Problem with OpenWrt 18.06.1 with wifi if ( Hide ESSID )

There are both pros and cons to MAC address randomization. Obviously it breaks MAC filtering. This is not a big deal from a security perspective as it adds little security, but it is inconvenient if you have a wireless ISP that validates your access by MAC. My ISP has all kinds of hotspots in town, and remembering my MAC keeps me from having to sign into their captive portal every time I connect.

OTOH, your MAC address can be used to track you. Platforms like Cisco's MSE can give very granular data about your connections and movements, which can be used by retailers for instance to see how often you visit and which store aisles you frequent or linger in.

Ideally you can turn this feature on and off as required. I usually randomize unless I need to connect to a hotspot where I am fine with them remembering me (I'd have to sign in otherwise anyway so I'm not anonymized regardless). IMO it is good to have the choice.

1 Like

But does it really have to add any security? If we don't want to have our SSIDs listed in wireless scans then there is a reason right?

I see these kinds of topics often, where people like to enable ACL and a hidden SSID. And there is always someone mentioning (unasked) the security aspect. If someone wants to enable this feature, it's their right to do so, right?

It may not be a bug. But hostapd did increase its strictness for ACL recently. So maybe it's not a bug but more a feature request to enable a more moderate level of validation.

Because it's a logical fallacy, your next best free (both as in beer and/or freedom) smartphone wireless scanner (and so does every better networking dæmon) will list them and their MAC addresses nevertheless (yes, they usually won't display the hidden ESSID name, but that would be trivial to snoop).

The mere concept of MAC based access lists transports the meaning of shutting out non-whitelisted devices, read security. The problem here is that a five year old can spoof those, rendering the MAC addresses moot for authentication. On the contrary, hidden ESSIDs do reduce security, as those mean that clients need to actively scan for the hidden ESSIDs, everywhere, thereby leaking your private ESSID wherever you and your smartphone go.

Edit: At the same time hidden ESSIDs do create real problems for many clients trying to connect to them - while you may consider those to be buggy, they are a reality nevertheless.

Isn't that leaked SSID problem with normal SSIDs as well? On early devices there was an option to connect to hidden networks. But now most devices assume that an SSID is hidden, so it works in both cases.

The basic Windows, Linux and macOS wireless tools do not show a hidden SSID. So the not so technical granted people cannot accidentally choose the wrong network, causing unnecessary connect attempts in my AP's logs.

No, with non-hidden ESSIDs the STA scans (semi-) passively and only if it sees a matching one, it tries to establish a connection. With hidden ESSIDs, the STA has to try connecting continuously/ actively, thereby spamming the known (hidden-) ESSIDs wherever you go (regardless of your location/ if you're in range of your network).

Incorrect (Windows 10):
https://i.imgur.com/GiJ3BR4.png

When I add a network with broadcasting SSID on my Windows device, it is still able to connect when I put it on hidden afterwards. So I think most new devices will probe the SSID even for normal networks.

Also, if I scan for probe requests when I'm traveling, I see devices sometimes probing 30 or more SSIDs, including Starbucks WiFi and other public hotspots that are probably not hidden.

And your screenshot still shows a "hidden network"; people still need to type the SSID before the device actually starts connecting to that AP.

This most basic wireless scanner in Windows 10 won't show you the channel or MAC address of the remote AP either, rendering it pretty useless - but it does list hidden networks, making it very 'convenient' if there's more than one…

And as demonstrated, there's nothing hidden - it loudly displays the hidden networks, implicitly telling the user to install a better scanner to do anything useful. This isn't a hurdle deterring from trying to access it.

Yeah but most users will use the basic tools anyway. Only we tweakers probably install better tools.

I've installed APs in flats, and I was quickly amused how many devices started connecting to those APs after a while. Which was also an inconvenience while checking the logs for other errors.

But just as it is with everything. People have opinions, we both have our reasons and I respect that. I think it's best to stop this discussion about security.

I think it would be nice to have an option to let hostapd reply to probe requests of unknown MAC addresses, if it isn't already a setting. That way people may choose what fits them best.

Yes, on early devices there was an option and it is still available. In Windows you have to add the network manually if you want it working as a hidden network. On my Android phone, while I am adding an AP, it shows an option asking whether it is hidden or not.

Even if your device randomizes its MAC address and tries to connect to the WiFi, it will still not be possible to connect to the AP because you have specifically set the AP to only allow a certain MAC address.

I see these kinds of topics often, where people like to enable ACL and a hidden SSID. And there is always someone mentioning (unasked) the security aspect. If someone wants to enable this feature, it's their right to do so, right?

Fair enough. The settings are available and there is nothing stopping you from using them. I think people are just trying to provide objective information about the pros and cons. A surprising number of people do think security is one of those, often the same people who think the downsides are somehow "wrong". In fact everything is just working as designed.

1 Like

As a note on the original problem, I wanted to drop a quick post and say I was running into the same thing (at least, I think I was).

I was running LEDE 17.01 on a WRT1200AC. I had both a 5 GHz and 2.4 GHz radio set up, different SSIDs, both hidden, and everything worked fine. I upgraded to OpenWrt 18.06.1 (r7258-5eb055306f) today and started seeing this problem, but only on Android devices (a Windows laptop connected fine). If the SSID wasn't hidden, they worked fine. When hidden, they'd fail to connect. All I had to do was "forget" the connection on the Android device and re-add it. Afterwards, they work fine, even with the SSID hidden again.

1 Like

I have only tried 18.06.1 (and found this problem). I have not tried LEDE 17.01 or others, but some people are still using LEDE 17.01 although the new version 18.06.1 was released.
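
An added example, not part of any post in this thread: a small parser for auditing which network names your own devices announce in probe requests, separating wildcard probes (empty SSID) from the directed probes discussed above. It assumes raw 802.11 management frames without a radiotap header or FCS; the function names and the sample frames are constructed for illustration.

```python
from collections import defaultdict

HDR_LEN = 24  # FC(2) + duration(2) + addr1..3(18) + seq ctl(2)

def parse_probe_request(frame):
    """Return (src_mac, ssid, randomized) for a probe request, else None."""
    if len(frame) < HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 4:        # management / probe request only
        return None
    src = frame[10:16]                    # addr2 = transmitting station
    randomized = bool(src[0] & 0x02)      # locally administered bit set
    pos = HDR_LEN
    while pos + 2 <= len(frame):          # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:           # truncated element, give up
            return None
        if tag == 0:                      # SSID element
            mac = ":".join(f"{b:02x}" for b in src)
            return mac, value.decode("utf-8", "replace"), randomized
        pos += 2 + length
    return None

def directed_probes(frames):
    """Map source MAC -> set of SSIDs it named; wildcard probes name none."""
    leaks = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            leaks[parsed[0]].add(parsed[1])
    return dict(leaks)

def build_frame(fc0, src_hex, ssid):
    """Construct a sample management frame (test data only)."""
    hdr = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + bytes.fromhex(src_hex)
    hdr += b"\xff" * 6 + b"\x00\x00"
    rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])   # supported rates element
    return hdr + bytes([0, len(ssid)]) + ssid.encode() + rates

# Constructed sample capture: one wildcard probe, two directed probes, one beacon.
SAMPLE = [
    build_frame(0x40, "021122334455", ""),             # wildcard, random MAC
    build_frame(0x40, "001122334466", "home-hidden"),  # directed probe
    build_frame(0x40, "001122334466", "home-hidden"),
    build_frame(0x80, "0a0b0c0d0e0f", "some-ap"),      # beacon, ignored
]

if __name__ == "__main__":
    for mac, ssids in directed_probes(SAMPLE).items():
        print(mac, "names", sorted(ssids))
```
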
