
Feature Requests?


extensi0n

Occasional Visitor
First off, Thank you again Merlin for your magic. I'm coming at this from a soho standpoint...

Scenario 1: I've taken advantage of site-to-site OpenVPN across 15 of my sites. This easily enables me to give access to a Synology NAS box that hosts files for our offices, and to push scan things from our newer copiers instead of faxing.

The VPN is rock solid stable, with a low build. (.24) I'm going to go to a newer build with a new router, because I was never able to get the VPN working right after .26 for some reason.

So when a DHCP client is connected, that means that those wireless clients have access to my VPN. I'm not seeing it, or how to, and I'm no router/networking expert, but I'd like to disable the wireless in such a way that only the guest wireless would work. That way, there is no way anyone could be snooping around the network if someone hacks the wireless password. It's not really a question of if, it's when. Ideas?

Scenario 2: Mistakenly, there were a couple computers set away from the IP scheme that I was using internally. Wireless DHCP clients go high...200+ range, and all of my static, set on PC's, start at 100. I had some set to .40, and .44, so when I noticed them, I immediately started looking what the heck they were. The network map didn't help much, as for whatever reason, the host names didn't show up.

Luckily, an install of Spiceworks that we were beta testing helped identify the PC's by host name, so I could go fix them. During that time of figuring out what those computers were I went to go block access by MAC address.

I went, wait, if it was DHCP, the IP's would be in the 200+ range. I've set static IP's on the computers, not on the router, which obviously would be easier at times. Anyway, I blocked the MAC address in the wireless, knowing that would not work...lo and behold, of course it didn't...Yes, in the scenario where you are a small office, or a home office, you should know what is physically connected to your network, but, in offices that I am far away from, I have no idea if something is physically connected. Long story short, and I hate to even mention DD-WRT, because DD-WRT left a bad taste in my mouth, but I do miss one thing. Blocking access by MAC address.

Is this something that can be done/added in the GUI?

Sorry for being long winded.
 
So when a DHCP client is connected, that means that those wireless clients have access to my VPN. I'm not seeing it, or how to, and I'm no router/networking expert, but I'd like to disable the wireless in such a way that only the guest wireless would work. That way, there is no way anyone could be snooping around the network if someone hacks the wireless password. It's not really a question of if, it's when. Ideas?

If I remember correctly, Guest Network is not affected by the MAC access list. If that's the case, I recommend enabling the Wireless MAC Filter (under Wireless), set it to Accept, and leave the list below empty. In theory, only guests should be able to connect.

Scenario 2: Mistakenly, there were a couple computers set away from the IP scheme that I was using internally. Wireless DHCP clients go high...200+ range, and all of my static, set on PC's, start at 100. I had some set to .40, and .44, so when I noticed them, I immediately started looking what the heck they were. The network map didn't help much, as for whatever reason, the host names didn't show up.

Luckily, an install of Spiceworks that we were beta testing helped identify the PC's by host name, so I could go fix them. During that time of figuring out what those computers were I went to go block access by MAC address.

I went, wait, if it was DHCP, the IP's would be in the 200+ range. I've set static IP's on the computers, not on the router, which obviously would be easier at times. Anyway, I blocked the MAC address in the wireless, knowing that would not work...lo and behold, of course it didn't...Yes, in the scenario where you are a small office, or a home office, you should know what is physically connected to your network, but, in offices that I am far away from, I have no idea if something is physically connected. Long story short, and I hate to even mention DD-WRT, because DD-WRT left a bad taste in my mouth, but I do miss one thing. Blocking access by MAC address.

Is this something that can be done/added in the GUI?

MAC filtering is something I might eventually implement, though it's not a priority since my primary targets are home users rather than SOHOs, and they wouldn't have much need for such a feature. SOHOs have quite different needs, and I don't want to end up with a firmware having a bazillion features that would be next to impossible to maintain (see DD-WRT for a good example).

You should however be able to manually block MACs through iptables. The rule would look somewhat like this:

Code:
iptables -I FORWARD 1 -m mac --mac-source 88:53:2e:11:22:33 -j DROP
iptables -I INPUT 1 -m mac --mac-source 88:53:2e:11:22:33 -j DROP

The first rule would prevent Internet or tunnel access to that MAC. The second should prevent it from accessing the router's internal services (like DHCP).

These wouldn't prevent local LAN access however. For that, you'd need a managed switch.

You can put such rules in a nat-start custom script. See the Wiki for more details.
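
The two rules from this post, wrapped as an added example of what a nat-start custom script could contain (this is not Merlin's or the firmware's own code): it reads MACs from a list, rejects malformed entries, and re-applies the DROP rules without stacking duplicates each time the script runs. The blocklist path, the `IPT` override and the function names are assumptions.

```shell
#!/bin/sh
# Added example: idempotent MAC blocking for a nat-start custom script.
# BLOCKLIST path and all function names are assumptions, not firmware settings.
BLOCKLIST="${BLOCKLIST:-/tmp/blocked-macs.example}"   # hypothetical path
IPT="${IPT:-iptables}"                                # override for a dry run

# Succeeds only for a well-formed colon-separated MAC (aa:bb:cc:dd:ee:ff).
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Drop traffic from one MAC: FORWARD covers Internet/tunnel access,
# INPUT covers the router's own services (as described in the post).
block_mac() {
    for chain in FORWARD INPUT; do
        # Remove any earlier copy so re-running the script never stacks rules.
        $IPT -D "$chain" -m mac --mac-source "$1" -j DROP 2>/dev/null || true
        $IPT -I "$chain" 1 -m mac --mac-source "$1" -j DROP
    done
}

# Read one MAC per line; '#' starts a comment. Returns 1 if any line was
# rejected, so a typo in the list is noticed instead of silently ignored.
apply_blocklist() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s\n' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$mac" ] && continue
        if is_mac "$mac"; then
            block_mac "$mac"
        else
            echo "skipping invalid entry: $mac" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}

if [ -r "$BLOCKLIST" ]; then
    apply_blocklist "$BLOCKLIST"
fi
```

A MAC address is set by the client and can be changed, so these rules are useful for fencing off known-but-unwanted devices rather than as authentication.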
 
If I remember correctly, Guest Network is not affected by the MAC access list. If that's the case, I recommend enabling the Wireless MAC Filter (under Wireless), set it to Accept, and leave the list below empty. In theory, only guests should be able to connect.

I remember reading something about guest wireless: there is no IP filtering. Which there shouldn't be in most cases. There is now a link to enable MAC filtering via the guest wireless if it isn't enabled. Not sure if it works or not. I also see a yes/no for enabling IP filtering. Default of NO. I'm guessing if you select YES, it'll go off the MAC filtering rules you set up...It does go to the Wireless MAC Filter tab...

That is in: 3.0.0.4.374.33_beta5 (Merlin build)

Not sure when any of that changed, as I haven't been in my guest wireless in a long time.
 
I remember reading something about guest wireless: there is no IP filtering. Which there shouldn't be in most cases. There is now a link to enable MAC filtering via the guest wireless if it isn't enabled. Not sure if it works or not. I also see a yes/no for enabling IP filtering. Default of NO. I'm guessing if you select YES, it'll go off the MAC filtering rules you set up...It does go to the Wireless MAC Filter tab...

That is in: 3.0.0.4.374.33_beta5 (Merlin build)

Not sure when any of that changed, as I haven't been in my guest wireless in a long time.

No idea either as I don't use it, and haven't modified Asus's code either. They could have changed things with FW 372 or 374, not sure if that actually works either, someone will have to try it and report their results.
 
