MAC filter limit


amadian

Hi!
I have an RT-N66U with Merlin firmware and it's a great combo, but I need to add more than 32 devices to the MAC filter list. Could it be possible to implement this in future versions of the firmware?

Thank you very much!
 
Revisiting the current 32-entries limitation in various places in the firmware is something I want to look at at some point in the future. No ETA yet.
 
MAC filtering is not a very good way to secure your network, plus it adds some overhead which slows your devices.

It is very easy to find out what MACs are allowed on your network, then clone a device to use that MAC.
 
Hi Merlin,

Is the limit of 32 MACs in the filtering list still in place? I've been trying without success to add 51 MACs to the filter and the router appears to go into a reboot loop that is only fixed by resetting the router.

We need support for ~150 MACs and I developed a little script to set the NVRAM params. On a side note, what is the difference with the _x params - are they there just for the list on the web page to associate the descriptions?

# values contain spaces, so they must be quoted to reach nvram as one argument
nvram set wl_maclist="AA:BB:CC:DD:EE:FF AB:AB:AB:AB:AB:AB"
nvram set wl0_maclist="AA:BB:CC:DD:EE:FF AB:AB:AB:AB:AB:AB"
nvram set wl1_maclist="AA:BB:CC:DD:EE:FF AB:AB:AB:AB:AB:AB"
# each _x entry is the MAC in angle brackets followed by its description
nvram set wl_maclist_x="<AA:BB:CC:DD:EE:FF>desc1<AB:AB:AB:AB:AB:AB>desc2"
nvram set wl0_maclist_x="<AA:BB:CC:DD:EE:FF>desc1<AB:AB:AB:AB:AB:AB>desc2"
nvram set wl1_maclist_x="<AA:BB:CC:DD:EE:FF>desc1<AB:AB:AB:AB:AB:AB>desc2"

Thanks,
 

While the current webui limit is set to 128, there's at least one buffer that gets overrun in the firmware when you enter more than around 35 MACs. I will try to track down other places where a larger buffer might be required to handle more than 32 MACs. There's a chance that some of these buffers might be in closed source components, over which I have no control (and no way to know how large these buffers are either).

For now, I will bring down that limit from 128 to 64, as allocating enough memory to handle up to 128 would be quite wasteful as the targeted audience of this firmware (home users) should never need that many entries. Remember that this device only has 256 MB of memory.

To be honest, if you need THAT many MACs, you should consider going with a business class product instead, as it's not guaranteed that the router can handle that.
 
Thanks Merlin. I really like your build and hope a solution with more MACs in the wifi filtering is possible as it is easy for our less technically minded staff to administer. But worst case I'll switch to Tomato as there are people reporting being able to use 500+.

The other idea I've seen is from the 5th post on here:
http://tomatousb.org/forum/t-308906/

Do you think that might work?

Thanks!
 
Not without some changes. No idea what that rdev01 chain is supposed to be in Tomato.
 
Hi Merlin,

I noticed that newer version now support 128 MAC addresses for WAN filtering.

Today I tried to filter based on ~70 devices and I found that for the first ~20-30 devices the filter works as expected, but after that devices were not able to connect.

Tomorrow I will experiment further and find the exact cut-off.

RTN66U v374.41 (will update tomorrow too).

Any thoughts or ideas on how to debug this? I can send a copy of how the nvram variables are set, or the output from iptables.

Thanks again,

Owen
 
What MAC list are you referring to? The MAC filter list was limited to 64 entries back with 374.34, and a buffer overrun with long lists was also fixed at that time.
 
Hi again,

I was confused/didn't remember correctly. I see from your post earlier in this thread that the UI now supports 128 but there may have been some issue above 64 and possibly when above 35.

Here are some more details.

We have 61 MAC addresses on the 2.4 GHz radio and the same 61 MAC addresses on the 5 GHz one. So in my mind this is below the limit.

I've used a Google Docs script to set the following NVRAM params, and then I go into the UI and turn the MAC filtering off and then on to push through whatever changes are needed under the hood. The reason I use the script to set the NVRAM params is so that I can manage the list of users in a Google Docs spreadsheet. I arrived at these params by adding and removing different MAC addresses and seeing what NVRAM params were getting set. I might be missing something, and I don't know what the purpose of each of them is.

nvram set wl_maclist="00:00:00:00:00:01 00:00:00:00:00:02"
nvram set wl0_maclist="00:00:00:00:00:01 00:00:00:00:00:02"
nvram set wl1_maclist="00:00:00:00:00:01 00:00:00:00:00:02"
nvram set wl_maclist_x="<00:00:00:00:00:01>usr-1<00:00:00:00:00:02>usr-2"
nvram set wl0_maclist_x="<00:00:00:00:00:01>usr-1<00:00:00:00:00:02>usr-2"
nvram set wl1_maclist_x="<00:00:00:00:00:01>usr-1<00:00:00:00:00:02>usr-2"
nvram commit

I suppose the alternative is to try and get FreeRadius running on the router. Are you aware of anyone who has achieved this?

Thanks,

Opie
 
wl_maclist (and wl_maclist_x) are unused by the router. It's just a temporary storage used by the webui when the user applies the settings it just entered. Then, the web server will determine if you were editing the 2.4 GHz or 5 GHz interface, and copy these to the appropriate wl0_* or wl1_* vars.

Can you tell me the length of the content of wl0_maclist/wl1_maclist and wl0_maclist_x/wl1_maclist_x?

I suspect that the issue lies in the fact that I've taken into account the length of all the MACs and the separators, but didn't factor the name length. I see at least one place in the code where that'd be the case.

Radius would indeed be far more manageable for such a big list of clients, however I don't know anyone who actually played with that.
 
Hi,

I assemble the MAC addresses in a series of environment variables and then concatenate the environment variables together as follows:

# quoted so the whole space-separated list reaches nvram as a single argument
nvram set wl0_maclist="$list0$list1$list2$list3$list4$list5"
and
nvram set wl0_maclist_x="$list0_x$list1_x$list2_x$list3_x$list4_x$list5_x"

Each $list... variable is kept <1024 characters, in fact I don't let it assemble more than 40 MAC addresses.

So in my example, with 61 MAC addresses and using a very minimal label which is just the row # from my spreadsheet (i.e. 1-70) as a label my calls to

nvram set wl0_maclist - 1081 characters
nvram set wl0_maclist_x - 1257 characters

The WebGui properly displays ALL the MACs that I load with my script complete with labels.

My sense is that the breakdown is happening when the APPLY/SAVE function from the WebGUI is being called and the background processes are being configured (iptables?)

Is there some output from iptables that I could attach as a debug step?

Thanks again!

Opie
 
nvram set wl0_maclist - 1081 characters
nvram set wl0_maclist_x - 1257 characters

The firmware only had a 1200-byte buffer, therefore it was being overrun.

I increased it to 3500, which should accommodate 64 MACs with names of 30 chars each. This is the maximum length supported by the httpd service when processing nvram values.
 
Fantastic. I will give it a try with the next release.

If I kept the label names really short, would it support more than 64 MACs, or is there something else in the chain that would break down?
 
Shorter names would be a usable workaround for now. Just make sure the total length of the nvram setting isn't longer than 1200 characters (including all the separators).
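Added example, not the firmware's code and not a script from anyone in this thread: it builds the wl<N>_maclist and wl<N>_maclist_x values in the format shown earlier (space-separated MACs, and <MAC>label pairs) and refuses to emit them when they exceed the 64-entry cap or the 1200-character length quoted above, so a generator script cannot hand httpd an oversized value. The two limits are taken from this thread rather than read from the firmware source, and wl_maclist is deliberately left alone since the webui only uses it as scratch space.

```shell
#!/bin/sh
# Added example, not from the firmware or anyone in this thread: turn "MAC label"
# lines into wl<N>_maclist / wl<N>_maclist_x values and refuse to emit them past
# the limits quoted above, so a script never feeds httpd an oversized value.
MAX_ENTRIES=64       # webui cap since 374.34 (from the thread)
MAX_NVRAM_LEN=1200   # longest value the thread reports as safe (assumed here)
# One MAC address: six hex pairs separated by colons.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}
# Reads "MAC label" lines on stdin; prints the maclist value, then the
# maclist_x value. Returns 1 without printing on any violation.
build_lists() {
    count=0; maclist=""; maclist_x=""
    while read -r mac label; do
        if [ -z "$mac" ]; then continue; fi
        if ! valid_mac "$mac"; then echo "bad MAC: $mac" >&2; return 1; fi
        case "$label" in
            *'<'*|*'>'*) echo "label must not contain < or >: $label" >&2; return 1 ;;
        esac
        count=$((count + 1))
        if [ "$count" -gt "$MAX_ENTRIES" ]; then
            echo "more than $MAX_ENTRIES entries" >&2; return 1
        fi
        maclist="${maclist:+$maclist }$mac"     # space-separated, as the webui stores it
        maclist_x="${maclist_x}<$mac>$label"    # <MAC>label pairs, no separator
    done
    for v in "$maclist" "$maclist_x"; do
        if [ ${#v} -gt "$MAX_NVRAM_LEN" ]; then
            echo "value is ${#v} chars (> $MAX_NVRAM_LEN): shorten the labels" >&2
            return 1
        fi
    done
    printf '%s\n%s\n' "$maclist" "$maclist_x"
}
# Prints the nvram commands for radio $1 (0 = 2.4 GHz, 1 = 5 GHz) instead of
# running them, so they can be reviewed before being pasted into the router.
nvram_commands() {
    lists=$(build_lists) || return 1
    printf 'nvram set wl%s_maclist="%s"\n' "$1" "$(printf '%s\n' "$lists" | sed -n 1p)"
    printf 'nvram set wl%s_maclist_x="%s"\n' "$1" "$(printf '%s\n' "$lists" | sed -n 2p)"
    echo "nvram commit"
}
# Constructed sample input in the format this thread uses.
SAMPLE='00:00:00:00:00:01 usr-1
00:00:00:00:00:02 usr-2'
printf '%s\n' "$SAMPLE" | nvram_commands 0
```

Feed it the real list from a file with `nvram_commands 0 < macs.txt`, and turn the filter off and on in the webui afterwards as described earlier so the driver picks up the new list.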
 
Hi Merlin,

I tried the 374.43 build last night and found that a larger # of MACs to filter by still appear limited to the ~1000 character limit.

Can you tell me the format of the iptables command that the web server is running to establish the MAC-based filtering?

I ran 'iptables --list' but couldn't find an associated chain when I had the MAC filtering enabled for either of the radios.

My idea is to build a script that parses a text file of MAC addresses and then calls the appropriate iptables command, and then have this run automatically on boot-up.

Perhaps there is another way?

Thanks,

Owen
 
It's not done by the router firewall code, so I suspect it's done internally by the closed-source driver, in which case this means this is a limit I have no way to increase beyond the actual limit. That means I will have to bring it back down to 32 MACs max then. The code I fixed involved the location where the user-entered list was read, processed, and stored in a different nvram setting. I see no reference in the firmware to that other setting.
 