[SOLVED] Mac Address Filter Limit?

alienx2

Regular Contributor
Hi, I'm using an Asus AC66U. Is there a way to increase the MAC address filter limit to 128, or to more than 64? (Either web UI or telnet.)
 
No. I tried, and it didn't work, probably because of a hardcoded limit within the wireless driver.
 
How about dnsmasq? Like this:
Code:
config 'host'
    option 'name' 'mobilitymac'
    option 'mac' '99:88:77:66:55:44'
    option 'ip' '192.168.1.104'
 

I think it's 64 clients - and that's to protect the MAC layer on the WiFi chipsets from running out of internal memory on the wifi chip itself in worst case conditions.

The WiFi chipset needs to track all STAs associated with it - so it's reasonable that Broadcom and Asus limit the range to 64 at the core, as devices might jump from band to band.

There are vendors that do a hard limit - Apple says up to 50 on their AC1900 class devices as an example... the chipsets could obviously do more, esp. considering how generous Apple was with memory on their APs...
 
I see. Any suggestion of something that can handle hundreds of devices accessing the internet from an allowed list, instead of MAC addresses? @RMerlin @ColinTaylor
For such needs, you'll want a more advanced product with Radius-based security.

Sent from my P027 using Tapatalk
 
My "Juglar Parental Control", includes a:

Timed-Releasable IP-MAC client white list

(I don't know how to link my post here, but you can find it by searching for that exact phrase in this forum).

From its included code (in the firewall-start user script), you can extract the idea to implement just the white list of IP-MAC pairs for the whole LAN (not just the WIFI LAN).

It requires that each client is assigned a unique pre-defined IP address. You can achieve it with "Manually Assigned IP around the DHCP list (Max Limit : 128)", in the webui / LAN page, and, for the rest over 128, by manually configuring each assigned IP on the clients themselves, if they allow it.

It uses ipsets (fast to process), within iptables, and it could hold thousands of IP-MAC address pairs (clients).

For example, I extract a sample here with three clients:

Code:
  ### ipset initialization, valid for all the restrictions:
modprobe xt_set # load set if not already  # Necessary to provide match-set extension.

ipset create IpToMac_S bitmap:ip,mac range 192.168.1.0/24   #create the set, for 24-bit IP address common prefix
ipset add IpToMac_S 192.168.1.2,00:16:6F:5F:00:00 #AnaTosh
ipset add IpToMac_S 192.168.1.3,CC:73:14:06:00:00 #AnaX6
ipset add IpToMac_S 192.168.1.8,00:1F:3B:B0:00:00  #JjHp2
  # Insert in main FORWARD chain a rejecting rule for clients not matching previous IpToMac_S set:
iptables -I FORWARD -i br0 -m set ! --match-set IpToMac_S src,src -j REJECT # or jump to another chain, if you want to add a special treatment.

You should adjust the IP address common prefix (/24) to your needs.

It doesn't block them from accessing the WIFI, but it does block them from accessing the internet, which could be dissuasive enough.

Could it be useful to you?
 
@Juglar I need to test this method soon. Is this method limited to 128 devices, or does it handle more than 128 devices?
 

The ipset allows up to about 65 thousand. I suppose other aspects will limit it before that, not least your patience configuring the clients!
 

@Juglar What do I type to list them? Is it "ipset list"? And how do I remove the whole list after I've added entries to it?

If using a VPN/proxy, will it not work?
 

Yes, ipset list.

ipset flush # deletes the entries of all sets
ipset destroy # deletes all the sets.

You can also flush or destroy just a specific set.

More and detailed info:

http://ipset.netfilter.org/ipset.man.html

I bet it will work with VPN/Proxy, but I'm not 100% sure. You could try and tell us.
 
@Juglar I'm running an AC66U but it's giving an error:
Code:
modprobe: module xt_set not found in modules.dep
ipset v4.5: Couldn't load settype `bitmap:ip,mac':File not found

It looks like your firmware composition lacks some module. I'm sorry that I'm not enough of an expert to know how to correct it. I suppose many people in this forum could help you, as I believe that it is a very standard procedure that I have read in several scripts published in this forum, and I seem to remember there were some other alternative procedures. Apart from specifically asking for it, you can search for "xt_set" and you could find those alternative procedures.

Also, if your version is old, maybe newer versions include those missing modules or extensions: you could try updating.

Also, I seem to remember that in recent versions the settype bitmap:mac was added, so you could filter directly on MAC instead of needing to ensure fixed IP-MAC associations, which could make a large configuration much simpler.

You can share your progress to help others.

Good luck!
 
@Juglar I found the solution for ipset v4.5 & iptables 1.4 on old routers like the AC66U or N66U:
Code:
ipset --create IpToMac_S macipmap --network 192.168.1.0/24   #create the set, for 24-bit IP address common prefix
ipset --add IpToMac_S 192.168.1.2,00:16:6F:5F:00:00 #AnaTosh
ipset --add IpToMac_S 192.168.1.3,CC:73:14:06:00:00 #AnaX6
ipset --add IpToMac_S 192.168.1.8,00:1F:3B:B0:00:00  #JjHp2
  # Insert in main FORWARD chain a rejecting rule for clients not matching previous IpToMac_S set:
iptables -I FORWARD -i br0 -m set ! --match-set IpToMac_S src,src -j REJECT # or jump to another chain, if you want to add a special treatment.

You don't need to add "modprobe xt_set".
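An added example, not code from the thread or from Juglar's script, that serves both Juglar's ipset 6 snippet and the ipset 4.5 macipmap variant above: it builds the IpToMac_S commands from a plain whitelist file and refuses a malformed IP or MAC rather than silently leaving that client out of the set. The file layout ("IP MAC comment" per line), the /24-only prefix check, the IPSET_SYNTAX switch and the temp file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the whitelist set from a file and emit
# the commands that Juglar's snippet and alienx2's ipset-4.5 variant run by hand.
# Assumptions: file lines are "IP MAC comment"; LAN is a /24; bridge is br0.
LAN_PREFIX="192.168.1.0/24"   # 24-bit common prefix as in the thread; adjust to your LAN
SET_NAME="IpToMac_S"
LAN_IF="br0"
IPSET_SYNTAX="${IPSET_SYNTAX:-new}"   # new = ipset 6 bitmap:ip,mac, old = ipset 4.5 macipmap
# 0 if $1 is a colon-separated 48-bit MAC, the only form accepted in the set.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}
# 0 if $1 is a dotted IPv4 address inside the /24 of LAN_PREFIX; the set refuses others.
in_lan_prefix() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$1" in "${LAN_PREFIX%.*/*}".*) return 0 ;; esac
    return 1
}

# Print the create/add/iptables commands for the whitelist file $1.
# A malformed line aborts instead of silently leaving that client out of the set.
gen_whitelist_cmds() {
    count=0
    if [ "$IPSET_SYNTAX" = old ]; then
        echo "ipset --create $SET_NAME macipmap --network $LAN_PREFIX"; add="ipset --add"
    else
        echo "ipset create $SET_NAME bitmap:ip,mac range $LAN_PREFIX"; add="ipset add"
    fi
    while read -r ip mac comment; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        valid_mac "$mac" || { echo "bad MAC '$mac' for $ip" >&2; return 1; }
        in_lan_prefix "$ip" || { echo "$ip is outside $LAN_PREFIX" >&2; return 1; }
        echo "$add $SET_NAME $ip,$mac  # $comment"
        count=$((count + 1))
    done < "$1"
    # Any (src IP, src MAC) pair not in the set is refused forwarding, as in the thread.
    echo "iptables -I FORWARD -i $LAN_IF -m set ! --match-set $SET_NAME src,src -j REJECT"
    echo "# $count whitelisted clients" >&2
}

# Constructed sample whitelist with the thread's three clients.
SAMPLE="${TMPDIR:-/tmp}/whitelist.$$"
cat > "$SAMPLE" <<'EOF'
# IP            MAC                 comment
192.168.1.2     00:16:6F:5F:00:00   AnaTosh
192.168.1.3     CC:73:14:06:00:00   AnaX6
192.168.1.8     00:1F:3B:B0:00:00   JjHp2
EOF
gen_whitelist_cmds "$SAMPLE"
```

Pipe the output into sh on the router (or paste it into firewall-start) once it reads correctly; set IPSET_SYNTAX=old for the ipset 4.5 builds.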
 

@alienx2

Ok. I'm not sure of the syntax for the first line, but glad that you have found the solution, and thanks for sharing.

So, does it serve your purpose? How many MACs can you filter?
 