Problem with OpenWrt 18.06.1 with wifi if ( Hide ESSID )

but original tp-link w8970 ver 1 firmware is work good !
honor 8x work with Hide ESSIS & MAC Address Control ( without any problems )

That's because the stock firmware is using older drivers. Hostapd has been recently changed to handle the MAC filter more strictly and not respond to probe requests from disallowed MACs.

In the legitimate use of hidden SSIDs and MAC filters-- private point to point links-- this is actually good. Probe responses should not be sent to stations that are not allowed to connect anyway, and point to point stations have no reason to anonymize themselves with random MACs.

2 Likes

but the honor 8x not used random MACs !
and i allowed MACs of honor 8x !

I've myself used Hide SSID feature in the past for some obvious reasons but I've never used it with mac filter. It doesn't make any sense to me that someone would use both of these at the same time. If I'm hiding SSID then no one can see it (which is wrong) but in any case why create trouble for yourself in the first place when all of this can be a simple thing with just a strong password. You can hide your SSID for any reason and add a strong password so no one can get through if that's what you want.

3 Likes

i make password same as
A05D8AF5D3CA7B8AFF4D6E93B04C5A87
this good ?
or need some symbols ? ( @$#%$% ) ?????

THAT IS HORRIBLE


https://my.norton.com/extspa/idsafe?path=pwd-gen

You can use up to 63 ASCII characters in a WPA2 passphrase.

2 Likes

thank you.

1 Like

May I add that these add security. Being it not much but in a sense they do. Most security is based on obscurity. For example the WPA password encryption can be ultra safe but if you leave it on your front door on a post it it has less meaningful security.

I did have SSID hidden and a ACL active. Just to keep those script kiddies out. Especially on places around schools. There are allot of children tying those online tutorials and these features may be a bridge to far for them.

And just as with locks. You should make your locks harder to pick than your neighbors. Just to keep the opportunists out.

I also encountered this OPs issue recently with my Galaxy A8 after a update. My network ran OpenWRT18 with both features enabled. And it all worked fine. But after the Galaxy A8's update it didn't work anymore. So it seems that even while connecting my phone uses a random mac.

1 Like

Either your password (the PSK) is good - then no amount of brute forcing will crack it within reasonable time, or it isn't. Hidden ESSIDs or MAC access lists don't add to its security in the slightest, those are circumvented trivially - while hacking a good PSK isn't.

3 Likes

As it seems this is not an issue/bug for OpenWrt, just a feature embedded in some devices. OP has listed it as a problem but it's clearly not related to the firmware though. Firmware is doing whatever it's being told by the configuration done by the user.

2 Likes

There are both pros and cons to MAC address randomization. Obviously it breaks mac filtering, This is not a big deal from a security perspective as it adds little security, but it is inconvenient if you have a wireless ISP that validates your access by MAC. My ISP has all kinds of hotspots in town, and remembering my MAC keeps me from having to sign into their captive portal every time I connect.

OTOH, your MAC address can be used to track you. Platforms like Cisco's MSE can give very granular data about your connections and movements, which can be used by retailers for instance to see how often you visit and which store aisles you frequent or linger in.

Ideally you can turn this feature on and off as required. I usually randomize unless I need to connect to a hotspot where I am fine with them remembering me (I'd have to sign in otherwise anyway so I'm not anonymized regardless). IMO it is good to have the choice.

1 Like

But does it really have to add any security? If we don't want to have our SSIDs listed in wireless scans then there is a reason right?

I see these kinds of topics often. Where people like to enable ACL and a hidden SSID. And there is always someone mentioning (unasked) the security aspect. If someone want to enable this feature its their right to do so right?

It may not be a bug. But hostapd did increase its strictness for ACL recently. So maybe its not a bug but more feature request to enable a more moderate level of validation.

Because it's a logical fallacy, your next best free (both as in beer and/ or freedom) smartphone wireless scanner (and so does every better networking dæmon) will list them and their MAC addresses nevertheless (yes, they usually won't display the hidden ESSID name, but that would be trivial to snoop).

The mere concept of MAC based access lists transports the meaning of shutting out non-whitelisted devices, read security. The problem here is that a five year old can spoof those, rendering the MAC addresses moot for authentification. On the contrary, hidden ESSIDs do reduce security, as those mean that clients need to actively scan for the hidden ESSIDs, everywhere, thereby leaking your private ESSID wherevery you and your smartphone go.

Edit: At the same time hidden ESSIDs do create real problems for many clients trying to connect to them - while you may consider those to be buggy, they are a reality nevertheless.

Isn't that leaked SSID problem with normal SSIDs as well? On early devices there was a option to connect to hidden networks. But now most devices assume that a SSID is hidden, so it works in both cases.

The basic Windows Linux and MacOS wireless tools do not show a hidden SSID. So the not so technical granted people can not accidentally choose the wrong network. Causing unnecessary connect attempts in my APs logs.

No, with non-hidden ESSIDs the STA scans (semi-) passively and only if it sees a matching one, it tries to establish a connection. With hidden ESSIDs, the STA has to try connecting continuously/ actively, thereby spamming the known (hidden-) ESSIDs wherever you go (regardless of your location/ if you're in range of your network).

Incorrect (Windows 10):

When I add a network with broadcasting SSID on my windows device it is still able to connect when I put it on hidden afterward's. So I think most new devices will probe the SSID even for normal networks.

Also if I scan for probe requests when I'm traveling. I see device's sometimes probing 30 or more SSID including starbucks WiFi and other public hotspots that are probably not hidden.

And your screenshot still shows a "hidden network" people still need to type the SSID before the device actually starts connecting to that AP.

This most basic wireless scanner in windows 10 won't show you the channel or MAC address of the remote AP either, rendering it pretty useless - but it does list hidden networks, making it very 'convenient' if there's more than one…

And as demonstrated, there's nothing hidden - it loudly displays the hidden networks, implicitly telling the user to install a better scanner to do anything useful. This isn't a hurdle deterring from trying to access it.

Yeah but most users will use the basic tools anyway. Only we tweakers probably install better tools.

I've installed APs in flats, and I was quicky amused how many devices started connecting to those APs after a while. Which was also a inconvenience while checking the logs for other errors.

But just as it is with everything. People have opinions, we both have our reasons and I respect that. I think it's best to stop this discussion about security.

I think it would be nice to have a option to let hostapd reply to probe requests of unknown mac addresses, if it isn't already a setting. That way people may choose what fits them best.

Yes, on early devices there was an option and it is still available. In Windows you have to add the network manually if you want it working as a hidden network. In my android phone while I am adding AP it shows an option asking whether it is hidden or not.

Even if your device randomizes mac address and tries to connect to the wifi, it will still be not possible to connect to AP because you have specifically set the AP to only allow a certain mac address.