Mac Filtering on Guest Nework

[john9527]

Just for information, when I looked at the fork code, I could see that a specific fix had the side effect of always forcing the Guest mode to be equal to the non-Guest mode with respect to the mac filtering. I haven't gone back and double checked if it was the same in the newer levels (and there have been a lot of changes implemented between the most recent levels and the fork).

 

[neil0311]

376.48.1 on RT-AC68P. I have MAC filtering enabled for both bands.

If I enable a guest network and set MAC filtering to "No" on the guest net, devices still cannot connect. If I the MAC address for the device, then it connects.

Am I misunderstanding how this works? If you set the guest net to "No" shouldn't it work without being filtered? Is this a bug?

 

[RMerlin]

376.48.1 on RT-AC68P. I have MAC filtering enabled for both bands.

If I enable a guest network and set MAC filtering to "No" on the guest net, devices still cannot connect. If I the MAC address for the device, then it connects.

Am I misunderstanding how this works? If you set the guest net to "No" shouldn't it work without being filtered? Is this a bug?

Can you post a screenshot? I don't know where you are seeing an option to set MAC filtering on guest networks, the only setting I see is on the MAC filtering page itself, and you can only select the band.

 

[neil0311]

Can you post a screenshot?

Sure, here you go. Am I misreading what this does?

 

[RMerlin]

Sure, here you go. Am I misreading what this does?

Never seen that setting before. Maybe it's not available on the RT-AC87U, I'll have to try with another router.

That might also explain why some people reported being unable to change that setting and I was unable to reproduce it - I always assumed they were referring to the main MAC Filtering page.

 

[neil0311]

Never seen that setting before. Maybe it's not available on the RT-AC87U, I'll have to try with another router.

That might also explain why some people reported being unable to change that setting and I was unable to reproduce it - I always assumed they were referring to the main MAC Filtering page.

Thanks. I just really want to understand what the expected result should be.

My guess is that if you do not have MAC filtering enabled for the primary wireless network on that band, that you can enable just for the guest network, but you can't disable it just for the guest network if it's enabled for the primary network.

Of course then I wonder if different guest networks can have different settings. I could probably test and post the results, but that doesn't answer what the INTENDED functionality should be.

 

[ckaczor]

Never seen that setting before. Maybe it's not available on the RT-AC87U, I'll have to try with another router.

That might also explain why some people reported being unable to change that setting and I was unable to reproduce it - I always assumed they were referring to the main MAC Filtering page.

That's certainly the setting I'm talking about. =)

I want my real network to have a MAC filtering white-list and the guest network to have no MAC filtering and not have access to the internal network.

I had this working on previous firmware - definitely with stock and maybe with an older Merlin, I don't remember for sure - but it is broken now.

Thanks again.

 

[RMerlin]

That's certainly the setting I'm talking about. =)

I want my real network to have a MAC filtering white-list and the guest network to have no MAC filtering and not have access to the internal network.

I had this working on previous firmware - definitely with stock and maybe with an older Merlin, I don't remember for sure - but it is broken now.

Thanks again.

To be accurate, it was previously so broken that it would ALWAYS ignore the blacklist on Guest networks. It just happened to be broken in a way that suited your needs.

I will have to see if the separate Guest Network option is salvageable.

 

[rooky]

(Apologies if this is regarded as off topic, but I think it is related)

I have a feature request in this regard:

* Allow separate mac-filtering settings for main and guest networks.
* Allow guest network to have hidden SSID.

My use case is that for the main network I use a strong password, and don't care about mac-filtering.

However, I have some devices (e.g. network media players, network radio etc) that are either inconvenient to enter a long and difficult password, or the drivers for the network does not support the wifi encryption mode. For these devices I have set up a guest network _with_ mac-filtering, since I have no intention to provide free internet to the neighbours. I also need the guest network to have access to the intranet where the media servers are.

For guests, I'd set up a 2nd guest network, without mac filtering, with an easy password and no access to the intranet.

 

[L&LD]

rooky, setting up a network with no encryption is the worst thing you can do for security. For this very reason I simply refuse to connect to any 'free' network no matter how desperate I might be for an internet connection at that time.

With no encryption, everything is transferred in clear text including the mac address which is easily spoofed by anyone. And with your insistence of allowing intranet access to all network users, including guests, this is a recipe for disaster if someone is inclined to practice hacking on your network.

 

[rooky_]

Ok. Good point. So should make another attempt at getting the devices on the encrypted network I guess.

rooky, setting up a network with no encryption is the worst thing you can do for security. For this very reason I simply refuse to connect to any 'free' network no matter how desperate I might be for an internet connection at that time.

With no encryption, everything is transferred in clear text including the mac address which is easily spoofed by anyone. And with your insistence of allowing intranet access to all network users, including guests, this is a recipe for disaster if someone is inclined to practice hacking on your network.

 

[Zooks64]

I'm running the latest stock firmware on my new AC68U; I was using Merlin's firmware on my N66U but it was time to upgrade to a better router.

I have been forced to created a MAC whitelist to keep my kids from using a MAC spoofer to get around the parental controls.

Last night I created a guest network with a password; none of the guests could connect so I checked out the settings and noticed that the MAC filter was set to yes so I changed it to no and hit save.

I'm sure you can guess what happened... still no connections until I disabled the overall MAC filtering.

I really want this feature to work and I'm willing to go back to using Merlin's firmware if it works. Can anybody verify that I can use a MAC whitelist on my private network and not have to use it also on the guest networks?

 

[TreJack]

I have the same problem with my ASUS RT-AC66U Firmware Version:3.0.0.4.378_4850

Didn't notice it until recently when a guest tried to connect. I assume all the prior guests just shrugged and forgot about it. Specifically:
- old firmware allowed Primary Network to have a MAC filter (whitelist) and Guest Network to not use the MAC filter
- web UI still shows the setting (Yes/No) to enable MAC filter on Guest Network
- will not save the setting to turn Guest Network MAC Filter off, I assume its also works the other way - basically its the MAC Filter setting applies to all networks and can't be individually selected on or off by network

Only solutions are:
1) turn off the MAC filter (whitelist) OR
2) individually add every guest's IP to the MAC filter

I'm doing the latter to maintain security but this is obviously not the ideal solution. Since this has been out here for a while, I assume no one has found a solution but thought I'd ask if anyone has a better work around?

If not, anyone bought a different router instead?

Thanks