What's new

MAC Filtering Implementation

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thorgear

Regular Contributor
Does anyone know if I can control Wireless MAC Filtering from a shell? I don't see it in iptables or wl.
 
Last edited:
That's a good idea, but I need to stop a specific device from connecting to the router or getting a DHCP lease. Iptables will only block access to the WAN side (Internet). That's why I asked how wireless MAC filtering is handled by the router.

Any other ideas?

Strong WPA2 password will keep wireless devices from being able to attach... and either put a WPA2 password on the Guest network, or disable it all together.

Problem solved.
 
what kind of device is handling the DHCP? most DHCP servers allow you to add MAC addresses to a block list so they don't get DHCP at all. but like sfx2000 said you need a strong WPA2 password as the device could still manually enter the address if needed and have access, but most AP software has a way to deny a set of MAC addresses from accessing wifi as well.
 
what kind of device is handling the DHCP? most DHCP servers allow you to add MAC addresses to a block list so they don't get DHCP at all. but like sfx2000 said you need a strong WPA2 password as the device could still manually enter the address if needed and have access, but most AP software has a way to deny a set of MAC addresses from accessing wifi as well.

And a 10 second google search will give someone the tools to spoof another MAC address so they can connect.
 
And a 10 second google search will give someone the tools to spoof another MAC address so they can connect.

True, true - so it's even more important to have strong wireless credentials, so they don't even get to that point where they can - yes, I do have technical knowledge, but a robust WPA2 passphrase is good enough for most - we won't talk about broken WPS schemes (e.g. Reaver and others), Friends don't let friends use WPS in any event...
 
Strong WPA2 password will keep wireless devices from being able to attach... and either put a WPA2 password on the Guest network, or disable it all together.
I disble my guest network. I'd rather not give a long boring explanation, but a strong password won't cut it. It's too easy to give the password away, and there are too many low-end users who don't know how to change their password. It might work with individual passwords, but RADIUS seems like massive overkill.

What kind of device is handling the DHCP? most DHCP servers allow you to add MAC addresses to a block list so they don't get DHCP at all.
It's an N66 running Merlin. DHCP is fine, but it's too easy to get around it by defining a static IP. In any case, that's not what I'm trying to accomplish.

Most AP software has a way to deny a set of MAC addresses from accessing wifi as well.
Exactly, that's why I asked how wireless MAC filtering is implemented. To block/unblock an address, I have to make six changes - three routers with both 2.4 and 5GHz. It's a pain in the butt, so I want to do it with scripting via SSH.

And a 10 second google search will give someone the tools to spoof another MAC address so they can connect.
Agreed, but my users aren't sophisticated enough to do that. And if they are, then God bless them, let them use my Internet. I'll catch them eventually.

We won't talk about broken WPS schemes (e.g. Reaver and others), Friends don't let friends use WPS in any event...
My first two rules of IT: No repeaters and no WPS. ":)

I'm trying to accomplish one thing here: Stop users from having devices that hang off my APs sucking up DHCP addresses. I'm already using iptables to block Internet access. The easiest way to do it is with wireless MAC filtering.
 
The easiest way to do it is with wireless MAC filtering.

the easiest way is to put in a strong WPA2 passphrase, and not share it with devices/people you don't trust.

MAC filters are a waste of time/energy better spent on other things.
 
the easiest way is to put in a strong WPA2 passphrase, and not share it with devices/people you don't trust.
There are 33 users on the network, all of whom are trustworthy. And yet, the password has leaked out. It's inevitable. I can't keep changing the password because many of the users don't know how to change the password on their devices, and I don't want to have to change it for them.

MAC filters are a waste of time/energy better spent on other things.
The MAC filtering is working great, and it's the easiest way to handle my problem. I just need a better way to make the changes.

Do you know how to control wireless MAC filtering from the shell?
 
There are 33 users on the network, all of whom are trustworthy. And yet, the password has leaked out. It's inevitable. I can't keep changing the password because many of the users don't know how to change the password on their devices, and I don't want to have to change it for them.

Uhm, at least one isn't (trustworthy). :)
 
The solution is easy. I don't know why I didn't think of it sooner. For Merlin, wireless MAC filtering is controlled through the nvram.

For 2.4, the MACS are in wl0_maclist and wl0_maclist_x. For 5.0, the MACS are in wl1_maclist and wl1_maclist_x. wl_maclist and wl_maclist_x are involved too, but I'm not sure how yet.

Thanks all for your help.
 
Do you know how to control wireless MAC filtering from the shell?
The MAC filtering is controlled by some nvram variables that are read by the wireless drivers when they are started. Unfortunately, the format of these vars has changed between firmware levels, so you need to follow the format for the level you are running.

You can see the vars by

nvram show | grep maclist
only the ones starting with wl0, wl1 or wl2 matter (the wl ones are used internally by the gui). Vars like wl0.1, wl1.1 are the guest networks....depending on the firmware these may be able to be set separately or they may just take on the same values as the base radios, wl0 and wl1.

nvram show | grep macmode
as you might expect this sets the enable/disable, accept/reject mode.

You can manually change these following the same format using 'nvram set', then follow up with an 'nvram commit' and a 'service restart_wireless'
 
Similar threads
Thread starter Title Forum Replies Date
sfx2000 ESP32 - WiFI MAC design concepts (Open Source) General Wi-Fi Discussion 1

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top