WiFi Extender Security

Version:
All Units:
OpenWRT 21.02.2

Network Topology:
MAIN Unit:
Connected to WAN;
Network -> Wireless -> Edit -> Interface Configuration -> MAC Filter - Allow listed only Configured;
Network -> Firewall -> Traffic Rules Configured.
EXTENDER Unit:
No (default) security configuration set.

Above system configured as per:
openwrt.org/docs/guide-user/network/wifi/relay_configuration

Observed security performance:
MAIN Unit:
MAC Filtering: as expected;
Traffic Rules: as expected.
EXTENDER Unit:
MAC Filtering: None;
Traffic Rules: None.

Required Security Performance:
MAIN Unit:
Contains Security Configuration and periodically updates EXTENDER Unit(s) to confirm Security Configuration is current in EXTENDER Unit(s).
EXTENDER Unit(s):
Reflect Security Configuration as contained in MAIN Unit; periodically request of MAIN Unit to confirm Security Configuration.

Please advise as how to effect the above Required Security Performance.

There will likely be need for clarification, do not hesitate to request such.

OpenWrt 21.02.2 celebrates 2nd anniversary of EOL :champagne:
https://openwrt.org/releases/21.02/notes-21.02.3

You are probably looking into something like OpenWISP
Extender unit is kind of transparent to the network and does not filter the traffic, so you just need to transfer MAC whitelist which can be done by hand like uploading uci dump and applying on extender. Should work to like 10 devices and 2 configurations.

Correct application of WDS achieved the Required Security Performance, with no distribution of Security Configuration among the EXTENDER Unit(s):
https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/wds

Please have the relayd documentation emphasize the GROSS security compromise inherent within. Had such been readily apparent, this option would NOT have been pursued.

Thank you,
Ronald

Anything less generic? Is there a certain vulnerability?

relayd incorrectly connects ( CLEARLY NOT DESIGNED respecting the OSI model ) an EXTENDER to MAIN unit, bypassing the Security enforced by the MAIN unit.

Is there a design document for relayd?

The MAC filter is a hostapd property (https://w1.fi/cgit/hostap/tree/hostapd/hostapd.conf#n326), i.e. it applies only to a MAC establishing a connection to the AP; if you want to limit clients you need to distribute the ACL everywhere.

There is no communication between relayd and master AP.
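
The ACL distribution suggested in the replies above, as an added example that is not part of the thread or of OpenWrt: a shell function that turns the MAIN unit's `uci show wireless` output into `uci batch` commands for an extender's AP interface. The section names `default_radio0` and `wifinet1`, the host names and the MAC addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Section names, host names and MACs are constructed.

# acl_to_batch SRC DST
# Reads `uci show wireless` output on stdin and prints `uci batch` commands that
# give wifi-iface section DST the same macfilter policy and maclist as SRC.
acl_to_batch() {
    awk -v src="$1" -v dst="$2" -v q="'" '
    BEGIN {
        pfx = "wireless." src "."
        h = "[0-9A-Fa-f][0-9A-Fa-f]"                     # one MAC octet
        mac_re = "^" h ":" h ":" h ":" h ":" h ":" h "$"
    }
    function value(line,  v) {                           # text after "=", quotes stripped
        v = substr(line, index(line, "=") + 1); gsub(q, "", v); return v
    }
    function die(msg) { print "acl_to_batch: " msg > "/dev/stderr"; exit 1 }
    index($0, pfx "macfilter=") == 1 { policy = value($0) }
    index($0, pfx "maclist=") == 1   { n = split(value($0), macs, " ") }
    END {
        # Refuse to push anything that would leave the extender open or unusable.
        if (policy != "allow" && policy != "deny") die("no MAC ACL on " src)
        if (policy == "allow" && n == 0) die("empty allow list would lock out every client")
        for (i = 1; i <= n; i++) if (macs[i] !~ mac_re) die("bad MAC: " macs[i])
        print "set wireless." dst ".macfilter=" policy
        print "delete wireless." dst ".maclist"          # drop stale entries first
        for (i = 1; i <= n; i++) print "add_list wireless." dst ".maclist=" macs[i]
        print "commit wireless"
    }'
}

# Constructed sample of what `uci show wireless` prints on the MAIN unit.
SAMPLE="wireless.default_radio0=wifi-iface
wireless.default_radio0.mode='ap'
wireless.default_radio0.macfilter='allow'
wireless.default_radio0.maclist='02:00:00:aa:bb:01' '02:00:00:aa:bb:02'"

printf '%s\n' "$SAMPLE" | acl_to_batch default_radio0 wifinet1

# Live use (host names hypothetical):
#   ssh root@main 'uci show wireless' | acl_to_batch default_radio0 wifinet1 \
#     | ssh root@extender 'uci batch && wifi reload'
```

Running it from cron on each extender gives the periodic refresh asked for in the first post; it only mirrors the hostapd ACL, not the MAIN unit's firewall traffic rules.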
