Option macfilter 'allow' doesn't do anything

I want to regulate who can access my WiFi (there is a guest WiFi for the rest). I want to do this with option macfilter 'allow', so only the correct MAC addresses can access WAN through WiFi. (I know that iOS devices spoof MAC addresses, but you can turn this off, or use guest WiFi :wink: )

But somehow the option doesn't work. Of course I restarted the router / services.

Using 19.07.4 on a WRT3200ACM

root@MPM-ROUTER:/etc/config# cat wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option channel '149'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'xxxxxxxxxxxx'
        option ssid 'MPM'
        option macfilter 'allow'
        list maclist '.....'
        list maclist '.....'
      
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT40'
        option channel '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'xxxxxxxx'
        option ssid 'MPM'
        option macfilter 'allow'
        list maclist '.....'
        list maclist '.....'

And "the option doesn't work" means...

  • ... that the devices on the list cannot connect?
  • ... that the devices not on the list can connect?

@eduperez Sorry for the confusion.
The devices on the list can connect (that is how it should work, I guess).
But when I spoof another MAC or remove it from the list, it can still connect.

If I change it to deny, and test a device, it still can connect.

I found the problem: I use AirPort Extremes as a bridge, and this is why it is not working. If I disconnect them, it works.

Can I regulate the traffic in LAN with MAC allow/deny? That would do the trick too, because all others go through Guest->WAN.

Then I only need to add those who can access the LAN.

Devices connected through the Airport Extreme are already connected to LAN, there is nothing you can do on the router to kick them out. You can block them at the DHCP server, but that is "good enough" depending on your needs.

Perhaps you can block those devices on the Airport Extreme, too.

Anyway, those devices can connect to the main network because someone configured the wireless password... can't you just change the password?


@eduperez Of course I can change the password, but with all the iOS devices, you only have to lay them alongside and your password is shared with the other device.

The AirPort Extremes are on LAN, that is indeed the problem. I have a guest WiFi on those AirPorts too, with an extra VLAN on 1003. So the router thinks everything is on LAN.

What I just did minutes ago and seems to work....

I made a firewall accept rule for all MAC addresses that can have access, and below that one I made a rule that denies access from LAN to WAN/VPN (so all WiFi and UTP are set up this way).

(No one in the house on a videocall or game screamed the line was dead, so fingers crossed :wink: )

A nice thing that happened is that I left all IoT out of the list, so they are now confined to only LAN automatically.

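The rule pair described in the last post, sketched as an added example for /etc/config/firewall (it is not the poster's actual configuration). The zone names `lan` and `wan`, the rule names and the MAC addresses are constructed placeholders; a further zone such as the VPN mentioned above would need the same pair with its own `dest`.

```uci
# /etc/config/firewall (excerpt) -- added example, all values constructed.
#
# Unlike 'option macfilter' in /etc/config/wireless, which is only applied
# to clients associating with the router's own radios, these rules match
# traffic the router forwards, so they also cover wired hosts and clients
# sitting behind a bridged access point.
#
# Rules are evaluated top to bottom: the ACCEPT rule must stay above
# the REJECT rule.

# 1) Allow-listed devices may be forwarded from lan to wan.
config rule
        option name 'Allow-known-MACs-to-WAN'
        option src 'lan'
        option dest 'wan'
        option proto 'all'
        list src_mac '02:00:00:00:00:01'
        list src_mac '02:00:00:00:00:02'
        option target 'ACCEPT'

# 2) Every other lan host is refused on the way to wan.
#    Hosts left off the list (for example IoT devices) stay reachable
#    inside lan but get no upstream access.
config rule
        option name 'Reject-other-LAN-to-WAN'
        option src 'lan'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

# A source MAC address is chosen by the client, so a device that copies
# a listed address is treated as that device. The list limits which
# devices get upstream access by default; the WPA2 key remains the
# actual access control for the network.
```

After editing the file, `/etc/init.d/firewall restart` reloads the rule set; a test from a device that is not on the list should then fail to reach WAN while LAN hosts stay reachable.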
