OpenWrt Forum Archive

Topic: macfilter

The content of this topic has been archived on 2 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

hi all,

I would like to know how to enable the macfilter. I want to allow wireless access just for users whose MAC addresses are in the maclist.
I added the following lines to /etc/config/wireless:

option 'maclist' '00-00-00-00-00-f8 00:00:00:00:00:0e'
option 'macpolicy' 'allow'

Unfortunately it does not matter which kind of MAC address is configured; it is always working. Also, if I try to configure "deny", it is possible to connect.
Where is my mistake?

thx

(Last edited by shuo on 28 Feb 2009, 11:45)

The first MAC address is in wrong format.

But if it is the wrong format, why is it possible to connect? The router should allow just the MAC addresses which are configured in the list, shouldn't it?

nobody any idea?

Same annoying problem here: MAC filtering isn't effective at all, whatever I put in macpolicy.
I tried "deny" but no effect either; it's as if macfilter is always disabled. I used the "wifi" command to force the AP to use the new parameters after each modification of the /etc/config/wireless file (dunno if it's the right way).


option 'maclist' ' 00:12:17:94:04:10 00:18:F8:2C:9A:FA 00:1c:bf:04:b0:52 00:0e:9b:44:e9:ce 00:1c:f0:d3:cb:aa 00:1e:e5:ff:3a:6b 00:1f:3c:33:8e:55'
option 'macpolicy' 'allow'

Any wifi adapter (with its mac not in maclist) can connect to AP.
This problem appears after upgrading WRT54GL from White Russian to 8.09 Kamikaze (through Xwrt/Kamikaze 8.09 (with 2.4 kernel, not a 2.6 with b43 which doesn't support macfiltering as far as I know) firmware package). Mac filter was fine with White Russian.
Is there some nvram interaction remaining? Something induced by the upgrade process (imported some setup part from nvram?)?

BTW, the /etc/config/* kamikaze files are really nice and easy to configure (had to inject a FW rule impossible to handle with Xwrt webif).

(Last edited by el_goretto on 11 Apr 2009, 20:12)

Maybe it is related to some problem in the wifi interface name (I'm not used to uci yet):

root@OpenWrt:/etc/config# uci show wireless
wireless.wl0=wifi-device
wireless.wl0.type=broadcom
wireless.wl0.hwmode=
wireless.wl0.channel=11
wireless.wl0.maxassoc=[...]
wireless.wl0.disabled=0
wireless.wl0.antenna=
wireless.wl0.country=
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=wl0
wireless.@wifi-iface[0].network=lan
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].ssid=HOHOHO
wireless.@wifi-iface[0].bssid=
wireless.@wifi-iface[0].encryption=psk2
wireless.@wifi-iface[0].server=
wireless.@wifi-iface[0].port=
wireless.@wifi-iface[0].hidden=0
wireless.@wifi-iface[0].isolate=0
wireless.@wifi-iface[0].txpower=
wireless.@wifi-iface[0].bgscan=0
wireless.@wifi-iface[0].frag=
wireless.@wifi-iface[0].rts=
wireless.@wifi-iface[0].wds=0
wireless.@wifi-iface[0].key=HAHAHAHA
[...]
wireless.@wifi-iface[0].maclist= 00:12:17:94:04:10 00:18:F8:2C:9A:FA 00:1c:bf:04:b0:52 00:0e:9b:44:e9:ce 00:1c:f0:d3:cb:aa 00:1e:e5:ff:3a:6b 00:1f:3c:33:8e:55
wireless.@wifi-iface[0].macpolicy=allow

I've seen this page: http://oldwiki.openwrt.org/OpenWrtDocs( … 7b743224a6
But still no wl package to install, said opkg, and as you can see, I get wireless.@wifi-iface[0].macpolicy and not wireless.wl0.macpolicy, though they are connected somehow (wireless.@wifi-iface[0].device=wl0).

Is this procedure still accurate? Should I make my own init script to filter mac?
And btw... why is this not included in Kamikaze core?

Thank you for your answer.

(Last edited by el_goretto on 11 Apr 2009, 20:05)

You should try with iptables.

Something like that:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Rules in a chain are matched in order, so the per-client ACCEPT rules
# must be appended before the catch-all DROP for wl0.
iptables -A INPUT -i wl0 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -A FORWARD -i wl0 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

iptables -A INPUT -i wl0 -j DROP
iptables -A FORWARD -i wl0 -j DROP

But I think you have to remove (disable) the uci firewall and build your own iptables firewall with these lines at the end.

(Last edited by KeFaS on 12 Apr 2009, 02:14)

Yes, I could use iptables for my own purpose ^^
But router is not mine (family one) and I don't want to put some specific configuration that can't be handled through a webif by non-tech people (... family smile). That's why mac filtering is borderline but ok, iptables not at all.

I'm amazed by the lack of documentation about kamikaze releases. I luckily found something (while looking for info about luci): http://luci.freifunk-halle.net/UserDocs/FAQ
wireless.@wifi-iface[0].macpolicy is for madwifi, for broadcom, it's wireless.@wifi-iface[0].macfilter.
Hurrah.

Except that wireless.@wifi-iface[0].macfilter is not effective either, no matter what value is in wireless.@wifi-iface[0].macpolicy or even if it's not defined at all.

Note that MAC filtering alone isn't a very secure way of setting things up.

el_goretto wrote:

...But still no wl package to install said opkg..

Looks like wl package is available by now.

Is there any wl package for 2.6? I think it is just for target 2.4.
So, how to set up mac filter on 2.6 targets? (beside the iptables solution)

alfred wrote:

Is there any wl package for 2.6? I think it is just for target 2.4.
So, how to set up mac filter on 2.6 targets? (beside the iptables solution)

el_goretto wrote:

Xwrt/Kamikaze 8.09 (with 2.4 kernel, not a 2.6 with b43 which doesn't support macfiltering as far as I know

I don't know if this 2.6 b43 driver status has changed.

Thanks ninja for the info about wl package.

Btw, I installed it and made some "dirty" modifications to the script from the Kamikaze documentation:

#!/bin/sh /etc/rc.common
# The macfilter 2 means that the filter works in "Allow" mode.
# Other options are: 0 - disabled, or 1 - Deny.
#
# The maclist is a list of mac addresses to allow/deny, quoted, with spaces
#  separating multiple entries
# eg  "00:0D:0B:B5:2A:BF 00:0D:0C:A2:2A:BA"
START=47
#MACFILTER=`uci get wireless.wl0.macfilter`
# The uci path is quoted so the shell does not treat [0] as a glob, and the
# variable is quoted in the tests so an unset option (empty value) does not
# break them.
MACFILTER=`uci get "wireless.@wifi-iface[0].macfilter"`
[ "$MACFILTER" = "allow" ] && MACFILTER=2
[ "$MACFILTER" = "deny" ] && MACFILTER=1
[ "$MACFILTER" = "none" ] && MACFILTER=0
# Anything else (including an unset option) leaves the filter disabled
# instead of passing an unknown word to wlc.
case "$MACFILTER" in 0|1|2) ;; *) MACFILTER=0 ;; esac

#MACLIST=`uci get wireless.wl0.maclist`
MACLIST=`uci get "wireless.@wifi-iface[0].maclist"`

start() {
        wlc ifname wl0 maclist "$MACLIST"
        wlc ifname wl0 macfilter "$MACFILTER"
}
stop() {
        wlc ifname wl0 maclist none
        wlc ifname wl0 macfilter 0
}

So the Xwrt webif still injects a valid configuration into /etc/config/wireless, which is properly translated by this script.

--
edit: tested on 2.4 branch, and it seems to work correctly in "allow" mode at least.
mac filtering: Solved for me.

(Last edited by el_goretto on 23 May 2009, 20:48)

Just a shame this topic sank into nowhere...

Hullo,

I have MAC filtering working, thanks largely to this post (thanks!). My script is similar to el_goretto's and I have installed it in /etc/init.d. So far so good.

When I add or remove a MAC address from my list I'd ideally like this script to be called automatically. I noticed the message "Reloading wireless ..." that appears when I update my mac list via the webif2 wireless configuration page.

So far my experiments with adding calls to my init script have been random shots in the dark. I'll keep on plugging, and post the solution should I stumble onto it, but would appreciate any help if it can be given.

thx

(BTW - I'm running KAMIKAZE (8.09.1, r18452))

If I understood b43 homepage correctly, then it should support mac filter. Any inputs on this?

I really would like so see wrt-radauth ported to support kernel 2.6 and b43 but I guess this is a dream never come true.
