I did the "research". It is obviously written from the point of view of people trying to prevent an expert attack. Not a scripted attack. I know you don't think it's worth anything. I also know what I need to protect myself from is not covered in the "research" you listed. I don't need my network to be unhackable. Just less mechanically hackable than my neighbors. The only real downside is that it's harder to maintain. I can accept that.
Sorry no, this is all wrong. Modern automated tools have zero concern for SSID broadcast. Welcome to 2022.
blkt wrote:
Sorry no, this is all wrong. Modern automated tools have zero concern for SSID broadcast. Welcome to 2022.
Then getting a router to work in that mode should be no problem. But here we are. Like I've said, even though you refuse to listen, I don't care about informed or modern tools/attacks.
2) Use a VPN to connect from the wifi to the Main network.
If someone is able to connect to your wifi, they will only get the Guest network with no resources and no Internet.
This is a clever layer but ultimately it's just another layer. It might be harder to crack but it's still vulnerable. Even if I set this up, I would never use it by itself. I would still use it with all the other safeguards. For right now, those are all I need.
I don't like to say it again, because the others have already said it.
"WPA2 Personal with SHA256" causes problems on many clients or is not supported at all.
On many of my clients the network is grayed out ("unsupported WLAN setting").
The security gain is marginal; WPA2 is still WPA2.
A hidden SSID is also not a security gain, because with a packet sniffer and a WLAN card in monitor mode you can record probe requests in which the SSID is visible.
For good compatibility it is best to use "WPA2 Personal with CCMP-128 (AES)".
If it should be more secure, then choose "WPA3 Personal / SAE with CCMP-128 (AES)" directly.
Which, again, is not supported by many common clients.
As egc already mentioned, you can use WPA3 for the main WLAN, and for devices that don't support it you can create an isolated VAP with "WPA2 Personal with CCMP-128 (AES)".
Problem solved ... or you fix your clients with your Jedi powers.
Besides the above suggestions, the only suggestion I have (assuming you are running v49326 or an older version with this option) is to go to Wireless, MAC Filter, open Edit MAC Filter (both radios individually rather than at the same time), click the Wireless Client MAC List button on the top right of the Edit MAC Filter page and confirm that all MACs are enabled on the resulting Wireless Client MAC List page. See attachment.
This page may not have existed on the old build you upgraded from? Possibly causing the new firmware to require manual enabling of each client? My last best guess =)
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jun 23, 2022 13:43
JediMaster666 wrote:
I don't care about informed or modern tools/attacks.
It's kinda pointless to try to secure anything minimally and then ignore the larger attack surface for whatever reason; sure, you can do it, and tbh it's your choice.
SSID isn't any kind of security, never was, never will be, or any kind of hurdle; in fact a hidden SSID is more likely to be a target, just because anyone will think "but why is this guy trying to hide his network? Let's investigate". How you handle your network or clients attached is your own business, and you are welcome to believe in unicorns too.
MAC filters are very, very little in the way of prevention: any wifi analyzer can tell anyone using it, with no permissions (just as an observer), which devices and respective MACs are connected to which AP, and spoofing a MAC address is a two-click job, no matter if that MAC address is from your AP or the clients. You don't even need any special tools for any of it, just bog-standard wifi analyzers; pick any semi-decent one available for free.
Now, AP/NET Isolation for a given VAP or wireless network is something else: even after being breached there is no access to any resources or other subnets. But unless you are running an OS/firmware that is patched against all currently known exploits (unlikely), lateral movement through the network by a resourceful/determined maleficent actor is not out of the question; unlikely as it may be, it's a possibility, and there are easier/faster ways around this with minimal time, less skill and no tools of any kind.
In the end, there is no way to actually secure anything properly; everything is Swiss cheese, hardware/software is all a minefield from day zero, some holes are known, some are patched, but mostly it's not known, or rather not even public knowledge.
The most vulnerable targets on any network are the users behind it. No special tools needed.
So good luck to you. Enjoy building your house of cards with puny consumer-grade equipment.
Like I said, it's all your choice what you do or don't do; it's all the same to me as it is for anyone who has graciously replied to you. We don't have any obligation one way or another.
Quote:
I don't like to say it again, because the others have already said it.
"WPA2 Personal with SHA256" causes problems on many clients or is not supported at all.
On many of my clients the network is grayed out ("unsupported WLAN setting").
The security gain is marginal; WPA2 is still WPA2.
A hidden SSID is also not a security gain, because with a packet sniffer and a WLAN card in monitor mode you can record probe requests in which the SSID is visible.
For good compatibility it is best to use "WPA2 Personal with CCMP-128 (AES)".
If it should be more secure, then choose "WPA3 Personal / SAE with CCMP-128 (AES)" directly.
Which, again, is not supported by many common clients.
As egc already mentioned, you can use WPA3 for the main WLAN, and for devices that don't support it you can create an isolated VAP with "WPA2 Personal with CCMP-128 (AES)".
Problem solved ... or you fix your clients with your Jedi powers.
I've already accepted the loss in algorithm functionality by using new firmware. I want to use MAC filtering and I don't want to broadcast my SSID. I know you guys don't understand. You refuse to listen when I explain, so I have to say it again. If this were so trivial, this wouldn't have been a problem in the firmware for over a year.
the-joker wrote:
It's kinda pointless to try to secure anything minimally and then ignore the larger attack surface for whatever reason; sure, you can do it, and tbh it's your choice.
I know you don't think so. But everything you've ever said to me has also never given me any indication that you know anything worthwhile.
the-joker wrote:
SSID isn't any kind of security, never was, never will be, or any kind of hurdle; in fact a hidden SSID is more likely to be a target, just because anyone will think "but why is this guy trying to hide his network? Let's investigate". How you handle your network or clients attached is your own business, and you are welcome to believe in unicorns too.
MAC filters are very, very little in the way of prevention: any wifi analyzer can tell anyone using it, with no permissions (just as an observer), which devices and respective MACs are connected to which AP, and spoofing a MAC address is a two-click job, no matter if that MAC address is from your AP or the clients. You don't even need any special tools for any of it, just bog-standard wifi analyzers; pick any semi-decent one available for free.
If it were so easy, it would not exist as a continuing problem in the firmware that has been there for over a year.
Last edited by JediMaster666 on Thu Jun 23, 2022 18:20; edited 1 time in total
Quote:
Besides the above suggestions, the only suggestion I have (assuming you are running v49326 or an older version with this option) is to go to Wireless, MAC Filter, open Edit MAC Filter (both radios individually rather than at the same time), click the Wireless Client MAC List button on the top right of the Edit MAC Filter page and confirm that all MACs are enabled on the resulting Wireless Client MAC List page. See attachment.
This page may not have existed on the old build you upgraded from? Possibly causing the new firmware to require manual enabling of each client? My last best guess =)
Welcome back to the thread. Please catch up before posting. Turning on MAC filtering still causes nothing to be able to connect.
JediMaster666 wrote:
I've already accepted the loss in algorithm functionality by using new firmware. I want to use MAC filtering and I don't want to broadcast my SSID. I know you guys don't understand. You refuse to listen when I explain, so I have to say it again. If this were so trivial, this wouldn't have been a problem in the firmware for over a year.
Sure, we are listening to you.
It is true that you can prevent the router from broadcasting the SSID, but your clients are still broadcasting the SSID.
They don't see the router with the hidden SSID itself, so they send a probe request with your entered SSID ("Hello SSID, are you there somewhere?") in plain text.
Everyone can read this.
Also you can see which clients are connected to which AP, so you can also associate the hidden SSID.
You just have to wait until said client wants to connect and it blares out your "secret" SSID.
Based on the connected stations you can see which MAC addresses are allowed, etc.
For my part, this is only a hint that the supposed security has no effect anyway.
The MAC filtering should of course not cause any problems, but I can't judge because I don't own said router.
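The probe-request point made in this post (and earlier in the thread) follows from the frame format itself. The block below is an added example, not code from the thread or from DD-WRT: it parses constructed 802.11 beacon and probe request bytes and shows the AP's beacon carrying an empty SSID element while the client's probe request names the network in the clear. The frame bytes, the MAC addresses and the SSID "MyHomeNet" are all made up for the example.

```python
# Added example (not from the thread): parse the SSID element out of raw 802.11
# management frames.  All frame bytes and MAC addresses are constructed here.
SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 4, 8      # 802.11 management subtypes

def ssid_element(body: bytes):
    """Walk (id, length, data) elements; return SSID data, None if absent/truncated."""
    off = 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        data = body[off + 2:off + 2 + elen]
        if len(data) < elen:                  # truncated element: do not trust it
            return None
        if eid == 0:
            return data
        off += 2 + elen
    return None

def parse_mgmt_frame(frame: bytes):
    """{'kind','src','ssid'} for a beacon/probe request; ssid is None when hidden."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 != 0:   # type 0 = management
        return None
    subtype, src, body = frame[0] >> 4, frame[10:16], frame[24:]
    if subtype == SUBTYPE_BEACON:
        body = body[12:]                      # skip timestamp/interval/capability
    elif subtype != SUBTYPE_PROBE_REQ:
        return None
    raw = ssid_element(body)
    hidden = raw is None or raw.strip(b"\x00") == b""   # empty or NUL-filled SSID
    return {"kind": "beacon" if subtype == SUBTYPE_BEACON else "probe_req",
            "src": ":".join(f"{x:02x}" for x in src),
            "ssid": None if hidden else raw.decode("utf-8", "replace")}

def build_frame(subtype: int, src: bytes, ssid: bytes) -> bytes:
    """Minimal beacon or probe request: 24-byte header, fixed fields, SSID element."""
    bcast = b"\xff" * 6                       # addr1 and BSSID: broadcast
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + bcast + src + bcast + b"\x00\x00"
    fixed = b"\x00" * 12 if subtype == SUBTYPE_BEACON else b""
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

def probed_ssids(frames):
    """Map every SSID named in a probe request to the client MACs that asked for it."""
    seen = {}
    for f in map(parse_mgmt_frame, frames):
        if f and f["kind"] == "probe_req" and f["ssid"]:
            seen.setdefault(f["ssid"], set()).add(f["src"])
    return seen

# Constructed sample: the AP beacons an empty SSID, then a client asks for the real name.
AP, CLIENT = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
SAMPLE = [build_frame(SUBTYPE_BEACON, AP, b""), build_frame(SUBTYPE_PROBE_REQ, CLIENT, b"MyHomeNet")]
```

Running `probed_ssids(SAMPLE)` yields the name the beacon withheld, keyed to the client MAC that asked for it, which is also the pairing a MAC allow-list leaks.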
JediMaster666 wrote:
Welcome back to the thread. Please catch up before posting. Turning on MAC filtering still causes nothing to be able to connect.
Understood. What I was suggesting was, due to the old version upgrade to a new version, the individual MAC inputs may not be enabled.
If you enable the MAC filter but the individual inputs are disabled, the system would see it as no MAC inputs available and allow none to connect when the MAC filter is enabled. I've probably misunderstood what the enable/disable function for individual MAC inputs is for, sorry.
All I was suggesting was that you confirm the inputs were each enabled so I now assume you had already done so. My bad to suggest otherwise. Good luck with your issue.
Posted: Thu Jun 23, 2022 19:57
Of course SSID and MAC filtering are exclusive and operate separately.
I'm not entirely sure what you expect to achieve here by checking those boxes; you will need to go to the MAC filter page and decide if the MACs you just added to the list should be whitelisted or blacklisted entries. That dialog you showed does not allow you to do anything else but add said MACs to the filtering list for later management.
See screenshot. You then need to enable the filtering and decide if you want to blacklist or whitelist those entries -> Wireless tab -> Mac Filter subtab