for them.
Click to expand...

Uhm, at least one isn't (trustworthy). :)
 
The solution is easy. I don't know why I didn't think of it sooner. For Merlin, wireless MAC filtering is controlled through the nvram.

For 2.4, the MACS are in wl0_maclist and wl0_maclist_x. For 5.0, the MACS are in wl1_maclist and wl1_maclist_x. wl_maclist and wl_maclist_x are involved too, but I'm not sure how yet.

Thanks all for your help.
 
Thorgear said:
Do you know how to control wireless MAC filtering from the shell?
Click to expand...
The MAC filtering is controlled by some nvram variables that are read by the wireless drivers when they are started. Unfortunately, the format of these vars has changed between firmware levels, so you need to follow the format for the level you are running.

You can see the vars by

nvram show | grep maclist
only the ones starting with wl0, wl1 or wl2 matter (the wl ones are used internally by the gui). Vars like wl0.1, wl1.1 are the guest networks....depending on the firmware these may be able to be set separately or they may just take on the same values as the base radios, wl0 and wl1.

nvram show | grep macmode
as you might expect this sets the enable/disable, accept/reject mode.

You can manually change these following the same format using 'nvram set', then follow up with an 'nvram commit' and a 'service restart_wireless'
 
You must log in or register to reply here.

Similar threads

D
Kid's wi-fi network with Guest Network Pro - How do I enable content filtering?
Replies
1
Views
408
dissonance79
D
TheLyppardMan
MAC Filter Options
2
Replies
29
Views
2K
ColinTaylor
C
C
RT-AX86U 3004.388.8_2 . pet feeder app cannot connect to wifi why?
Replies
6
Views
482
Aiadi
A
S
Is there good VPN tunnel plain DNS filtering software for Windows?
Replies
2
Views
248
SDF07S
S
R
New device accessing network with various MAC addresses on used IP address
Replies
14
Views
3K
drinkingbird
drinkingbird
Similar threads
Thread starter Title Forum Replies Date
sfx2000 ESP32 - WiFI MAC design concepts (Open Source) General Wi-Fi Discussion 1

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 794 (members: 14, guests: 780)
Top