Linksys WRT1200ACv2 can't secure Wifi

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Goto page Previous  1, 2, 3, 4, 5, 6  Next
Author Message
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6424
Location: Romerike, Norway

PostPosted: Thu Jun 23, 2022 7:58    Post subject: Reply with quote
To get a secure network:

1) Isolate the wifi from your Main network.

2) Use a VPN to connect from the wifi to the Main network.

If someone is able to connect to your wifi, they will only get the Guest network with no resources and no Internet.
Sponsor
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 4026

PostPosted: Thu Jun 23, 2022 8:02    Post subject: Reply with quote
JediMaster666 wrote:
I did the "research". It is obviously written from the point of view of people trying to prevent an expert attack. Not a scripted attack. I know you don't think it's worth anything. I also know what I need to protect myself from is not covered in the "research" you listed. I don't need my network to be unhackable. Just less mechanically hackable than my neighbors. The only real downside is that it's harder to maintain. I can accept that.

Sorry no, this is all wrong. Modern automated tools have zero concern for SSID broadcast. Welcome to 2022.
JediMaster666
DD-WRT User


Joined: 04 Apr 2017
Posts: 55

PostPosted: Thu Jun 23, 2022 8:39    Post subject: Reply with quote
egc wrote:
You mean the ones with cars parking for your door and equipped with special equipment to crack your WPA2-PSK AES-128 password?

If that is your worry do not use wireless at all


Nope. That's not what I'm talking about at all. Anyone with sophisticated resources is getting in no matter what.
JediMaster666
DD-WRT User


Joined: 04 Apr 2017
Posts: 55

PostPosted: Thu Jun 23, 2022 8:43    Post subject: Reply with quote
blkt wrote:
Sorry no, this is all wrong. Modern automated tools have zero concern for SSID broadcast. Welcome to 2022.


Then getting a router to work in that mode should be no problem. But here we are. Like I've said even though you refuse to listen, I don't care about informed or modern tools/attacks.
JediMaster666
DD-WRT User


Joined: 04 Apr 2017
Posts: 55

PostPosted: Thu Jun 23, 2022 8:47    Post subject: Reply with quote
Per Yngve Berg wrote:
To get a secure network:

1) Isolate the wifi from your Main network.

2) Use a VPN to connect from the wifi to the Main network.

If someone is able to connect to your wifi, they will only get the Guest network with no resources and no Internet.


This is a clever layer but ultimately it's just another layer. It might be harder to crack but it's still vulnerable. Even if I set this up, I would never use it by itself. I would still use it with all the other safeguards. For right now, those are all I need.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 1375
Location: Germany

PostPosted: Thu Jun 23, 2022 12:12    Post subject: Reply with quote
I hardly like to say it again because the others have already said it.

"WPA2 Personal with SHA256" causes problems on many clients or is not supported at all.
On many of my clients the network is grayed out ("unsupported WLAN setting").

The security gain is marginal WPA2 is still WPA2

A hidden SSID is also not a security gain because with a packet sniffer and a WLAN card in monitor mode you can record probe requests in which the SSID is visible.

For a good compatibility it is best to use "WPA2 Personal with CCMP-128 (AES)".

If it should be more secure then choose directly "WPA3 Personal / SAE with CCMP-128 (AES)".
Which again is not supported by many common clients.

As egc already mentioned you can use WPA3 for the main WLAN and for devices that don't support it you can create an isolated VAP with "WPA2 Personal with CCMP-128 (AES)".

Problem solved ... or you fix your clients with your Jedi powers
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 371

PostPosted: Thu Jun 23, 2022 13:24    Post subject: Reply with quote
Besides the above suggestions, the only suggestion I have (assuming you are running v49326 or an older version with this option) is to go to Wireless, MAC Filter, open Edit MAC Filter (both radios individually rather than at the same time), click the Wireless Client MAC List button on the top right of the Edit MAC Filter page and confirm that all MAC's are enabled on the resulting Wireless Client MAC List page. See attachment.

This page may not have existed on the old build you upgraded from?? Possibly causing the new firmware to require manual enable of each client? My last best guess =)
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 1231
Location: All over YOUR webs

PostPosted: Thu Jun 23, 2022 13:43    Post subject: Reply with quote
[quote="JediMaster666"]
blkt wrote:
I don't care about informed or modern tools/attacks.

Its kinda pointless to try to secure anything minimally and then ignore the larger attack surface for whatever reason, sure you can do it and tbh its your choice.

SSID isn't any kind of security, never was, never will be or any kind of hurdle, in fact a hidden SSID is more likely to be a target just because anyone will think, but why is this guy trying to hide his network, lets investigate). How you handle your network or clients attached is your own business and you are welcome to believe in Unicorns too.

MAC filters are very very little in the way of prevention any wifi analyzer can tell anyone using it with no permissions (just as an observer) which devices and respective MACs are connected to which AP and spoofing a MAC address is a two click job, no matter if that MAC address is from your AP or the clients, you dont even need any special tools for any of it, bog standards wifi analyzers, pick any semi decent one available for free.

Now, AP/NET Isolation for a given VAP or Wireless network is something else, even after being breached there is no access to any resources or other subnets, but unless you are running an OS/Firmware that is patched against all current know exploits (unlikely), lateral movement trough the network by a resourceful/determined maleficent actor is not out of the question, unlikely as it may be its a possibility, there are easier/faster ways around this with minimal time and less skills and no tools of any kind.

In the end, there is no way to actually secure anything properly, everything is a Swiss cheese, hardware/software is all a mine field from day zero, some holes are known some are patched but mostly its not known or rather even public knowledge.

The most vulnerable target on any network are the users behind it. No special tools needed .

So good luck to you. Enjoy building your house of cards with puny consumer grade equipment.

Like I said, its all your choice what you do or dont do, its all the same to me as it is for anyone who has graciously replied to you, we dont have any obligation one way or another.

I just stumbled on this thread and I always love to see how unicorns are making a come back to la la userland.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
JediMaster666
DD-WRT User


Joined: 04 Apr 2017
Posts: 55

PostPosted: Thu Jun 23, 2022 18:02    Post subject: Reply with quote
ho1Aetoo wrote:
I hardly like to say it again because the others have already said it.

"WPA2 Personal with SHA256" causes problems on many clients or is not supported at all.
On many of my clients the network is grayed out ("unsupported WLAN setting").

The security gain is marginal WPA2 is still WPA2

A hidden SSID is also not a security gain because with a packet sniffer and a WLAN card in monitor mode you can record probe requests in which the SSID is visible.

For a good compatibility it is best to use "WPA2 Personal with CCMP-128 (AES)".

If it should be more secure then choose directly "WPA3 Personal / SAE with CCMP-128 (AES)".
Which again is not supported by many common clients.

As egc already mentioned you can use WPA3 for the main WLAN and for devices that don't support it you can create an isolated VAP with "WPA2 Personal with CCMP-128 (AES)".

Problem solved ... or you fix your clients with your Jedi powers


I've already accepted the loss in algorithm functionality by using new firmware. I want to use mac filtering and I don't want to broadcast my SSID. I know you guys don't understand. You refuse to listen when I explain so I have to say it again. If this were so trivial, this wouldn't have been a problem in the firmware for over a year.
JediMaster666
DD-WRT User


Joined: 04 Apr 2017
Posts: 55

PostPosted: Thu Jun 23, 2022 18:09    Post subject: Reply with quote
the-joker wrote:
Its kinda pointless to try to secure anything minimally and then ignore the larger attack surface for whatever reason, sure you can do it and tbh its your choice.


I know you don't think so. But everything you've ever said to me has also never given me any indication that you know anything worthwhile.

the-joker wrote:
SSID isn't any kind of security, never was, never will be or any kind of hurdle, in fact a hidden SSID is more likely to be a target just because anyone will think, but why is this guy trying to hide his network, lets investigate). How you handle your network or clients attached is your own business and you are welcome to believe in Unicorns too.

MAC filters are very very little in the way of prevention any wifi analyzer can tell anyone using it with no permissions (just as an observer) which devices and respective MACs are connected to which AP and spoofing a MAC address is a two click job, no matter if that MAC address is from your AP or the clients, you dont even need any special tools for any of it, bog standards wifi analyzers, pick any semi decent one available for free.


If it were so easy, it would not exist as a continuing problem in the firmware that has been there for over a year.


Last edited by JediMaster666 on Thu Jun 23, 2022 18:20; edited 1 time in total
JediMaster666
DD-WRT User


Joined: 04 Apr 2017
Posts: 55

PostPosted: Thu Jun 23, 2022 18:12    Post subject: Reply with quote
Monza wrote:
Besides the above suggestions, the only suggestion I have (assuming you are running v49326 or an older version with this option) is to go to Wireless, MAC Filter, open Edit MAC Filter (both radios individually rather than at the same time), click the Wireless Client MAC List button on the top right of the Edit MAC Filter page and confirm that all MAC's are enabled on the resulting Wireless Client MAC List page. See attachment.

This page may not have existed on the old build you upgraded from?? Possibly causing the new firmware to require manual enable of each client? My last best guess =)


Welcome back to the thread. Please catch up before posting. Turning on Mac filtering still causes nothing to be able to connect.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 1375
Location: Germany

PostPosted: Thu Jun 23, 2022 18:57    Post subject: Reply with quote
JediMaster666 wrote:
I've already accepted the loss in algorithm functionality by using new firmware. I want to use mac filtering and I don't want to broadcast my SSID. I know you guys don't understand. You refuse to listen when I explain so I have to say it again. If this were so trivial, this wouldn't have been a problem in the firmware for over a year.


Sure, we are listening to you.
It is true that you can prevent the router from broadcasting the SSID but your clients are still broadcasting the SSID. Smile
They don't see the router with hidden SSID itself, so they send a probe request with your entered SSID "Hello SSID are you there somewhere" - in plain text.
Everyone can read this.

Also you can see which clients are connected to which AP, so you can also associate the hidden SSID.

You just have to wait until said client wants to connect and it blares out your "secret" SSID.

Based on the connected stations you can see which MAC addresses are allowed etc...

Is for my part but only a hint that the supposed security has no effect anyway.

The MAC filtering should of course not cause any problems - but I can not judge because I do not own said router.
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 371

PostPosted: Thu Jun 23, 2022 19:02    Post subject: Reply with quote
JediMaster666 wrote:
Welcome back to the thread. Please catch up before posting. Turning on Mac filtering still causes nothing to be able to connect.


Understood. What I was suggesting was, due to the old version upgrade to a new version, the individual MAC inputs may not be enabled.

If you enable the MAC filter but the individual inputs are disabled the system would see it as no MAC inputs available and allow none to connect when MAC filer is enabled. I've probably misunderstood what the enable/disable function for individual MAC inputs are for, sorry.

All I was suggesting was that you confirm the inputs were each enabled so I now assume you had already done so. My bad to suggest otherwise. Good luck with your issue.
JediMaster666
DD-WRT User


Joined: 04 Apr 2017
Posts: 55

PostPosted: Thu Jun 23, 2022 19:37    Post subject: Reply with quote
Monza wrote:
What I was suggesting was, due to the old version upgrade to a new version, the individual MAC inputs may not be enabled.


As part of my testing, I discovered mac filtering and SSID broadcast work mutually exclusively.

But since you were so nice, I went ahead and checked the tab. I have filtering off but that table can clearly still recognize my devices.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 1231
Location: All over YOUR webs

PostPosted: Thu Jun 23, 2022 19:57    Post subject: Reply with quote
Of course SSID and MAC filtering are exclusive and operate separately.

Im not entirely sure what you expect to achieve here by checking those boxes, you will need to goto the MAC filter page and decide if the macs you just added to the list should be whitelisted or blacklisted entries, that dialog you showed does not allow you todo anything else but add said macs to the filtering list for later management.

See screenshot. You then need to enable the filtering and decide if you want to blacklist or whitelist those entries -> Wireless tab -> Mac Filter subtab

Each radio 2.4/5GHz has separate filters.

The Filter Mode labels are named different on your build and have since this screenshot been further shrunken labels to 3 words, as we dont need a whole sentence to define what these really do.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Goto page Previous  1, 2, 3, 4, 5, 6  Next Display posts from previous:    Page 4 of 6
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum