Hello, the MAC filter does not work in "accept only devices in the list" mode. When I apply the setting, I cannot see my network in the Wi-Fi list (although I added the hidden network). I don't know if it's because I enabled hiding the SSID, but I couldn't solve the problem. Can anyone help me? My device is a Xiaomi Giga 4A running OpenWRT version 23.05.5, the latest.
Android, Windows and Macs generate random MACs for every connection. Hiding and MAC lists are not security measures. Hiding makes every client broadcast the "hidden" name forever, and a MAC can be trivially duplicated.
Please post output of
ubus call system board
cat /etc/config/wireless
Editing away passwords, public IPs, MAC addresses and other secrets.
I am not at home right now. I can share the log file when I go. But why doesn't the mac filter work when the hidden ssid is on? I am sure that I added the mac address of my device to the mac filter. I only use the hidden Even though I added the ssid, my network does not appear in the wifi list of any device, only the television can connect.
Frankly no idea if maclist is applied when facing random mac in scan.
Maclist is applied, I just can't see my wifi in the list at all, even if it is active in the interface, it doesn't appear in any device's wifi scan (even if I add a hidden ssid manually)
My theory is that MAC list is applied to probe and probes from random MAC in scan are not replied. Just stop using antique pseudo-security measures and all will get well.
If I don't use a Mac filter, can someone who knows the password connect to my network with a QR code, even if it is hidden? It creates a security vulnerability.
Anyone in vicinity can sniff SSID and MAC of your TV or any client.
@brada4 hi friend check this
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel 'auto'
	option band '2g'
	option htmode 'HT40'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'John2G'
	option encryption 'sae-mixed'
	option key 'john12345678'
	option ifname '2.4GHz'
	option macfilter 'allow'
	list maclist '3B:DC:AB:8D:AA:27'
	list maclist '3A:Z8:9C:B9:7F:30'
	option hidden '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'John5G'
	option encryption 'sae-mixed'
	option hidden '1'
	option key 'john1234578'
	option ifname '5GHz'
	list maclist '3B:DC:AB:8D:AA:27'
	list maclist '3A:Z8:9C:B9:7F:30'
3B:: is broadcast address and will not work.
The plan:
- set to WPA2 force CCMP, optional 11w (not forced)
- connect all devices and copy visible MAC addresses to wifi whitelist
- hide AP back - check connection
- change to WPA3 - check again
- it is a legal necessity to set wifi country code and helps a lot to have both bands have same AP names and cryptos
- if it was indeed an interop problem with mixed mode - don't give up yet, you can have super-interoperable double AP in each band with same name and password but differing in cryptography.
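A way to check allow-list entries before relying on them, as an added example that is not part of any post in this thread: the two low bits of a MAC's first octet mark it as a group (multicast) address or as locally administered, the form randomized client MACs take, and OpenWrt's `macfilter` defaults to `disable`, so a `maclist` without it does nothing. The function names are hypothetical; the radio0 entries are copied from the config posted above and the radio1 entry is constructed.

```shell
# Classify a MAC by the two low bits of its first octet.
# Prints one of: invalid, group, local, global.
classify_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || { echo invalid; return 0; }
    case "$(printf '%s' "$mac" | cut -c2)" in
        1|3|5|7|9|B|D|F) echo group ;;  # I/G bit set: multicast, never a station's own address
        2|6|A|E)         echo local ;;  # U/L bit set: locally administered (randomized MACs)
        *)               echo global ;; # vendor-assigned unicast address
    esac
}
# Print findings for the section collected so far (reads section, filter, macs).
report() {
    [ -n "$macs" ] || return 0
    case "$filter" in
        allow|deny) ;;
        *) echo "$section: maclist set but macfilter is not allow/deny" ;;
    esac
    for m in $macs; do
        cls=$(classify_mac "$m")
        [ "$cls" = global ] || echo "$section: $m is $cls"
    done
}

# Read a UCI wireless config on stdin and lint every section that has a maclist.
lint_wireless() {
    tr -d "'\"" | {
        section="" filter="" macs=""
        while read -r kind name value; do
            case "$kind $name" in
                "config "*)         report; section=$value; filter=""; macs="" ;;
                "option macfilter") filter=$value ;;
                "list maclist")     macs="$macs $value" ;;
            esac
        done
        report
    }
}

# Constructed sample: radio0 entries as posted in the thread, radio1 entry made up.
sample_config() {
    cat <<'EOF'
config wifi-iface 'default_radio0'
	option macfilter 'allow'
	list maclist '3B:DC:AB:8D:AA:27'
	list maclist '3A:Z8:9C:B9:7F:30'
config wifi-iface 'default_radio1'
	list maclist '3a:11:22:33:44:55'
EOF
}
sample_config | lint_wireless
```

On the router the same check runs as `lint_wireless < /etc/config/wireless`; a `local` result means the entry will stop matching once the client rotates its randomized address for that network.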
MAC filters, as stated earlier, are a really simplistic and not very effective method to control access. You could compare it to closing the door to your home but not actually locking it... it's easy enough to get through that hoop that it will only deter the most casual attackers. See the link below.
I'm not sure if you're asking this question in the context of "I don't want anybody to connect," or if it is more like "I want to make sure my friends/family can connect."
Either way... make a strong password. If you need to share that password with family members and guests, there are a bunch of ways to do it. Or, for guests, you could always make an additional/untrusted network that has an easy password and that is isolated from your trusted network.
Here I'm assuming your intent is to make it easy for certain people to connect? If that's not the case, why would there be a QR code with the password?
This also has little benefit, and Apple even recommends that you disable the "hidden" feature (in other words, make it visible) because this doesn't actually help with security, and may in fact make things worse. Again, link below.
What creates a security vulnerability? A weak password or one that is literally advertised with a QR code would obviously be a vulnerability if you expect to keep people off your network. A hidden network is also generally viewed as a vulnerability, too (I know, it's counterintuitive).
See the "Hidden Network" and "MAC address filtering..." section in the article linked below:
Thank you for your answers, they were enlightening. So what do you think about the problem I am experiencing, the hidden SSID and the mac filter not working at the same time?
Speculation is hidden ap does not respond to beacons from random MAC. Deemed true unless you prove me wrong with wifi sniffer.
Honestly, I think that in light of the evidence about these being mostly useless options, it’s really not worth the time or energy to try to figure out why it manifests as it does. It is not helping your network’s security stance, so the only rationale for spending any time debugging further is purely academic.
Just a suggestion - set long password and non-dictionary access point name, and prime up guest AP changing password if needed.