I have 2 TP-Link WDR4900. One with 18.06.1 and the other with 18.06.2. Both have the same issue with my Huawei P10 Lite.
Connecting with Wifi works on 2.4Ghz and 5Ghz as long as I do not use hidden SSID and mac filtering together. Off course I have added the mac of my phone to the mac filter. If I combine those two then the phone is not able to find my AP. The message I see on the phone says that he cannot find the wifi network with the given name.
Removing the mac filter or make the SSID visible and the phone can connect again.
Other devices do not seem to have this issue and connect to my Wifi network without an issue.
First conclusion is that it is my phone that causes this but with the original WDR4900 firmware from TP-Link there is no such issue. On an older WRT54G the same phone also doesn't have this issue.
The Phone is up-to-date, so far Android on a phone can be up-to-date.
So what is it? The phone or OpenWrt or WDR4900?
Does anyone have a clue or push me in the right direction!?
I have read other topics about hiding SSID and a mac filter not being secure but that is not the point. It is 2019 and why shouldn't this work? Both features exist a long time and are supported by OpenWrt so if they add no security whatsoever, remove them from OpenWrt. If features are put in, people are going to want to use them.
I would not like to start another discussion about why these features should not be used. That part is clear. It was clear to me before I opened my topic. What I would like to know is why it doesn't work.
Saying, don't use these features because ..... and ..... is good to know but how many features are there in OpenWrt that shouldn't be used because of ......?
E.g. WEP "encryption"?
It is there so people want to use. If it doesn't work, they may or may not try to figure out why it isn't working before starting a topic about it. Hearing that they shouldn't use it is good but doesn't solve the issue. Keeping those features in will continue to raise questions when they are used and do not work as expected.
The features are there so people want to use them. If it doesn't make sense why are they there? Better is to remove them, that saves a few lines of code to maintain that don't work properly and less discussion about these features.
Some features like "Enable key reinstallation (KRACK) countermeasures" have a warning message that explains a bit what could happen when it is used.
There are no such messages for mac filter or hidden SSID so this implies that they should work together.
Let me be clear. I have nothing against OpenWrt, on the contrary I love it.
I have the same problem and I am wondering, because if I have a second WiFi active on the router without mac address filter and add them both to the mobile device, there is no problem anymore. The client can connect automatically only to the second hidden WiFi without mac filter, but then the device is able to see the first hidden WiFi with mac filter. I never had this problems on OpenWrt 15.05 and can't recognize why this feature should not work by default anymore. It is a security feature to use the mac filter additionaly!
Yes, because I buy new devices and use now OpenWrt 22.03.
I add both WiFi networks to the mobile device and then the client is able to connect automatically to the hidden WiFi without mac address filter.
The device don't try to connect to the hidden WiFi with mac address filter, if this the only configured WiFi on the device.....therefore it didn't "see" the network, because I never see at the logs something for registering the device. If I add a second hidden WiFi without mac address filter to the mobile device, then the device is able to connect to it and then I see also on the WiFi list the first hidden WiFi, which is saved. This is normal behaviour that you can see all saved networks in the near, also if they hidden, because the mobile device can reach/"see" them. And yes, I add them manually.
That is right, but also an additional layer an prevent maybe the friends of our children to loginto our network by itself, because it is very easy to see the password on Windows devices and not so easy to spoof the mac address on their smartphones.
That is also right and the reason for the problem.
The short answer why it used to work with old versions, is that there was a change to hostapd sometime around version 21. Also that phone OSs are increasing their use of random WiFi MAC addresses for user privacy.
The change to hostapd is that when a MAC filter is active, the AP will no longer answer Probe Requests from a not allowed client MAC. Older versions did not consult the MAC filter, they would answer any Probe Request. Though it isn't mandated by the standard, mobile clients tend to always send a Probe Request and do not further attempt to connect unless they receive a specific Probe Response. This is how they know that the AP is in radio range and also exactly which channel it is operating on.
In a modern OS these Probe Requests are sent from a random MAC, often a new different MAC for every probe-- that may even be the case when the user setting for MAC privacy is turned off, which is of course not recommended. So with the new hostapd, a hidden/filtered AP will never answer random MAC probes, and connection is impossible.
When an AP runs with a hidden SSID, the client must include the SSID in the Probe Request in order for it to be answered. The SSID is transmitted in clear text, and also the answer from the AP contains the SSID in clear text. Any low-level hacker within wifi range can discover your SSID almost instantly. But that's not the worst part. When away from home, with wifi still switched on, your phone will periodically probe for your home network or other known networks. If it is not configured as a hidden SSID, these probes do not contain a SSID, and are from a random MAC address, so they are a low privacy concern.
If you have configured your home network with a hidden SSID, your phone will broadcast that SSID in periodic probe requests if you have left the phone wifi on while away from home. Additionally if you have turned MAC privacy off, the probes may contain your constant factory MAC address (the phone has to work that way to be able to connect to a post-v21 hidden and filtered AP). This is the main reason why hidden SSID is not recommended.