Then (at least in my case) I don't understand what you're protecting yourself from. It takes a state-level resources to crack a good password. Instead, you were DDoSed by (what you believe to be) 1 printer.
You explained why it's not counter intuitive on load
You did explain why it's counter intuitive to setup MAC lists in the first place
Logging is a 3rd system resource used (this doesn't think I mean disabling logging changes that the software still performs the process without logging it)
Like I said:
Simple, it's a pre-shared key. You already provided (an authorized user) all the computation needed for the device to authenticate. The AP is creating messages with the correct key; it's a malicious actor would would be generating messages that are astronomically unlikely to have the correct key within the useful life of your router. It therefore costs more for the attacker to compute than the AP. This concept exists in locksmithing, as well as in cryptology.
Also add that you take CPU resources to program an alarm that someone puled the tape off...and resources to replace the tape each time, as well.
Update: whitelisting the bad device does not solve the problem of my own devices not being able to connect after a few days.
The problem returned after ~4.5 days. When it happened the router had fairly low average load (~0.4) and approx. 60% memory free.
The kernel log contains no information:
<Previous wireless restart to apply MAC address whitelist changes>
[199228.640588] device wlan1 left promiscuous mode
[199228.645285] br-lan: port 2(wlan1) entered disabled state
[199229.476189] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[199229.540557] br-lan: port 2(wlan1) entered blocking state
[199229.546037] br-lan: port 2(wlan1) entered disabled state
[199229.551876] device wlan1 entered promiscuous mode
[199229.556807] br-lan: port 2(wlan1) entered blocking state
[199229.562316] br-lan: port 2(wlan1) entered forwarding state
[199229.909446] br-lan: port 2(wlan1) entered disabled state
[199237.976278] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[199237.982994] br-lan: port 2(wlan1) entered blocking state
[199237.988492] br-lan: port 2(wlan1) entered forwarding state
<Wireless restart because devices cannot connect any more>
[608635.720072] device wlan1 left promiscuous mode
[608635.724763] br-lan: port 2(wlan1) entered disabled state
[608662.223198] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[608662.281303] br-lan: port 2(wlan1) entered blocking state
[608662.286857] br-lan: port 2(wlan1) entered disabled state
[608662.292740] device wlan1 entered promiscuous mode
[608671.025266] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[608671.032040] br-lan: port 2(wlan1) entered blocking state
[608671.037527] br-lan: port 2(wlan1) entered forwarding state
The system log caught the last moments:
Wed Feb 6 22:13:38 2019 daemon.notice netifd: wan (1222): udhcpc: sending renew to 192.168.0.1
Wed Feb 6 22:13:39 2019 daemon.notice netifd: wan (1222): udhcpc: lease of 192.168.0.11 obtained, lease time 3600
Wed Feb 6 22:13:41 2019 daemon.notice hostapd: Station da:a1:19:6f:d7:8b not allowed to authenticate
Wed Feb 6 22:13:42 2019 daemon.notice hostapd: Station b8:81:98:69:21:ed not allowed to authenticate
Wed Feb 6 22:19:06 2019 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED e8:3a:12:ee:18:4a
Wed Feb 6 22:19:06 2019 daemon.info hostapd: wlan1: STA e8:3a:12:ee:18:4a IEEE 802.11: disassociated due to inactivity
Wed Feb 6 22:19:07 2019 daemon.info hostapd: wlan1: STA e8:3a:12:ee:18:4a IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
<Last mention of known good device, after this moment my device can no longer re-connect to WiFi>
Wed Feb 6 22:33:40 2019 daemon.info dnsmasq-dhcp[1598]: DHCPREQUEST(br-lan) 192.168.1.108 74:d4:35:e6:2b:65
Wed Feb 6 22:33:40 2019 daemon.info dnsmasq-dhcp[1598]: DHCPACK(br-lan) 192.168.1.108 74:d4:35:e6:2b:65 pc
Wed Feb 6 22:43:39 2019 daemon.notice netifd: wan (1222): udhcpc: sending renew to 192.168.0.1
Wed Feb 6 22:43:40 2019 daemon.notice netifd: wan (1222): udhcpc: lease of 192.168.0.11 obtained, lease time 3600
Wed Feb 6 23:02:57 2019 daemon.warn odhcpd[978]: DHCPV6 RENEW IA_NA from 00047dbf164cfeb746abe0d8b5bdf8828c85 on br-lan: ok fdc3:3b2f:6189::c88/128
Wed Feb 6 23:13:40 2019 daemon.notice netifd: wan (1222): udhcpc: sending renew to 192.168.0.1
Wed Feb 6 23:13:41 2019 daemon.notice netifd: wan (1222): udhcpc: lease of 192.168.0.11 obtained, lease time 3600
Wed Feb 6 23:43:41 2019 daemon.notice netifd: wan (1222): udhcpc: sending renew to 192.168.0.1
Wed Feb 6 23:43:42 2019 daemon.notice netifd: wan (1222): udhcpc: lease of 192.168.0.11 obtained, lease time 3600
Thu Feb 7 00:13:42 2019 daemon.notice netifd: wan (1222): udhcpc: sending renew to 192.168.0.1
Thu Feb 7 00:13:43 2019 daemon.notice netifd: wan (1222): udhcpc: lease of 192.168.0.11 obtained, lease time 3600
Thu Feb 7 00:35:16 2019 daemon.err uhttpd[1258]: luci: accepted login on / for root from 192.168.1.108
<Wireless restart because devices cannot connect any more>
Thu Feb 7 00:41:07 2019 kern.info kernel: [608635.720072] device wlan1 left promiscuous mode
Thu Feb 7 00:41:07 2019 kern.info kernel: [608635.724763] br-lan: port 2(wlan1) entered disabled state
Thu Feb 7 00:41:07 2019 daemon.notice hostapd: wlan1: interface state ENABLED->DISABLED
Thu Feb 7 00:41:07 2019 daemon.notice hostapd: wlan1: AP-DISABLED
Thu Feb 7 00:41:07 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-TERMINATING
Thu Feb 7 00:41:07 2019 daemon.notice hostapd: nl80211: deinit ifname=wlan1 disabled_11b_rates=0
Thu Feb 7 00:41:07 2019 daemon.notice hostapd: nl80211: Failed to remove interface wlan1 from bridge br-lan: Invalid argument
Thu Feb 7 00:41:33 2019 daemon.err hostapd: Configuration file: /var/run/hostapd-phy1.conf
Thu Feb 7 00:41:33 2019 kern.info kernel: [608662.223198] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
Thu Feb 7 00:41:33 2019 kern.info kernel: [608662.281303] br-lan: port 2(wlan1) entered blocking state
Thu Feb 7 00:41:33 2019 kern.info kernel: [608662.286857] br-lan: port 2(wlan1) entered disabled state
Thu Feb 7 00:41:33 2019 kern.info kernel: [608662.292740] device wlan1 entered promiscuous mode
Thu Feb 7 00:41:33 2019 daemon.notice hostapd: wlan1: interface state UNINITIALIZED->COUNTRY_UPDATE
Thu Feb 7 00:41:33 2019 daemon.notice hostapd: ACS: Automatic channel selection started, this may take a bit
Thu Feb 7 00:41:33 2019 daemon.notice hostapd: wlan1: interface state COUNTRY_UPDATE->ACS
Thu Feb 7 00:41:33 2019 daemon.notice hostapd: wlan1: ACS-STARTED
Thu Feb 7 00:41:34 2019 daemon.notice hostapd: Station b8:e9:37:65:93:6c not allowed to authenticate
Thu Feb 7 00:41:40 2019 daemon.notice hostapd: Station b8:08:d7:a2:1f:54 not allowed to authenticate
Thu Feb 7 00:41:40 2019 daemon.notice hostapd: Station b8:08:d7:a2:1f:54 not allowed to authenticate
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: Station b8:e9:37:65:93:6c not allowed to authenticate
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: ACS: Survey is missing noise floor
Thu Feb 7 00:41:41 2019 daemon.notice hostapd: wlan1: ACS-COMPLETED freq=2462 channel=11
Thu Feb 7 00:41:41 2019 daemon.err hostapd: Using interface wlan1 with hwaddr a4:2b:b0:d9:26:eb and ssid "<MY_SSID>"
Thu Feb 7 00:41:42 2019 kern.info kernel: [608671.025266] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
Thu Feb 7 00:41:42 2019 kern.info kernel: [608671.032040] br-lan: port 2(wlan1) entered blocking state
Thu Feb 7 00:41:42 2019 kern.info kernel: [608671.037527] br-lan: port 2(wlan1) entered forwarding state
Thu Feb 7 00:41:42 2019 daemon.notice hostapd: wlan1: interface state ACS->ENABLED
Thu Feb 7 00:41:42 2019 daemon.notice hostapd: wlan1: AP-ENABLED
Thu Feb 7 00:41:42 2019 daemon.notice netifd: Network device 'wlan1' link is up
Thu Feb 7 00:43:22 2019 daemon.notice hostapd: Station da:a1:19:6e:f4:df not allowed to authenticate
Thu Feb 7 00:43:44 2019 daemon.notice netifd: wan (1222): udhcpc: sending renew to 192.168.0.1
Thu Feb 7 00:43:45 2019 daemon.notice netifd: wan (1222): udhcpc: lease of 192.168.0.11 obtained, lease time 3600
Thu Feb 7 00:44:25 2019 daemon.notice hostapd: Station c4:93:d9:85:a0:57 not allowed to authenticate
Thu Feb 7 00:44:25 2019 daemon.notice hostapd: Station c4:93:d9:85:a0:57 not allowed to authenticate
Thu Feb 7 00:45:46 2019 daemon.notice hostapd: Station c4:93:d9:85:a0:57 not allowed to authenticate
Thu Feb 7 00:45:46 2019 daemon.notice hostapd: Station c4:93:d9:85:a0:57 not allowed to authenticate
<My device connects again after the restart>
Thu Feb 7 00:45:50 2019 daemon.info hostapd: wlan1: STA e8:3a:12:ee:18:4a IEEE 802.11: authenticated
Thu Feb 7 00:45:50 2019 daemon.info hostapd: wlan1: STA e8:3a:12:ee:18:4a IEEE 802.11: associated (aid 1)
Thu Feb 7 00:45:50 2019 daemon.notice hostapd: wlan1: AP-STA-CONNECTED e8:3a:12:ee:18:4a
Thu Feb 7 00:45:50 2019 daemon.info hostapd: wlan1: STA e8:3a:12:ee:18:4a WPA: pairwise key handshake completed (RSN)
Thu Feb 7 00:45:50 2019 daemon.info dnsmasq-dhcp[1598]: DHCPDISCOVER(br-lan) e8:3a:12:ee:18:4a
Thu Feb 7 00:45:50 2019 daemon.info dnsmasq-dhcp[1598]: DHCPOFFER(br-lan) 192.168.1.180 e8:3a:12:ee:18:4a
Thu Feb 7 00:45:50 2019 daemon.info dnsmasq-dhcp[1598]: DHCPREQUEST(br-lan) 192.168.1.180 e8:3a:12:ee:18:4a
Thu Feb 7 00:45:50 2019 daemon.info dnsmasq-dhcp[1598]: DHCPACK(br-lan) 192.168.1.180 e8:3a:12:ee:18:4a galaxys2
Thu Feb 7 00:45:53 2019 daemon.notice hostapd: Station 18:67:b0:7a:83:91 not allowed to authenticate
After hostapd deauthenticated my device for inactivity (which sounds OK, since the device was not used at that time) it could no longer connect back. I tried connecting around midnight, but couldn't. Nothing in the system log mentions those failed attempts. The failing device did not display any errors, just "Connecting..." and then nothing. Restarting the WiFi on the device did not help, it still couldn't connect to the router until I restarted WiFi on the router. Sadly, the logs from the failing device are too noisy and I did not dump them in time (didn't think about dumping before fixing), so can't say how it looks from the other side.
I'll try updating to 18.06.2 over the weekend and see if that helps. Any ideas are welcome!
Hi. Another update. After upgrading to 18.06.2 (and having the printer MAC still whitelisted) the problem seems to have gone away - so far 7.5 days without issues.
One interesting observation is that even though my device is often inactive, over the last week the "disassociated due to inactivity" log has not appeared, suggesting it was related to the problem in some way.
Either way I am happy that the issues are gone. Thank you everyone for your suggestions and discussion!
