MAC Address Filter Per SSID?

CntrlAltDel

Occasional Visitor
Hi there,

I have an ASUS RT-AC88U running in AP mode with Merlin 386.14_2 f/w.
Does anyone know of a way to get wireless MAC address filtering (whitelisting) enabled but only for specific SSIDs?
I want to have a LAN isolated SSID that I can use for 'quick-connect' without a password.

My use case is that I have a group of devices that I constantly wipe and don't want to have to deal with having to reconnect to my Wi-Fi SSID with a password.
 
You can't have main LAN isolated SSID in AP Mode to begin with.
 
Double NAT a second router in front of your first router for these devices to connect to. Use a very secure admin password for this router and restrict admin access to a certain IP. Set up the WiFi connection type to be open. Then depending on what security features are available do what you can to restrict access to only certain devices by assigning them static IPs. Depending on the open router's firmware you can see if it will work if you disable assigning IPs and instead all devices use static IPs. If turning off DHCP assignments causes problems set the IP pool to be just one IP address and plug an Ethernet wired device into a lan port on the first router so it will be assigned the single address in the IP pool. Your WiFi clients will be assigned a static IP outside the pool.
 
This double NAT solution has low practicality. First, the AP is lost at current location where it’s probably needed; second, everything relying on UPnP on the double NATed router will stop working properly; third, port forwarding must be set for eventual open to Internet services. Asus services like Instant Guard won’t work either. May turn into more damage done than possible solution. The new requirements just exceed the old equipment capabilities. Wrong equipment for the task.
 
If OP needs/wants to run a server on the second router then it certainly becomes more complicated requiring double port forwards. As for the UPnP issue I have never had a problem when running in double NAT. As for location of AP nothing says OP couldn't still use the AC88 as an AP while using another older router as the Internet facing router as long as it had GB LAN ports and a reasonable processor.
 
You never had an issue because you never needed UPnP. It doesn't work in double NAT. Your solution requires more devices and perhaps located in wrong places. As per older posts the OP has OPNsense router. What is needed - proper AP with native VLAN support. AX1800 class APs start under $100. Other option is scripting VLANs in Asuswrt-Merlin, if the OP is comfortable doing it after some research.
 
Sorry to drag up an old thread but I believe it is still valid.
I have had occasion to need such a per-SSID MAC filter and was wondering if an Addon (YazFi?), script or set of Firewall Rules (below) could accomplish this?

Code:
#!/bin/sh
# Block specific MAC addresses from accessing primary WiFi interface
# Place this file at: /jffs/scripts/firewall-start
# Make executable with: chmod +x /jffs/scripts/firewall-start

# Echo Dot MAC addresses - REPLACE THESE WITH YOUR ACTUAL MAC ADDRESSES
ECHO_DOT_1="AA:BB:CC:DD:EE:01"
ECHO_DOT_2="AA:BB:CC:DD:EE:02"
ECHO_DOT_3="AA:BB:CC:DD:EE:03"

# Create custom chain for Echo Dot blocking (flush it if it already exists)
iptables -N BLOCK_ECHO_PRIMARY 2>/dev/null || iptables -F BLOCK_ECHO_PRIMARY
# Everything sent to this chain is dropped
iptables -A BLOCK_ECHO_PRIMARY -j DROP

# Block Echo Dots from primary WiFi interface (br0)
# br0 = main LAN/WiFi interface on ASUS routers
iptables -I FORWARD 1 -i br0 -m mac --mac-source "$ECHO_DOT_1" -m comment --comment "Block Echo Dot 1 from primary network" -j BLOCK_ECHO_PRIMARY
iptables -I FORWARD 1 -i br0 -m mac --mac-source "$ECHO_DOT_2" -m comment --comment "Block Echo Dot 2 from primary network" -j BLOCK_ECHO_PRIMARY
iptables -I FORWARD 1 -i br0 -m mac --mac-source "$ECHO_DOT_3" -m comment --comment "Block Echo Dot 3 from primary network" -j BLOCK_ECHO_PRIMARY

# Also block them from accessing the router itself on primary interface
iptables -I INPUT 1 -i br0 -m mac --mac-source "$ECHO_DOT_1" -m comment --comment "Block Echo Dot 1 router access on primary" -j BLOCK_ECHO_PRIMARY
iptables -I INPUT 1 -i br0 -m mac --mac-source "$ECHO_DOT_2" -m comment --comment "Block Echo Dot 2 router access on primary" -j BLOCK_ECHO_PRIMARY
iptables -I INPUT 1 -i br0 -m mac --mac-source "$ECHO_DOT_3" -m comment --comment "Block Echo Dot 3 router access on primary" -j BLOCK_ECHO_PRIMARY
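
The per-MAC rules in the post above, as an added example that is not part of the original post: a dry-run generator that validates each MAC before emitting the INPUT and FORWARD rules, so a mistyped address is reported instead of failing inside firewall-start. The function names and the MAC addresses are constructed for illustration; br0 is the interface named in the post.

```shell
#!/bin/sh
# Added example: prints the iptables commands instead of running them, so the
# output can be reviewed before it is pasted into /jffs/scripts/firewall-start.

# Return 0 if $1 is a well-formed MAC (six colon-separated hex octets).
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Usage: gen_block_rules IFACE MAC...
# Prints one INPUT and one FORWARD DROP rule per valid MAC. Malformed entries
# are reported on stderr and skipped; the return code is 1 if any was skipped.
gen_block_rules() {
    iface=$1
    shift
    rc=0
    for mac in "$@"; do
        if ! is_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            rc=1
            continue
        fi
        # Normalise to upper case so duplicates are easy to spot in review.
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        for chain in INPUT FORWARD; do
            echo "iptables -I $chain 1 -i $iface -m mac --mac-source $mac -j DROP"
        done
    done
    return $rc
}

# Constructed sample input (placeholder MACs, as in the post).
gen_block_rules br0 "AA:BB:CC:DD:EE:01" "aa:bb:cc:dd:ee:02"
```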
 
YazFi doesn't work on 3006.102.x firmware and doesn't work on AiMesh nodes.
Edit to add: If using Guest Network Pro, the profile should have a Mac Filter option. Haven't used it, don't know if it works or is broken.
As for main LAN WiFi, there is the Mac Filter option for each WiFi band.
If you are having issues with an Amazon device trying to join the wrong WiFi SSID, make sure to delete all saved WiFi username/password logins for the device through the Amazon.com website. Reset the Amazon device, delete all saved WiFi logins on Amazon, then connect the Amazon device to the correct WiFi network. Used to have this issue of it trying to connect to the wrong SSID but resetting, deleting the saved logins, then connecting it to a single SSID seems to have worked for my Echo Dot (early model).
 
@jksmurf in case this was missed in my post edit I'm posting it again:
If you are having issues with an Amazon device trying to join the wrong WiFi SSID, make sure to delete all saved WiFi username/password logins for the device through the Amazon.com website. Reset the Amazon device, delete all saved WiFi logins on Amazon, then connect the Amazon device to the correct WiFi network. Used to have this issue of it trying to connect to the wrong SSID but resetting, deleting the saved logins, then connecting it to a single SSID seems to have worked for my Echo Dot (early model).
 
Thank you @bennor I believe you are absolutely correct. Was initially trying to find a way to globally “forget” my primary SSID so the EchoDot3 devices connected to the IoT only, but it seems that option doesn’t exist; hence my second attempt was to block them from the primary SSID. Otherwise they invariably join the primary and you then have to connect them to the IoT then “forget” the primary. Only it never really forgets primary unless you do as suggested, a full on robo-chubby reset. Arghhhh …😎
 
