WRT54GS - MAC Address Filter & Firewall SPI

Hi,
I just purchased a WRT54GS V 6 wireless router.  I updated the firmware to the latest (May 30) and the set up seems to be OK.  Using the security recommendations in the manual as a guide, I implemented them - the turn off SSID, and the others. 
If I try to filter the MAC addresses (accept only those on the list) for my wife's Sony VAIO VGN - S260 laptop, it can see the network but will not connect. When I turn off the MAC filtering, it is fine. I used the WPA2 personal encryption, and input the passphrase into both router and computer.
My other issue is the firewall Stateful Packet Inspection (SPI). On the Security set up screen, firewall tab - I have the four radio button settings that I am supposed to (Block WAN request, filter Multicast, Filter NAT, & Filter IDENT), however, I do NOT have the option to turn on the firewall (SPI) above the 4 radio buttons - that setting is totally missing from the set up screen. Reference Page 28 of the manual.
I would appreciate any help or suggestions, as I could not find any ideas searching the forum. Thanks for your help.
Message Edited by donh127 on 08-07-2006 07:00 PM

Hi. Is your Mac mini loaded with the OSX server edition or OSX consumer edition? I am not 100% sure but I think you need a server edition to do that.

Similar Messages

  • WRT610N: Cannot enter MAC address in MAC address filter list

    My WRT610N cannot accept a very specific MAC address in any position of the MAC address filter list.  It is a valid address and it was working fine in the filter list of my WRT54G but the 610N will just not take that specific address!  What is this all about?

    gv wrote:
    There is nothing like a "non-critical setup". It's enough to drive by with a car and within a few minutes your network is hacked. Or it's the bored teenager next door...
    I recommend to replace the WEP only device instead of taking the risk of a hacked network.
    And just forget about the wireless mac address filter. Anyone, who wants to crack your WEP network will collect enough accepted MAC addresses during the cracking process. It's just not worth the trouble to set up the filter and keep the list current...
    Thanks for the diligent follow-up gv but I can't replace the WEP-only device for now. (I need to go through a conversion process for that device to accept WPA and that will take a fair amount of time.) I understand your point about getting accepted MAC addresses but, at least, it requires a bit more effort... Maybe I will return the WRT610 and stick with my old WRT54 until the 610 gets fixed...

  • WRT54GL MAC ADDRESS FILTER

    Hi, I have a WRT54GL wireless access point and I configured it with a MAC address filter, but it allows me to enter only 40 MAC addresses and I need more. Is there any way to add more? Thanks

    Install 3rd party firmware like dd-wrt or hyperwrt+thibor. That should give you more. However, remember a bad flash may brick the router and is not covered by warranty.
    Also remember, that the wireless mac address filter does not provide you with any reasonable security. MAC addresses are quickly captured and quickly cloned. It only takes a few minutes to gather some mac addresses which are allowed into your wireless network and that's it.
    Set up wireless security with WPA2 or WPA and a strong passphrase. That's all you can do to really protect your wireless.
    If you want more detailed access control, consider installing a RADIUS server and using user/password authentication based on WPA2 or WPA (using the RADIUS or Enterprise variants).
    But the wireless MAC address filter is widely overrated as a security measure and only requires a lot of work and time to maintain the lists.

  • MAC address filter on router does not work for iOS8

    The MAC address randomization feature in iOS8 is great for privacy, but this being the case, I am not able to connect to a wi-fi router that employs a MAC address filter. Is there a way to turn off this MAC address randomization?

    I had this problem. I followed the directions to replace the netinfo db's. I rebooted, and started going through the initial OS X welcome stuff. When I tried to re-enter my user stuff, I got a "sorry, standard user cannot be added" error, and the machine went to a blue screen.
    This is odd, as I have completely restored the system from scratch (reformatted the hard drives, reinstalled). The first boot up it works fine. It seems that one of the updates must be screwing it up, because after it gets through updating, when it reboots, I can't log in.

  • MAC Address Filtering and SPI set up

    Hi,
    I just purchased a WRT54GS V 6 wireless router.  I updated the firmware to the latest (May 30) and the set up seems to be OK.  Using the security recommendations in the manual as a guide, I implemented them - the turn off SSID, and the others. 
    If I try to filter the MAC addresses (accept only those on the list) for my wife's Sony VAIO VGN - S260 laptop, it can see the network but will not connect. When I turn off the MAC filtering, it is fine. I used the WPA2 personal encryption, and input the passphrase into both router and computer.
    My other issue is the firewall Stateful Packet Inspection (SPI). On the Security set up screen, firewall tab - I have the four radio button settings that I am supposed to (Block WAN request, filter Multicast, Filter NAT, & Filter IDENT), however, I do NOT have the option to turn on the firewall (SPI) above the 4 radio buttons - that setting is totally missing from the set up screen. Reference Page 28 of the manual.
    I would appreciate any help or suggestions, as I could not find any ideas searching the forum. Thanks for your help.

    You can try changing a few wireless settings in the router's wireless section. Go to the advanced wireless settings; here you can reduce the beacon interval to 50, and also reduce the RTS and Fragmentation by 40 each.

  • E 2500. Mac Address Filter. Improvement. Suggestion

    Hi, what brings me here is a suggestion for improvement in the product management software. Where you make any configuration and / or alteration.
    My suggestion concerns the application of the 'MAC Number filter'. This application allows you to add devices that may or may not access the Linksys E2500.
    It turns out that in the current version of this management software, an entry inserted into the list (restrictive or permissive) of the 'MAC Number filter' applies to both of the Wi-Fi networks generated (2.4 GHz and 5 GHz).
    In my case the core network for home use is the 5 GHz one, and the 2.4 GHz network was set to 'guests'.
    So, when someone comes to my house, the 'Network - Guest' can only be used if:
    1- I am applying MAC address filtering for my household devices and individually enter the MAC address of each guest; or
    2- I do not use MAC number filtering for my home devices.
    I understand that this security feature (MAC number Filter) is very good and helpful. But the way it is designed is not practical.
    My suggestion is to update the management / configuration software to enable:
    A) The owner can set the allow list or prohibition list of the home devices in the MAC number filter separately, in the 5 GHz network (main), leaving the Guest Network free;
    B) Provide the update mentioned in item 'A' (above) also in Cisco Connect application.
    Thank you for your time and attention.

    I think other manufacturers follow the same MAC address filtering protocol but I'm cool with your suggestion and it might be implemented in the future by Linksys. Enabling the Guest Access on the router's setup page (Wireless tab > Guest Access) will ease you out of the hassle of inputting the MAC addresses of your guests' wireless devices. Your visitors will still be able to connect to the guest network even if the MAC address filtering is enabled but those will have limited access to your network.

  • CSS VIPs use old MAC address after firewall failover

    We have our CSS load balancers behind our firewalls in a DMZ, and when the firewall fails over, the physical interface changes the MAC address to the new address of the now active firewall, but the VIPs do not, and all traffic to those VIPs is broken. Has anyone experienced an issue like this before? Any help would be appreciated.
    Thanks.

    I understand you have CSS load balancers behind firewalls in a DMZ. Could you clarify what interface changes the MAC address to the new address of the now active firewall after firewall failover? Are you expecting the VIPs to fail over too?
    If the firewall failed over, it depends on the type of firewall; for some firewalls the MAC will change, and the new active firewall sends a 'gratuitous' ARP, which makes the neighboring devices save the new MAC address of the active firewall with the IP address. It seems to be your case. If for some reason that is not happening (gratuitous ARP missing), it could cause issues like the VIPs on the CSS being broken.
    The failover of the firewall should be transparent to the CSS VIPs. Did you take a capture to see what is happening? Did the CSS receive requests properly? Is the CSS load balancing to the servers properly?
    If you require CSS failover when the firewall fails over, then you can define a critical service (layer 3) or critical physical interface (layer 2), and if that detects the link to the firewall being down, then it could fail over.

  • Is a MAC address filter incompatible on an extended network?

    Hello all,
    I've bought myself an Airport Express and an Airport Extreme.
    The Express serves two roles:
    1. Play music
    2. Extend my network (a real extension, not just a network join)
    On my Extreme, I've set up MAC address filtering with a time-based access (to avoid hacking of my network during the night -- don't worry, I have WPA2 security too...). Here's what I've done:
    - All devices: no access from 11 PM to 7 AM
    - Airport Express: always access
    - Macbook Pro: always access
    So far, so good.
    Now, the problem I see is the following: IF my Express has access anytime, then an unknown device CAN connect to my network at night (midnight for example) simply because it will connect on my Express instead of my Extreme! It's like an unlocked back door!
    So, from what I see, when I extend a network, the MAC filtering is not passed along to the "extending" devices. Also, on an extended network, I CAN'T set a MAC filter... So I'm stuck with an unsecure extending device.
    So, my question is the following: is this normal behavior or is this an oversight from Apple? In other words, how can I extend my network and "propagate" my security setting on all my devices?
    Thanks!
    P.-S. On another topic, but related, any idea how to apply a setting without rebooting the router every time? This is very annoying.

    Hi. Yes, this works fine. I have these Wi-Fi base stations in these configurations on the same subnet in my place, using MAC filtering (access control) in two extended networks. Here's how I do it.
    • AEBS 802.11n@5Ghz 9DHCP and WAN.. and MAC ADDRESSES. TimecapsuleTV = SSID="my5Gwifi" , closed network
    • 1 x AEBS 802.11g 2.4Ghz snow coloured dome base station (connected through ethernet to the main 802.11n AEBS) + 2 x 802.11g APx's + 802.11N APX; closed network; name | SSID ="my2.4Gnetwork"; all bridge mode. For WDS add all MAC addresses of all devices like iphones, ipods, macs, pea-seas, PS2's etc and the other APX base stations too!
    Here's the deal:
    For the 802.11N base stations (AEBS, TC or APX gen 2), the extensible wifi stations are set up through "extend this network" in the Airport Utility. There is no provision for the extension stations to add any ACCESS control if you use BRIDGE MODE (as I would advise you to do).
    • For the 802.11g or WDS I have found that you must ADD all the MAC addresses in EACH of the base stations. This is simple to do by exporting all the MAC address config lists and importing them as you need. This works fine.
    My company registers all laptop wireless NICs worldwide. We have over 300,000 employees (3 x 10**5), all dynamically VPN'ed and MAC address filtered for Windows, Linux and Unix. It works for them worldwide. Walk into any office and you are connected.
    As for me and others, WEP, WPA2 and all that is a mess around for hours (with that awful Redmond based software), frustrating and a huge waste of time when someone tries to connect to your system with some of those ghastly Microsoft operating systems. They all have their quirks. Vista - well you mostly know.
    In any case the simplest and I believe effective for most is MAC ADDRESS filtering.
    FWIW all ways can be infiltrated.. you just need to monitor your network or add a GBE hub and use cables where the cables are in a locked room.
    hth
    w

  • Netboot MAC Address filter settings do not hold

    I was able to find this fix for getting the Model property settings to stick:
    * Stop Netboot
    * Uncheck Enable image
    * Make the change
    * DO NOT click "Save"
    * Check Enable image
    * Start Netboot
    but the MAC Address filtering settings do not stay
    Any ideas? My Xserve is running 10.5.5 with all of the latest updates.

    Setting "per image" filtering does not work. This is a known issue. You can set filters for the entire server however.

  • Mac address filter

    Is it possible to identify the visitor's MAC address using PHP?
    If yes, is there anything to prevent you from limiting access to specific MAC addresses (say by using an IF statement to redirect other users to a different site)?

    You can identify the IP address, but that doesn't take you down to the level of the individual machine.
    Barry

  • MAC Address

    I have a WRT54GS router connected to cable internet. From this, I have 3 computers, 2 laptops and one desktop. I would like to get my network so only these 3 computers can connect and on top of that, would like to give them 100% free access to the internet.
    Reason for that is, I use Azureus to download torrents on my desktop, so I guess that one would be the one that needed the full access. I have a firewall on my notebook, anti spyware, need to find some virus protection. Can someone give me a step by step guide to at least add the 3 MAC addresses to my router?

    I believe you can only use the MAC Address filter on wireless devices, but I am not sure.
    For wireless devices go to the Wireless tab and then go to the Wireless MAC Filter sub-tab. Click enable and select the option that says "Permit Only". Now click the "Edit MAC filter list" button and enter the MAC addresses for your wireless PCs (this may work with wireless but I am not sure).
    To find the MAC address on your PCs go to Start > Run > type in CMD and then type in ipconfig /all
    Hope this helps

  • Is there any way to find my new Mac Mini's Mac Address before I complete the initialization of the new Mini?

    I am starting my new Mac Mini for the first time. (My first Mac was a classic 128K that I upgraded myself to 512K back in 1985. My most recent Mac is a G4 466 Mhz unit that I am eventually replacing with the new Mac Mini.)
    I hit a snag when I got to the point where the Mini wants to connect to my home network. The network has my G4 and a MacBook on it. I have my linksys WRT54G Router set to accept only those MAC Addresses that I have authorized. This is because there are several neighborhood networks that are within range of mine.
    At this point I can either disable this filtering for a short time or find the MAC address of my new Mini before I initialize it.
    Can I find the MAC address before I initialize the Mini?
    Thanks,
    -Joe

    The serial number and the part number were on the outside of the shipping container. Nothing on the bottom of the unit at all. I worked around this problem by temporarily disabling the MAC Address or hardware address filter on my router until I was able to look up the MAC Address on the machine, entered it to the MAC Address list then I re-enabled the MAC Address filter on the router.
    Thanks for the response, anyway.
    -Joe

  • Multicast mac-address Nexus 7k

    Hi,
    I'm going to use Nexus 7000 in a Data Center.
    During configuration analysis, I need to define a mac-address-static configuration for the multicast MAC address of a Firewall Checkpoint cluster.
    The "Layer 2 Switching Configuration Guide, Release 4.1.pdf" documentation says:
    "Configuring a Static MAC Address
    [..]You cannot configure broadcast or multicast addresses as static MAC addresses[..]"
    Do you have a suggestion to manage this problem, and why is it not possible to configure a static multicast MAC address?
    Regards
    Dino

    Joseph - The ClusterXL A/A configuration is a variation of the StoneSoft or Rainfinity clustering technologies that have been used to cluster Solaris and other *NIX flavored servers and firewalls for years. (In fact, StoneSoft filed suit against Check Point in Europe 8 or 9 years ago for patent violations, and lost.) These configurations were very common on Check Point clusters running on Solaris from the late 90's forward - and, as you describe, have unicast IPs with a multicast MAC for the VIP. Even from the days of installing these on the brand new (at the time) 2900 series switches you had to do exactly as you state above - static MAC entries (or in some cases port mirrors) so traffic was directed to both active switch ports. In Active/Passive mode Check Point ClusterXL clusters are almost always "plug and play" today - rarely do the switches need anything beyond speed/duplex settings. The VIP assumes the MAC of the physical NIC it is currently bound to, and therefore there are no issues as far as switch config or proxy ARP entries on the gateways. All of these issues have to do with traffic flowing to the VIP and through the firewall, and the ability of the switch to correctly identify which physical switch port(s) the VIP is currently patched into. This is one of three types of traffic associated with ClusterXL itself. The second is state synchronization, which is accomplished through a crossover cable and therefore not relevant. Even when using a switch, state sync is a typical TCP 18181 connection from a unicast IP/unicast MAC on one gateway to the other through a dedicated interface pair.
    The challenge described by CJ is not with the traffic flowing to the VIP, however. It is an entirely separate process - Check Point Clustering Protocol (aka CPHA if filtering in Wireshark) is essentially the heartbeat traffic. Every interface pair within a Check Point cluster continually communicates with its "partner" interface on the other cluster members. If any packet takes over 100ms or shows more than a 5% loss the gateway is forced into "probing" mode where it falls back to ICMP to determine the state of the other cluster member. Depending on the CPHA timing settings an active gateway will fail over to the passive in as quickly as 500ms or so. ClusterXL will fail over the entire gateway to the standby to avoid complications with asynchronous routing.
    Out of the box, CCP is configured to use multicast, but it supports broadcast as well. To change this in real time (no restart required) simply issue the command:
    cphaconf set_ccp {broadcast/multicast}
    At the Ethernet level, CCP traffic will always have a source MAC of the Magic MAC of 00:00:00:00:xx:yy where XX is the “Cluster ID” – something identical on each cluster member but unique from one cluster to another, and YY is the cluster priority (00, 01, etc.) based on the priority levels set on cluster members within Dashboard on the cluster object. The destination MAC will always be the Ethernet broadcast of ff:ff:ff:ff:ff:ff.
    At the IP level the source of CCP will always appear as 0.0.0.0. The destination will always be the network address (ie, x.x.x.0).
    Similarly in multicast mode you will see the same traffic at the IP level but at the Ethernet level the destination will now be an IPv4 multicast MAC (ie, 01:00:5e:4e:c2:1e).
    In a tcpdump with the -w flag opened in Wireshark and a filter applied of just “cpha” (without the quotes) you should see a continual stream of traffic with the same source and destination IPs on all packets (0.0.0.0 and network IP), the destination of either a bcast or mcast MAC and the source MAC alternating between 00:00:00:00:xx:00 and 00:00:00:00:xx:01.
    Long story short, the problem CJ is describing is a behavior on the 7K where a packet capture taken on the Check Point interface itself (ie, tcpdump -i eth0 -w capture.cap) ONLY shows CPHA traffic from its own source MAC and no packets from its partner. A tcpdump on the 7K itself will show traffic from both.
    As CJ mentioned, a simple NxOS upgrade will fix the issue per:
    This one: CSCtl67036. Basically, prior to NX-OS 5.1(3) the Nexus will discard packets that have a source of 0.0.0.0, which in broadcast mode is exactly what the CCP heartbeat is. We bypassed this one. CSCsx47620 is the bug for the static multicast MAC address feature but it requires 5.2 code on the 7k.
    (NOTE: Additional RAM may be required for the 5.2 update)
    Also note that Check Point gateways do support IGMP multicast groups, given that you have the correct license. It is a feature of SecurePlatform Professional on the higher end gateways or as a relatively inexpensive upgrade on the lower end boxes or open platforms. For lab purposes you can simply type “pro enable” at the CLI (without the quotes). As of the latest build there is no technical limitation (no license check) so you can enable advanced routing features as needed for testing in a lab. For step by step details on configuring IGMP on SPLAT Pro go to the Check Point support site and search for sk32702.
    This can be a frustrating issue to troubleshoot, so hopefully this helps someone avoid the headaches I ran into.
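
Added example, not part of the original post and not Check Point or Cisco code: a Python check that applies the frame pattern described above (magic source MAC 00:00:00:00:xx:yy, IP source 0.0.0.0, broadcast or IPv4-multicast destination MAC) to raw frames and reports which cluster members' heartbeats are missing from a capture. The sample frames, the cluster ID 0xfe, the 192.0.2.0 network and all function names are constructed for illustration, and untagged Ethernet II is assumed.

```python
import socket
import struct

BROADCAST_MAC = bytes.fromhex("ffffffffffff")
IPV4_MCAST_MAC_PREFIX = bytes.fromhex("01005e")
MAGIC_MAC_PREFIX = bytes(4)  # 00:00:00:00, followed by cluster ID and priority


def classify_frame(frame: bytes):
    """Return (cluster_id, member, mode) for a CCP-looking frame, else None.

    Assumption: untagged Ethernet II carrying IPv4 (no 802.1Q header).
    """
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte IPv4 header
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None
    if src[:4] != MAGIC_MAC_PREFIX or frame[26:30] != bytes(4):
        return None  # not the magic source MAC, or IP source is not 0.0.0.0
    if dst == BROADCAST_MAC:
        mode = "broadcast"
    elif dst[:3] == IPV4_MCAST_MAC_PREFIX:
        mode = "multicast"
    else:
        return None
    return src[4], src[5], mode


def heartbeat_report(frames, expected_members):
    """Per cluster ID: members seen, members missing, and CCP modes observed."""
    report = {}
    for frame in frames:
        hit = classify_frame(frame)
        if hit is None:
            continue
        cluster_id, member, mode = hit
        entry = report.setdefault(cluster_id, {"seen": set(), "modes": set()})
        entry["seen"].add(member)
        entry["modes"].add(mode)
    for entry in report.values():
        entry["missing"] = sorted(set(expected_members) - entry["seen"])
        entry["seen"] = sorted(entry["seen"])
        entry["modes"] = sorted(entry["modes"])
    return report


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b"\x00" * 8):
    """Build a constructed Ethernet II + IPv4 frame (checksum left at 0)."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                            64, 17, 0, socket.inet_aton(src_ip),
                            socket.inet_aton(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip_header + payload


# Constructed sample frames (not taken from a real capture).
MEMBER0 = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:fe:00", "0.0.0.0", "192.0.2.0")
MEMBER1 = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:fe:01", "0.0.0.0", "192.0.2.0")
MCAST1 = build_frame("01:00:5e:4e:c2:1e", "00:00:00:00:fe:01", "0.0.0.0", "192.0.2.0")
NOISE = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:aa:bb:cc", "192.0.2.10", "192.0.2.255")

HEALTHY = [MEMBER0, NOISE, MEMBER1, MEMBER0]  # both members' heartbeats arrive
SYMPTOM = [MEMBER0, NOISE, MEMBER0]           # only the local member is seen

if __name__ == "__main__":
    print("healthy:", heartbeat_report(HEALTHY, {0, 1}))
    print("symptom:", heartbeat_report(SYMPTOM, {0, 1}))
```

A non-empty "missing" list for a capture taken on a gateway interface corresponds to the symptom in the post: the gateway sees only its own heartbeat source MAC.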

  • Do I need to add Base Station MAC address to list?

    Hi, If I choose to use MAC address filtering on my Airport Extreme Time Capsule, do I need to add the wireless MAC address of the Base Station to the list of allowed MAC addresses???  I'd feel real bad if I set up a list, didn't include the base station's MAC address and then could never get in to the network again because I, in effect, locked myself out???  I doubt that address needs to be included but I would like some feedback on that.
    Second, does the one MAC address filter list apply to the Guest Network as well if I should choose to turn it on???  If that was the case, I would just turn off MAC address filtering while guests were present.
    thanks..  bob

    If I choose to use MAC address filtering on my Airport Extreme Time Capsule, do I need to add the wireless MAC address of the Base Station to the list of allowed MAC addresses???
    No. Timed Access would be for wireless devices....computers, mobile devices, printer, etc., that are connecting to the Time Capsule. The Time Capsule does not connect to itself in this regard.
    I'd feel real bad if I set up a list, didn't include the base station's MAC address and then could never get in to the network again because I, in effect, locked myself out???
    Sometimes, users lock themselves out by mistake by entering incorrect times for devices to connect, and they often forget that they can connect to the base station using an Ethernet connection and get back in that way.....since Timed Access only applies to devices that connect using wireless.
    does the one MAC address filter list apply to the Guest Network as well if I should choose to turn it on???
    Yes

  • Import / Export of MAC Address Filters (wrt610n to wrt1900ac)

    Is there an easy way to transfer my large MAC address filter list between these two Linksys routers?

    Hi Yemble. There's no easy way to transfer MAC Addresses from one router to another but to do it manually. Sorry.
