MAC Address filtering across multiple access points


Posted on Thu Jan 24, 2013 2:21 am

Please excuse me if I use the incorrect terms or use the terms incorrectly.

I can't get a single wireless router to cover the whole house. So we have a primary wireless router and then we have 2 other wireless routers connected to it (the house is prewired). These other routers are located around the house and set as access points. The primary router is the DHCP server. The main router also is providing the DHCP address reservations. Basically, I configured the main router with all the rules I want for the entire network. I just want the access points to provide a signal but follow all the rules I set for the whole network.

Now, my question is this. I've set up MAC Address filtering on the primary router. Now, if someone tries to connect to one of the access points, are those access points going to follow the rules of the primary router? Or do I need to configure all the routers with their own rules?

Thank you for any tips you guys can provide me. :)
onlysublime
Gerbil
 
Posts: 81
Joined: Sat Jul 16, 2005 3:20 pm

Re: MAC Address filtering across multiple access points

Posted on Thu Jan 24, 2013 3:12 am

I'm not a networking guru but I imagine the best solution depends on your specific needs. If you want to do MAC address filtering I'd imagine you'd want to filter based on the MAC address for your remote access points, not the MACs of individual devices.

Again, depending upon your needs, have you looked into filtering based on the WPA key?
redavni
Gerbil
 
Posts: 17
Joined: Wed Aug 20, 2008 10:06 pm

Re: MAC Address filtering across multiple access points

Posted on Thu Jan 24, 2013 3:30 am

I'm a little confused about what you mean by "filtering based on the WPA key".

Yes, there's a WPA2/AES password on each of the routers. The issue is we're renting out a room and we told him he can have one device on the network. But we don't want him to have multiple devices on the network and we don't want his friends to have access to the network. Since he has the password to get Internet access, he can freely give that to anyone. So the only thing I can think of is MAC filtering to keep the rest off. I know MAC filtering doesn't do much good but I don't think his friends are the type to try to hack the system so I think MAC filtering will be enough to discourage their attempts to access.

I can't directly install stuff on his PC or manage it directly. So I need a way to restrict his use of the bandwidth as well as how many devices he has. I started reading about QoS and also about DHCP reservation and MAC filtering. As far as my understanding goes, I'm not sure what else to look at.

I know I can't control whether he tethers other devices to his "allowed" device. But if we can cap the bandwidth to that allowed device, it doesn't matter to us how many devices he tethers.
onlysublime
Gerbil
 
Posts: 81
Joined: Sat Jul 16, 2005 3:20 pm

Re: MAC Address filtering across multiple access points

Posted on Thu Jan 24, 2013 5:41 am

You've got the right idea. If the other access points are just wireless repeaters, and don't have DHCP enabled so they're not handing out IP addresses, then they'll be passing everything along to the master router. And the master router will do a check against the MAC whitelist before it hands out an IP. Of course any device can "associate" with one of your access points, but if it can't get an IP there's not much it can do -- provided there's an unsophisticated user behind it. Of course you should check the client list periodically to see if anything unexpected shows up.

Some wireless routers support two SSIDs simultaneously, with one being a "guest" network with its own set of rules (this allows you to do things like turn on wireless isolation and disable local network browsing for just the users of that SSID, so your wireless devices can see your other wireless devices and access your network, but users of the guest network cannot).
UberGerbil
Gerbil Khan
 
Posts: 9973
Joined: Thu Jun 19, 2003 3:11 pm

Re: MAC Address filtering across multiple access points

Posted on Thu Jan 24, 2013 4:17 pm

It's pretty easy to statically configure an IP and default route that will get you past DHCP not handing you an address. The MAC filtering on Wi-Fi is more about whether you get to associate or not; I don't know if it will even go to the DHCP configuration and prevent it handing out addresses. You would really need to MAC filter on the NAT side of things. This is all getting above what most home routers will support. Are you running 3rd party firmware or do you have a fancy router?
notfred
Grand Gerbil Poohbah
 
Posts: 3716
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: MAC Address filtering across multiple access points

Posted on Thu Jan 24, 2013 5:21 pm

Thanks for the help, guys. Much appreciated.

My brother tested this out for me. He was able to connect a device that wasn't on the MAC list to the primary router via the SSID/password but he couldn't use the Internet. This is behavior we hoped for.

However, he could connect and browse the Internet when connected to the secondary access point in the back of the house. So this suggests that I do need to set up a MAC address filtering list on each router?

Can you give me a brief primer on this "MAC filter on the NAT side of things"?

I just picked up the Linksys AC 1750 (EA6500) router. And it does have this "guest" network feature that UberGerbil talked about. Can I use this "guest" network feature and somehow provide coverage across all the access points?

Also, is there anything I can do to counter this static IP thing you guys are talking about that will bypass MAC filtering on the wireless routers?
onlysublime
Gerbil
 
Posts: 81
Joined: Sat Jul 16, 2005 3:20 pm

"connected" list is showing a device that's not connected

Posted on Tue Jan 29, 2013 1:48 am

Hi guys, I have a new question and was wondering if anyone knew the answer.

You know my setup in the previous posts above.

My Internet was slow. We have a number of users on it. I was looking at the devices connected list and one of the devices that I own was listed even though I 100% knew the device was totally turned off and actually disconnected. I refreshed the list and it's still showing as "online". Is someone spoofing the MAC and the IP for this device? Is there any way for me to determine what this device is? Or do you think it's just a glitchy list that the router is showing? And is there a way to block it? Simply blocking the MAC and IP would seem like it would disable my actual device if I actually decided to reconnect it to the network.
onlysublime
Gerbil
 
Posts: 81
Joined: Sat Jul 16, 2005 3:20 pm

Re: MAC Address filtering across multiple access points

Posted on Wed Jan 30, 2013 7:40 pm

For the device still showing online, it is most likely just a stale entry, and even if not, there should be something in the GUI to let you kick that device off the network. I think you are going to have to repeat your exact configuration on each AP to get the behavior you are looking for with consumer-grade stuff. The enterprise-grade stuff is more capable of propagating a single configuration across the network.
notfred
Grand Gerbil Poohbah
 
Posts: 3716
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada
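
The periodic client-list check suggested earlier in the thread, extended to flag hosts with no DHCP lease (the static-IP case) and to separate stale entries from active ones, as an added example that is not part of any poster's message. It assumes a primary router or Linux box that exposes `ip neigh show` output and a dnsmasq-style lease file; every MAC, IP and lease line below is constructed.

```python
from collections import Counter

# Constructed sample data (not from the thread). Assumed sources:
# `ip neigh show` on the primary router and a dnsmasq-style lease file.
ALLOWLIST = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
NEIGH = """\
192.168.1.10 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.11 dev br0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.50 dev br0 lladdr de:ad:be:ef:00:09 REACHABLE
192.168.1.77 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.12 dev br0  FAILED
"""
LEASES = """\
1359500000 aa:bb:cc:00:00:01 192.168.1.10 laptop *
1359500000 aa:bb:cc:00:00:02 192.168.1.11 phone *
"""
ACTIVE = {"REACHABLE", "DELAY", "PROBE"}  # neighbour states seen recently

def parse_neigh(text):
    """Yield (ip, mac, state) for neighbour lines that carry a MAC."""
    for line in text.splitlines():
        f = line.split()
        if "lladdr" in f:
            yield f[0], f[f.index("lladdr") + 1].lower(), f[-1]

def parse_leases(text):
    """Return {ip: mac} from lease lines: expiry, MAC, IP, hostname, client id."""
    rows = map(str.split, text.splitlines())
    return {f[2]: f[1].lower() for f in rows if len(f) >= 3}

def audit(neigh_text, lease_text, allowlist):
    """Return ({ip: [flags]}, [stale ips]) for the router's neighbour table."""
    leases = parse_leases(lease_text)
    entries = list(parse_neigh(neigh_text))
    active = [e for e in entries if e[2] in ACTIVE]
    per_mac = Counter(mac for _, mac, _ in active)
    alerts = {}
    for ip, mac, _ in active:
        flags = []
        if mac not in allowlist:
            flags.append("not-allowlisted")      # device missing from the MAC list
        if leases.get(ip) != mac:
            flags.append("no-dhcp-lease")        # static IP, or lease held by another MAC
        if per_mac[mac] > 1:
            flags.append("mac-on-multiple-ips")  # one MAC active on several addresses
        if flags:
            alerts[ip] = flags
    stale = [ip for ip, _, state in entries if state not in ACTIVE]
    return alerts, stale
```

Run it against the primary router's tables, since traffic from clients of the bridged access points passes through that router on its way to the Internet.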

Re: MAC Address filtering across multiple access points

Posted on Thu Jan 31, 2013 12:45 am

I hope it's a stale entry. I looked everywhere for a feature to remove a system. I'll dig more but I see no option to kick a system off the network. I can't believe a router would not have that option. You'd think a $200 router would have that feature!

Anyways, thanks for the reply. Yeah, I'll start implementing whatever lockdown features I can do across all of them.
onlysublime
Gerbil
 
Posts: 81
Joined: Sat Jul 16, 2005 3:20 pm

