MAC Filtering not denying access

DD-WRT Forum Index -> Broadcom SoC based Hardware
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Fri Oct 04, 2019 19:51    Post subject: MAC Filtering not denying access
I have 3 Netgear R6700v3 routers running Kong r40270M software.

All 3 are in 'Gateway' mode, though only one is acting to the WAN (with DHCP), with the other 2 connected to the WAN-facing Gateway, acting as Wifi extenders.

I have a list of 40+ MAC addresses entered with the "Permit only clients listed to access..." mode on both wl0 and wl1.

All 3 routers have the same list of allowed MAC addresses.
All 3 use WPA2-PSK/AES security and that is being enforced properly of course.

Lately, I have noticed that wireless devices are able to access my network even if they are not on the permitted list.

Note that each of the routers has a pair of guest networks created using virtual interfaces (wl0.1 and wl1.1 for 2.4GHz and 5GHz respectively) -- and there is no MAC filtering set up (or seemingly even possible on such virtual interfaces). Note though that the wireless devices are connecting to the primary wl0 and wl1 networks where MAC filtering is enabled. So, I assume that the virtual interfaces are not at issue here.

Stumped at why this is happening.

Any suggestions?
tli
DD-WRT User


Joined: 06 Mar 2019
Posts: 65

PostPosted: Fri Oct 04, 2019 21:08    Post subject: MAC Filtering
Just an FYI: https://www.zdnet.com/article/the-six-dumbest-ways-to-secure-a-wireless-lan/
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Sun Oct 06, 2019 6:16    Post subject: Re: MAC Filtering
tli wrote:
Just an FYI: https://www.zdnet.com/article/the-six-dumbest-ways-to-secure-a-wireless-lan/


I am aware... but I use it to track hardware...

Would be helpful if you could answer my question...
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

PostPosted: Tue Oct 08, 2019 2:01    Post subject:
At one point in time there was a bug where the first MAC listed was ignored.

But if you want you are asking a similar question to:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321606

I answered there with some iptables rules.

Does this help at all?
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Thu Oct 10, 2019 3:38    Post subject:
Wildlion wrote:
At one point in time there was a bug where the first MAC listed was ignored.

But if you want you are asking a similar question to:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321606

I answered there with some iptables rules.

Does this help at all?


I know you can always replicate MAC filtering using iptables rules but I would prefer to use the built-in MAC filtering capabilities.

What I don't understand is why MAC filtering is no longer working for me... which I am trying to troubleshoot.

Perhaps someone can help me understand how dd-wrt implements MAC filtering. It doesn't seem to be iptables since when I do 'iptables -L' I don't see any relevant MAC-address rules.

Is there some 'wl' or other similar command that implements the MAC filter?
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Thu Oct 10, 2019 3:41    Post subject:
puterboy2 wrote:
Wildlion wrote:
At one point in time there was a bug where the first MAC listed was ignored.

But if you want you are asking a similar question to:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321606

I answered there with some iptables rules.

Does this help at all?


I know you can always replicate MAC filtering using iptables rules but I would prefer to use the built-in MAC filtering capabilities.

What I don't understand is why MAC filtering is no longer working for me... which I am trying to troubleshoot.

Perhaps someone can help me understand how dd-wrt implements MAC filtering. It doesn't seem to be iptables since when I do 'iptables -L' I don't see any relevant MAC-address rules.

Is there some 'wl' or other similar command that implements the MAC filter?


Also, iptables blocks IP traffic while presumably the Wifi MAC filtering prevents connections. I just don't know what commands are used to implement the blocking.
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Thu Oct 10, 2019 4:33    Post subject:
I think I may have found the source of the problem:

$ nvram get wl0_macmode
allow

$ nvram get wl0_macmode1
other

$ nvram get wl0_maclist
<list of MACaddresses>

BUT:
$ wl -i eth1 macmode
0
(which corresponds to disable MAC address matching - the value should be '2' corresponding to 'allow')
$ wl -i eth1 mac
<nothing - the value should be the list of mac addresses>

I can get it working manually (until a reboot), by manually correcting the above from the command line:

wl -i eth1 down
wl -i eth1 macmode 2
wl -i eth1 mac $(nvram get wl0_maclist)
wl -i eth1 up

BUT the question remains, why doesn't this work automatically... i.e. when the router reboots, why aren't the macmode and maclist states stored in nvram executed by the 'wl' command to make the mac filtering active...
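A startup-script version of the manual fix above, added here as an example and not code from the thread or from DD-WRT: it reads each radio's wlN_macmode and wlN_maclist from nvram, pushes them into the Broadcom driver with wl, and checks that the driver kept the mode. The allow=2 and disabled=0 values are those shown in the thread; deny=1, the wl1-to-eth2 mapping and the logger call are assumptions.

```shell
#!/bin/sh
# Hypothetical DD-WRT startup script (not the project's own code). Assumes the
# Broadcom 'wl' tool and 'nvram' are present, as on the thread's R6700v3.

# Map the nvram wlN_macmode string to the number 'wl macmode' expects.
# 0 = disabled and 2 = allow are shown in the thread; 1 = deny is assumed.
macmode_value() {
    case "$1" in
        allow) echo 2 ;;
        deny)  echo 1 ;;
        *)     echo 0 ;;   # "disabled" or anything unrecognised: filter off
    esac
}

# Lower-case a space-separated nvram MAC list and drop malformed tokens,
# so a typo in the GUI list cannot make the whole 'wl mac' call fail.
clean_maclist() {
    h='[0-9a-f][0-9a-f]'
    out=""
    for m in $1; do
        m=$(printf '%s' "$m" | tr 'A-F' 'a-f')
        case "$m" in
            $h:$h:$h:$h:$h:$h) out="$out${out:+ }$m" ;;
        esac
    done
    printf '%s' "$out"
}

# Push the nvram state for one radio into the driver, then verify it stuck.
# $1 = nvram prefix (wl0), $2 = driver interface (eth1 for wl0 per the thread).
apply_macfilter() {
    prefix=$1; ifc=$2
    mode=$(macmode_value "$(nvram get "${prefix}_macmode")")
    list=$(clean_maclist "$(nvram get "${prefix}_maclist")")
    wl -i "$ifc" down
    wl -i "$ifc" macmode "$mode"
    wl -i "$ifc" mac $list        # same sequence as the manual fix in the thread
    wl -i "$ifc" up
    got=$(wl -i "$ifc" macmode)
    [ "$got" = "$mode" ] || logger -t macfilter "$ifc: wanted macmode $mode, driver reports $got"
}

# Only touch the driver when actually running on the router.
if command -v wl >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1; then
    apply_macfilter wl0 eth1   # 2.4 GHz radio, interface name from the thread
    apply_macfilter wl1 eth2   # 5 GHz radio; eth2 is an assumed interface name
fi
```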
slice1900
DD-WRT User


Joined: 18 Feb 2013
Posts: 99

PostPosted: Thu Oct 10, 2019 16:08    Post subject:
I never got MAC blocking to work, but there's a simple alternative. I put the entries in the GUI, then added this to my startup script:

# Make MAC blocking actually work (test: ebtables -L --Lc)
for i in $(nvram get wl0_maclist)
do
    # add a DROP rule for this source MAC only if one is not already present
    ebtables -L | grep -q "$i" || ebtables -I INPUT -s "$i" -j DROP
done

You only need to add it to the WL0 list, ebtables takes effect at the bridging level. I think it is supposed to work at the wireless driver level but probably doesn't get much testing and may be hardware dependent. ebtables will work on everything, and no DD-WRT update will break it.

Those who are saying this isn't useful for security are correct, but I have an open wireless network for my business and every once in a while someone at a nearby business will be using it (it is easy to tell - if you have people using it when you are closed and there is no one there!). I add their MAC to the list to block them, they'll find it doesn't work and connect to whatever they are supposed to connect to. If they were clever they could change their MAC but almost certainly these are people connected by accident or who are too lazy to get the proper wifi login info from their people.