Block unknown MAC addresses in private wifi but allow them in guest wifi or wired connection

Hey,

After configuring guest wifi, I now have another task to do. The idea is to block all unknown MAC addresses from using private wifi but allow them in guest wifi. I found this post, which can block all except the ones in the whitelist; however, it will block them in guest wifi as well.

https://forum.openwrt.org/t/block-all-except-mac-address-list/124879

So, how do I make the restriction apply only to private wifi, with no restriction if a device is connected by wire or guest wifi?

The only way to do this is to use WPA2 Enterprise and 802.1x authentication (along with a RADIUS server). This is seriously overkill for the vast majority of users.

Without the above...
If you want only certain wifi devices on a specific network, you must have them authenticate to said wifi SSID (and don't give them credentials for the other).

-> You can create allow or deny lists for your wifi network based on MAC addresses, but this won't cause it to connect to a different network (unless the client device has credentials for both networks, in which case it may switch when it fails to completely associate with the first). MAC address based allow/deny lists are easy to circumvent, though, simply by changing (spoofing) the MAC address of the client device's wifi interface.

If you want to have certain devices on a specific VLAN via wired networking, you must only physically allow it to connect to an access port of that specific VLAN.

-> if you have a relatively advanced managed switch, this may be possible to do, or at least you can provide ACLs with MAC addresses to prevent unauthorized devices from connecting via a specific physical port (or set of ports).


or two APs with same SSID and mutually exclusive MAC allow/deny lists…

not great, but should work if the AP ranges are sufficiently similar.

Otherwise, I agree with @psherman: a MAC list is not good security practice. 802.1X would be much better, but more complicated to set up.

I think that this would lead to very unpredictable behavior from the client device perspective. The client will attempt to connect and will randomly select one or the other (random at human level, it will likely select based on the signal quality). If it cannot connect, it probably isn't going to try again and correctly select the other AP.

If the device is connected to a physical port, it is allowed to access the private LAN.

I don't worry about MAC address spoofing; it is just for my family and friends to use. Because many devices use random MAC addresses now, one device could have more than one IP address at different times. I want to limit one IP for each device. We have a fairly big family and each one has 3-4 devices; I don't want to check every one of them. If they find one of their devices has no internet access, they can just come to me and I disable random MAC address on their device and add the device's native MAC address to the allow list.

Why not just do this proactively? You can create an allow list for the approved devices (again, not the most robust option here, but seems like it'll be sufficient for your needs).

But the devices that are not on the allow list will not be able to connect. You can't then cause them to connect to a different network from the OpenWrt side. So, for those, provide them with a different SSID and password such that they join the desired network.

Already have a list including most of them, but there may still be missing ones. As I said, I don't want to spend time searching for every device. Also, they may purchase a new device and I wouldn't know.

That's why I created guest wifi for my friends. For devices owned by family members, I want them in my private network so I can assign a static DHCP IP based on the MAC address; then I can easily see which device is online and how much data is used by each device.

I guess I don't really understand the problem, then...

If you have a mostly complete list of MAC addresses and you have turned off the random MAC feature on most of the devices, enable the allow list function and see what devices fail to connect. Then fix those individually.

But, given that you have a separate guest SSID for untrusted devices and all of your family's (trusted) devices are already using the main/trusted LAN, there really isn't a need to mess with MAC address filters and such.

If you're concerned that you have untrusted devices still hanging out on the main trusted network, here's another approach:
--> Change the SSID and/or password for the main wifi network.

This will force all devices to lose their connection to the network. Then, you go around and provide the new credentials to all of the trusted devices, and switch the untrusted ones to the guest network.

That is what I try to do. Kids may buy a new device in the future (or they have a device with random MAC enabled) and try to connect it to private wifi using the password given before. The device should not have internet access until the new MAC address (the device MAC address, not the random MAC) is added to the allow list.
The problem is that if I deny all unknown MAC addresses using the method in the other post (I posted the link in #1), that will also affect the devices on the guest network, because the MAC addresses on guest wifi are all unknown.

I have not used the MAC filtering methods, but are you sure? I thought this could be done on an SSID basis, not the radio in general. Am I mistaken here?

The method posted in post #1 uses firewall rules on the main router, not MAC filtering on the APs. It would take a lot of time to use MAC filtering on each AP, and there is no MAC filtering option on one of my APs, i.e. the Netgear EAX20 wifi extender.

I see.

You may be able to use policy based routing to only apply the MAC filter rules to a specific network... but I've never tried this, and PBR may only really work on the L3 side of things (i.e. by IP addresses, not MAC addresses).

The other approach would be to set up DHCP reservations for all "approved" devices and then use those IP addresses in an allow rule on the lan zone.

So you'd have a rule affecting source zone lan with IP addresses < list of approved IPs from the DHCP reservations > followed by a drop/reject all from all other LAN IP addresses (by source zone and/or by subnet, i.e. 192.168.1.0/24). Then you would only apply the rule on the lan.

But going back to the basics here... I think you're over-indexing on the method here... if you ensure that only allowed/trusted devices have the SSID and password for your trusted network, that's all you need to do. And you can theoretically control new devices being added to the network by only providing the credentials yourself (disable the password sharing option on the hosts to ensure this fact).
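The zone-scoped allow/reject pair described above, written out as OpenWrt firewall stanzas. This is an added example, not code from the thread or the OpenWrt project; it assumes the trusted wifi and wired network land in the firewall zone named `lan`, the internet is zone `wan`, and the guest SSID arrives in its own zone (called `guest` here), so nothing in these rules touches it. The IP/MAC pairs are constructed sample values. Each approved host is matched on both its reserved IP and its native MAC, which is exactly what a DHCP reservation ties together, so a device that shows up with a random MAC (or one that hand-configures a reserved IP) falls through to the final reject and loses internet access while keeping its LAN connection.

```shell
#!/bin/sh
# Added example (not from the thread): generate /etc/config/firewall stanzas that
# let only approved hosts in the 'lan' zone reach 'wan' and reject every other
# lan host. The guest SSID is assumed to sit in its own zone ('guest'), so these
# rules never apply to it. Zone names and sample hosts are assumptions.

# Constructed sample allow list: one "ip mac" pair per line (not real hosts).
APPROVED='192.168.1.10 AA:BB:CC:DD:EE:01
192.168.1.11 AA:BB:CC:DD:EE:02'

gen_lan_allowlist() {
    # $1: newline-separated "ip mac" pairs from the DHCP reservations
    n=0
    printf '%s\n' "$1" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        n=$((n + 1))
        # One ACCEPT per approved host; src_ip AND src_mac must both match,
        # so the reserved address only works from the device's native MAC.
        cat <<EOF
config rule
    option name 'Allow-approved-$n'
    option src 'lan'
    option src_ip '$ip'
    option src_mac '$mac'
    option dest 'wan'
    option proto 'all'
    option target 'ACCEPT'

EOF
    done
    # Catch-all placed after the accepts: firewall rules are evaluated in file
    # order. proto 'all' matters; a rule without it only matches tcp/udp.
    # dest 'wan' means unapproved hosts lose internet but keep LAN/DHCP access.
    cat <<EOF
config rule
    option name 'Reject-unapproved-lan'
    option src 'lan'
    option dest 'wan'
    option proto 'all'
    option target 'REJECT'
EOF
}

# Stand-alone run prints the stanzas; on the router you would append them:
#   gen_lan_allowlist "$APPROVED" >> /etc/config/firewall && /etc/init.d/firewall reload
gen_lan_allowlist "$APPROVED"
```

When a family member brings a new device, the only change is one more line in the allow list and a matching DHCP reservation; until then the device associates to the private SSID normally but cannot reach `wan`, which is the behaviour asked for in this thread without touching the guest zone.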

Yes yes MAC addr is no security feature yes yes I know that. Anyway, you can use "normal" WPA authentication and still use radius to put a client in a VLAN based on its MAC addr, see https://github.com/openwrt/openwrt/pull/9255

That sounds doable. Will try it.

I did not get this one. For example, I have private wifi SSID name "ABC" with password. Family members already know this password to connect their existing device to "ABC". If they have a new device, they can still use this password to connect to "ABC".

The main router does not have wifi; I have 3 APs, however only one has OpenWrt.

Is this the desired situation? In other words, is the plan to allow your family members to connect devices to the network? or do you want to have more control over what gets connected?

If the former, then why bother limiting things by MAC addresses or any other filtering method if you trust your family members' devices? If the latter, change the password and don't tell them what it is... then they have to ask you for 'approval' to add it to the network.

(another option -- create an additional pseudo-trusted network, and then give them that SSID and password and don't worry about it if they add new devices, etc.).


I don't prohibit them from connecting their devices to the network. I need to do the restriction because:

  1. Many devices use random addresses; this restriction will force the device to use only its device MAC address when connecting to the private network. I use a long lease time. Sometimes I saw many IP addresses reserved for one device (lease not expired).
  2. Assign a DHCP static address to each device
  3. New devices can connect but need to be added to the whitelist
  4. It is possible to know the usage of each device based on IP
  5. Can set a schedule for each device

I prefer my way to control the network devices rather than keeping password secret.

But I guess the point I'm making is that, if you trust the devices your family members add, you don't need to make a big thing about allow listing and filtering... seems like unnecessary efforts.

I get the idea of having a DHCP reservation on the devices being useful to organize the network, but how often does your family introduce new devices to the network? If someone gets a new phone/computer that has the MAC randomization feature, you'll probably know about it and can turn that off proactively. Other devices like small (trustworthy) IoT devices or game consoles and the like aren't going to use randomized MAC addresses, so you don't need to worry about those... just assign the DHCP reservation and you're good.

This appears to be the only specific reason that any of this is valuable... but again, for the devices that need to be scheduled, you can do this proactively. And I can't imagine that your family members are adding new phones/computers on a frequent basis.

So yet another way to deal with this...

  • If devices can be scheduled en masse, just set up another SSID that is scheduled accordingly and put all devices on that wifi network. It can be bridged to the trusted LAN from a network perspective, but the SSID itself can be the scheduled/gating criterion.

Lower the lease time, then.

  • This is usually the default setting on modern devices; the user would have to know you did this, understand it and fix it (just noting that because I understood them to be kids).
  • Since it's a privacy setting, be sure the kids actually have permission to change it on their devices.

On a modern device, it seems kinda prohibitive.

Thanks for the suggestions, but they are not appropriate for me. Family members come and go, and every time they come back there are always many new MAC addresses. By now I still have 5 MAC addresses to figure out. It is not possible to keep the password secret because my wife will tell them too....