Hidden SSID in combination with mac filter

Hi there,

First post, so please be gentle with me.

I have 2 TP-Link WDR4900. One with 18.06.1 and the other with 18.06.2. Both have the same issue with my Huawei P10 Lite.

Connecting with Wifi works on 2.4Ghz and 5Ghz as long as I do not use hidden SSID and mac filtering together. Off course I have added the mac of my phone to the mac filter. If I combine those two then the phone is not able to find my AP. The message I see on the phone says that he cannot find the wifi network with the given name.
Removing the mac filter or make the SSID visible and the phone can connect again.

Other devices do not seem to have this issue and connect to my Wifi network without an issue.

First conclusion is that it is my phone that causes this but with the original WDR4900 firmware from TP-Link there is no such issue. On an older WRT54G the same phone also doesn't have this issue.
The Phone is up-to-date, so far Android on a phone can be up-to-date.
So what is it? The phone or OpenWrt or WDR4900?

Does anyone have a clue or push me in the right direction!?

I have read other topics about hiding SSID and a mac filter not being secure but that is not the point. It is 2019 and why shouldn't this work? Both features exist a long time and are supported by OpenWrt so if they add no security whatsoever, remove them from OpenWrt. If features are put in, people are going to want to use them.

Many thank in advance.

CU
Al

Yes, disable MAC filtering. Both tools are contradictory to WiFi spec anyways - and provide no additional security. This is likely why they don't work in 2019.

Wow, you're the first person in this community that I've seen propose that - given your understanding of it.

  • Also, search the threads, I wouldn't call it "supported by OpenWrt" ...it likely was a feature that made its way from the original Linksys open source code.

In this thread, the filter caused an issue: How to deal with a printer DoSing my WiFi? [Solved]

Thanks for your reply.

I would not like to start another discussion about why these features should not be used. That part is clear. It was clear to me before I opened my topic. What I would like to know is why it doesn't work.

Saying, don't use these features because ..... and ..... is good to know but how many features are there in OpenWrt that shouldn't be used because of ......?
E.g. WEP "encryption"?
It is there so people want to use. If it doesn't work, they may or may not try to figure out why it isn't working before starting a topic about it. Hearing that they shouldn't use it is good but doesn't solve the issue. Keeping those features in will continue to raise questions when they are used and do not work as expected.

The features are there so people want to use them. If it doesn't make sense why are they there? Better is to remove them, that saves a few lines of code to maintain that don't work properly and less discussion about these features.

Some features like "Enable key reinstallation (KRACK) countermeasures" have a warning message that explains a bit what could happen when it is used.
There are no such messages for mac filter or hidden SSID so this implies that they should work together.

Let me be clear. I have nothing against OpenWrt, on the contrary I love it.

Al

Hi,

I have the same problem and I am wondering, because if I have a second WiFi active on the router without mac address filter and add them both to the mobile device, there is no problem anymore. The client can connect automatically only to the second hidden WiFi without mac filter, but then the device is able to see the first hidden WiFi with mac filter. I never had this problems on OpenWrt 15.05 and can't recognize why this feature should not work by default anymore. It is a security feature to use the mac filter additionaly!

Best regards

Four years later?

"Add them both to the mobile device"???

Add both of what?

Your description seems as if you don't have the same problem as the OP.

  • What does this mean???
  • Does the device see the SSID (it shouldn't because it shouldn't be broadcasted)?
  • Are you saying you manually added the SSID to the device?

If so, it's an extremely poor one.

???

The current version of OpenWrt is 22.03.3.

Yes, because I buy new devices and use now OpenWrt 22.03.

I add both WiFi networks to the mobile device and then the client is able to connect automatically to the hidden WiFi without mac address filter.

The device don't try to connect to the hidden WiFi with mac address filter, if this the only configured WiFi on the device.....therefore it didn't "see" the network, because I never see at the logs something for registering the device. If I add a second hidden WiFi without mac address filter to the mobile device, then the device is able to connect to it and then I see also on the WiFi list the first hidden WiFi, which is saved. This is normal behaviour that you can see all saved networks in the near, also if they hidden, because the mobile device can reach/"see" them. And yes, I add them manually.

That is right, but also an additional layer an prevent maybe the friends of our children to loginto our network by itself, because it is very easy to see the password on Windows devices and not so easy to spoof the mac address on their smartphones.

That is also right and the reason for the problem.

???

What version are you having the issue with?

Provide the output of:

ubus call system board

{
"kernel": "5.15.94",
"hostname": "AP",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Turris Omnia",
"board_name": "cznic,turris-omnia",
"release": {
"distribution": "TurrisOS",
"version": "6.2.4",
"revision": "r16824+125-0d4a0250df",
"target": "mvebu/cortexa9",
"description": "TurrisOS 6.2.4 0d4a0250df17a9f7b0fff720fa3224b45d5b0841"
}
}

You need to ask Turris, this isn't official OpenWrt.

Of course, but it is the same problem on OpenWrt and TurrisOS is based on OpenWrt 22.03.

Hope this information helps.

Can you show this to us?

I'm not experiencing the issue on 22.03.3 - but perhaps I misunderstand how to configure in order for the issue to present itself.

You didn't have any problems with hidden WiFi networks and mac address filter?

The short answer why it used to work with old versions, is that there was a change to hostapd sometime around version 21. Also that phone OSs are increasing their use of random WiFi MAC addresses for user privacy.

The change to hostapd is that when a MAC filter is active, the AP will no longer answer Probe Requests from a not allowed client MAC. Older versions did not consult the MAC filter, they would answer any Probe Request. Though it isn't mandated by the standard, mobile clients tend to always send a Probe Request and do not further attempt to connect unless they receive a specific Probe Response. This is how they know that the AP is in radio range and also exactly which channel it is operating on.

In a modern OS these Probe Requests are sent from a random MAC, often a new different MAC for every probe-- that may even be the case when the user setting for MAC privacy is turned off, which is of course not recommended. So with the new hostapd, a hidden/filtered AP will never answer random MAC probes, and connection is impossible.

When an AP runs with a hidden SSID, the client must include the SSID in the Probe Request in order for it to be answered. The SSID is transmitted in clear text, and also the answer from the AP contains the SSID in clear text. Any low-level hacker within wifi range can discover your SSID almost instantly. But that's not the worst part. When away from home, with wifi still switched on, your phone will periodically probe for your home network or other known networks. If it is not configured as a hidden SSID, these probes do not contain a SSID, and are from a random MAC address, so they are a low privacy concern.

If you have configured your home network with a hidden SSID, your phone will broadcast that SSID in periodic probe requests if you have left the phone wifi on while away from home. Additionally if you have turned MAC privacy off, the probes may contain your constant factory MAC address (the phone has to work that way to be able to connect to a post-v21 hidden and filtered AP). This is the main reason why hidden SSID is not recommended.

3 Likes

Thanks for the answer and the interesting information.....thanks a lot :man_bowing: