Posted: Fri Oct 04, 2019 19:51 Post subject: MAC Filtering not denying access
I have 3 Netgear R6700v3 routers running Kong r40270M software.
All 3 are in 'Gateway' mode, though only one is acting to the WAN (with DHCP), with the other 2 connected to the WAN-facing Gateway, acting as Wifi extenders.
I have a list of 40+ MAC addresses entered with the "Permit only clients listed to access..." mode on both wl0 and wl1.
All 3 routers have the same list of allowed MAC addresses.
All 3 use WPA2-PSK/AES security and that is being enforced properly of course.
Lately, I have noticed that wireless devices are able to access my network even if they are not on the permitted list.
Note that each of the routers has a pair of guest networks created using virtual interfaces (wl0.1 and wl1.1 for 2.4GHz and 5GHz respectively) -- and there is no MAC filtering set up (or seemingly even possible on such virtual interfaces). Note though that the wireless devices are connecting to the primary wl0 and wl1 networks where MAC filtering is enabled. So, I assume that the virtual interfaces are not at issue here.
I think I may have found the source of the problem:
$ nvram get wl0_macmode
$ nvram get wl0_macmode1
$ nvram get wl0_maclist
<list of MAC addresses>
$ wl -i eth1 macmode
(which corresponds to disable MAC address matching - the value should be '2' corresponding to 'allow')
$ wl -i eth1 mac
<nothing - the value should be the list of MAC addresses>
I can get it working manually (until a reboot), by manually correcting the above from the command line:
wl -i eth1 down
wl -i eth1 macmode 2
wl -i eth1 mac $(nvram get wl0_maclist)
wl -i eth1 up
BUT the question remains, why doesn't this work automatically... i.e. when the router reboots, why aren't the macmode and maclist states stored in nvram executed by the 'wl' command to make the mac filtering active...
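As an added example (not code from the original post and not DD-WRT's own init code), here is a startup script that does at boot what the manual fix above does by hand: read each radio's filter mode and list from nvram, push them into the driver with wl in the same down/macmode/mac/up sequence, and check that the driver actually took the mode. It assumes DD-WRT stores wlX_macmode as the strings allow, deny or disabled, that wlX_ifname names the driver interface (eth1 for wl0 in the post), that "wl macmode" prints just the number, and that startup scripts go in Administration > Commands; all of those are assumptions to confirm against your build, and the logger tag is arbitrary.

```shell
#!/bin/sh
# Re-apply the MAC filter stored in nvram to the Broadcom driver at boot.
# Added example for this thread, not DD-WRT's own init code. Intended to be
# saved as a startup script (assumption: Administration > Commands).
#
# Assumptions to verify on your build:
#   nvram get wl0_macmode   -> one of: allow, deny, disabled
#   nvram get wl0_maclist   -> space-separated MAC addresses
#   nvram get wl0_ifname    -> driver interface (eth1 for wl0 in the post)

WL=${WL:-wl}   # set WL=echo (or a shell function) for a dry run

# DD-WRT's textual mode -> numeric mode that "wl macmode" expects:
# 0 = disabled, 1 = deny the listed MACs, 2 = allow only the listed MACs.
macmode_to_wl() {
    case "$1" in
        allow) echo 2 ;;
        deny)  echo 1 ;;
        *)     echo 0 ;;
    esac
}

# Push one radio's filter into the driver using the down/macmode/mac/up
# sequence that works by hand. $3 is the space-separated MAC list.
apply_macfilter() {
    ifname=$1
    wlmode=$(macmode_to_wl "$2")
    list=$3
    "$WL" -i "$ifname" down
    "$WL" -i "$ifname" macmode "$wlmode"
    if [ "$wlmode" -ne 0 ] && [ -n "$list" ]; then
        # $list is deliberately unquoted: wl takes one MAC per argument
        "$WL" -i "$ifname" mac $list
    fi
    "$WL" -i "$ifname" up
}

# Return 0 if the driver reports the mode we asked for, 1 otherwise.
# Assumption: "wl -i IF macmode" prints only the number, as in the post.
verify_macfilter() {
    [ "$("$WL" -i "$1" macmode)" = "$2" ]
}

# Apply both radios from nvram and log if the driver did not take the mode.
apply_all() {
    for radio in wl0 wl1; do
        ifname=$(nvram get "${radio}_ifname")
        mode=$(nvram get "${radio}_macmode")
        [ -n "$ifname" ] || continue
        apply_macfilter "$ifname" "$mode" "$(nvram get "${radio}_maclist")"
        verify_macfilter "$ifname" "$(macmode_to_wl "$mode")" \
            || logger -t macfilter "$ifname: driver did not accept macmode $mode"
    done
}

# Only touch the radios when actually running on the router (nvram and wl present).
if command -v nvram >/dev/null 2>&1 && command -v wl >/dev/null 2>&1; then
    apply_all
fi
```

After a reboot, `wl -i eth1 macmode` and `wl -i eth1 mac` should show the mode and list from nvram; if the logger line appears in the syslog, the driver rejected the setting and the problem is below the script. Like the GUI filter, this only stops devices that present an unlisted MAC; a client can still spoof a listed one, so WPA2-PSK remains the real access control.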
I never got MAC blocking to work, but there's a simple alternative. I put the entries in the GUI, then added this to my startup script:
# Make MAC blocking actually work (test: ebtables -L --Lc)
for i in $(nvram get wl0_maclist); do
    # case-insensitive match so the rule is not inserted twice if the stored list and the ebtables output differ in case
    ebtables -L | grep -qi "$i" || ebtables -I INPUT -s "$i" -j DROP
done
You only need to add it to the WL0 list, ebtables takes effect at the bridging level. I think it is supposed to work at the wireless driver level but probably doesn't get much testing and may be hardware dependent. ebtables will work on everything, and no DD-WRT update will break it.
Those who are saying this isn't useful for security are correct, but I have an open wireless network for my business, and every once in a while someone at a nearby business will be using it (it is easy to tell - if you have people using it when you are closed and there is no one there!). I add their MAC to the list to block them; they'll find it doesn't work and connect to whatever they are supposed to connect to. If they were clever they could change their MAC, but almost certainly these are people connected by accident or who are too lazy to get the proper wifi login info from their people.
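A permit-only version of the same bridge-level idea, as an added example that is not the poster's script and not DD-WRT code: instead of inserting one DROP per unwanted MAC, build a user chain that lets the listed MACs through and drops every other frame arriving on the wireless bridge ports, hooked into both INPUT (frames addressed to the router itself: DHCP, DNS and anything being routed to the WAN) and FORWARD (frames bridged to wired LAN clients). It assumes wl0 and wl1 are the bridge ports eth1 and eth2 (check with brctl show), that nvram wl0_maclist holds the allow list, and that busybox grep supports -E; the chain name wifi_acl is arbitrary.

```shell
#!/bin/sh
# Permit-only wireless MAC list enforced at the bridge with ebtables.
# Added example for this thread: not the poster's script, not DD-WRT code.
# Assumptions: wl0/wl1 are the bridge ports eth1/eth2 (check: brctl show),
# nvram wl0_maclist holds the allow list, busybox grep supports -E.

EBTABLES=${EBTABLES:-ebtables}   # set EBTABLES=echo for a dry run
CHAIN=wifi_acl                   # arbitrary user-chain name

# Accept only well-formed aa:bb:cc:dd:ee:ff entries, so a stray token in
# nvram cannot turn into a malformed (or silently ineffective) rule.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# (Re)build the user chain: RETURN for each allowed source MAC, DROP the rest.
# -N fails if the chain already exists, in which case we flush it, so re-running
# the script (or the GUI list changing) does not pile up duplicate rules.
build_wifi_acl() {
    "$EBTABLES" -N "$CHAIN" 2>/dev/null || "$EBTABLES" -F "$CHAIN"
    for mac in $1; do                       # word-split on purpose
        if is_mac "$mac"; then
            "$EBTABLES" -A "$CHAIN" -s "$mac" -j RETURN
        else
            echo "wifi_acl: skipping malformed entry '$mac'" >&2
        fi
    done
    "$EBTABLES" -A "$CHAIN" -j DROP
}

# Send every frame arriving on the given wireless bridge ports through the
# chain. INPUT covers frames for the router itself (DHCP, DNS, anything being
# routed to the WAN); FORWARD covers frames bridged to wired LAN clients.
# The -D first makes the hook idempotent across re-runs.
hook_wifi_ports() {
    for port in "$@"; do
        for base in INPUT FORWARD; do
            "$EBTABLES" -D "$base" -i "$port" -j "$CHAIN" 2>/dev/null || true
            "$EBTABLES" -A "$base" -i "$port" -j "$CHAIN"
        done
    done
}

# Only touch the live tables when actually running on the router.
if command -v nvram >/dev/null 2>&1 && command -v ebtables >/dev/null 2>&1; then
    build_wifi_acl "$(nvram get wl0_maclist)"
    hook_wifi_ports eth1 eth2
fi
```

Check the result with `ebtables -L wifi_acl --Lc`: the DROP rule's counter climbing while an unlisted device is associated confirms it is being filtered. Three caveats a practitioner should keep in mind: this does not stop association (an unlisted device still shows up in the wireless client list, it just gets no frames through, not even its DHCP request); the guest virtual interfaces (wl0.1/wl1.1) are separate bridge ports and stay unfiltered unless you add them to hook_wifi_ports; and, exactly as with the driver filter, a spoofed MAC walks straight through, so this is housekeeping rather than a security boundary.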