Wireless MAC Filter bug or feature?

Rumboogy

Occasional Visitor
I found a foible in the "Wireless MAC Filter" capability. I would call it a bug but perhaps it was done on purpose. I have only tested this in the "reject" mode. What I found is that "Wireless MAC Filter" only seems to reject MAC addresses when they are on the main (as opposed to guest) SSIDs. For guest SSIDs "Wireless MAC Filter" has no effect. And it does not matter if the guest SSID has "Access Intranet" turned on or off (in case you were wondering).

I have been using "Wireless MAC Filter" for years to block a few unknown devices on my network (I know it seems crazy that I have stuff plugged in and connected to my network for years and I can't figure out: what it is, where it is, or who connected it). I had assumed that these rogue devices were being blocked. But I did some testing over the weekend and discovered that for guest SSIDs the "Wireless MAC Filter" has no effect (as I said above). I have two guest SSIDs that have "Access Intranet" turned on so these rogue devices could be connected via those SSIDs. If that was the case then these rogue devices have full access to my main network. There is no easy way for me to find out which SSID they are on so I don't know if they have access or not.

It seems much preferable that the "Wireless MAC Filter" would block a MAC regardless of which SSID it is connected to. This seems to be much more intuitive to me.
 
Router model?
Firmware version?

Just to be clear - you are setting the MAC filter list in the guest network's settings and not in the primary wireless settings?
 
Router: RT-AC86U
Firmware: 384.11_2
I guess I should put that in my signature.

The only place I know to set the wireless MAC Filter is at: Wireless -> Wireless MAC Filter. I have not seen any way to set these specifically for the guest networks.
 
Go to any Guest network you've configured or not and click the bottom option 'Enable MAC filter'. ;)
 
The only place I know to set the wireless MAC Filter is at: Wireless -> Wireless MAC Filter. I have not seen any way to set these specifically for the guest networks.
In John's firmware there are individual MAC filter lists for each guest network. I have a vague recollection that John added them a year or so ago. I thought the same change had been made by Merlin but I might have been imagining that. If you don't see the options then you might have to set them through NVRAM variables.

https://www.snbforums.com/threads/r..._2-is-now-available.35561/page-11#post-290191

EDIT: I see @L&LD has provided the answer :).
 
The setting was there in Merlin, I just did not notice them before. I added my "rogue" device in and now it is finally gone.
 
Don't mean to hijack the thread; but is there a "wireline" version of the MAC filter? Did a search on the forum but didn't see anything immediately obvious. Running 384.10_2 on RT-AC68U. [I am assuming that with a name like "Wireless MAC Filter", this feature would not work for the traffic over the Ethernet ports.]
 
No, that's not possible.
 
Well that would depend on what we say about MAC filtering and IPTABLES commands, at least this is what I found when I googled:

Drop all connection coming from mac address 00:0F:EA:91:04:08 (add the following command to your firewall script):

/sbin/iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
 
Yes you're correct, it does depend on what you expect the "filter" to do. I should have been more clear.

It's not possible to have something like the MAC Filter for wired devices that stops the device from connecting to your LAN at all. However it is possible to block that device from connecting through to the internet by the use of iptables. The iptables command you quoted is not quite correct but you can do the same thing through the router's GUI. The problem with the iptables method is that it doesn't stop the client communicating with other devices on the LAN.
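
An added example, not part of the thread and not any poster's code: a dry-run generator for rules that block a MAC from being routed through to the internet. It assumes the rules belong in the FORWARD chain (INPUT only sees packets addressed to the router itself) and an iptables build that supports -C; the function names and the second and third sample entries are constructed.

```shell
#!/bin/sh
# Generates iptables commands that drop routed traffic from listed MACs.
# As the post above notes, this does not stop a client from talking to
# other devices on the LAN; it only blocks traffic the router forwards.

# Sample list: the first MAC is the one quoted in the thread, the other
# two entries are constructed to show normalisation and rejection.
BLOCKED_MACS="00:0F:EA:91:04:08 aa-bb-cc-dd-ee-ff not-a-mac"

# Normalise to upper-case colon-separated form; return 1 if not a MAC.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f-' 'A-F:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Rule specification for one MAC, without the leading -C or -I.
rule_for() {
    printf 'FORWARD -m mac --mac-source %s -j DROP' "$1"
}

# Print one idempotent command per valid MAC: -C checks whether the rule
# already exists, so re-running the firewall script adds no duplicates.
# Invalid entries are reported on stderr and skipped.
build_rules() {
    for raw in $1; do
        if mac=$(normalize_mac "$raw"); then
            r=$(rule_for "$mac")
            printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$r" "$r"
        else
            printf 'skipping invalid MAC: %s\n' "$raw" >&2
        fi
    done
}

# Dry run: print the commands for review instead of executing them.
build_rules "$BLOCKED_MACS"
```

To apply the rules on the router, pipe the reviewed output to sh from the firewall script.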
 
The problem with the iptables method is that it doesn't stop the client communicating with other devices on the LAN.

Correct, that would demand VLAN for each port on the router, and I do not think that is possible - but I might be wrong? And VLAN is not on MAC address it is only for what the VLAN is defined for so it still is not good enough most likely (this is where I loved my pfSense firewall I tested - although I gave up that since it was just too demanding to manage day-to-day, don't get me wrong but all options were just too many - I never got over the feeling I always seemed to forget something that was open or so....).
 
The setting was there in Merlin, I just did not notice them before. I added my "rogue" device in and now it is finally gone.
I never noticed it either, I thought, like you, the main MAC filter covered everything. I’m grateful you brought this up.
 