WRT160N V3 router ignores MAC address Access Restrictions, Filtering policies

I have added a list of 2 MAC addresses in the Access Restrictions for the access policy #1 and enabled it with Allow policy.  But one of my PC's MAC address which is not on the list of access policy #1 still can access the internet and ping websites.  I tried to add a Deny policy in 2nd policy for this PC MAC address and then it can not ping websites anymore.
The problem is why my PC with a MAC address not on the list of Allow Policy #1 can access the internet? It seems the router Access Restrictions don't work well.

I've already added Deny rule (blocking all LAN IPs) to all computers accessing my network in Access Restrictions Policy #1 but I leave one PC left to access the router web configuration.
Then in Acess Restrictions Policy #2, I added an Allow rule to one of my PC's MAC addresses (and its IP too) but the PC can not access internet and ping websites. It looks like the allow rule in policy #2 doesn't overwrite the Deny rule in Policy #1.

Similar Messages

  • Arp aging time on router and mac address aging time on switches set close t

    Hi,
    appreciate some advice on the following:
    what is the benefit of setting arp aging time on router and mac address aging time on switches close to each other?
    Thanks,
    Christina

    Hi,
    based on the below output, do you think implementing it will benefit? Thanks.
    C2950#sh int fa0/43
    FastEthernet0/43 is up, line protocol is up (connected)
    Hardware is Fast Ethernet, address is 000d.5e11.4e2b (bia 000d.5e11.4e2b)
    MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
    reliability 255/255, txload 7/255, rxload 2/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, 100Mb/s
    input flow-control is off, output flow-control is off
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 933000 bits/sec, 149 packets/sec
    5 minute output rate 2981000 bits/sec, 263 packets/sec
    2819781393 packets input, 3782332886 bytes, 0 no buffer
    Received 266693 broadcasts (0 multicast)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected
    4015025747 packets output, 2328228393 bytes, 0 underruns
    0 output errors, 0 collisions, 2 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 PAUSE output
    0 output buffer failures, 0 output buffers swapped out
    C2950#

  • MAC address access control

    Why does my airport express/time capsule show more wireless clients than I've authorized via the MAC address access control?

    Sorry, but I have to re-awaken this old thread.
    1. I recently purchased a new iPad.
    2. With a) a hidden SSID, b) a MAC address-based access control list and c) a WPA2 secured network, I am assuming that no new device should be able to access my WiFi network.
    3. When I got home with the new iPad on Friday evening, and started it, it was online without even asking me whether to connect, or what the WPA2 key was.
    I find this strange.
    Additional information:
    4. I also have an iPhone 4S.
    5. I used the personal hotspot feature of the iPhone 4S to connect the WiFi-only iPad to the Internet while on the road.
    6. That personal hotspot feature was still enabled when I got home with the iPhone and the new iPad.
    7. Home network setup:
    7a) Fritz.Box 7270 as DSL modem/router (WiFi disabled)
    7b) Apple Airport Extreme (v 7.6.4) connected via LAN to DSL router, (in bridge mode, create wireless network), Access control on this base station.
    7c) Apple Airport Express (v 7.6.4) connecte to Airport Extreme via WiFi (extend wireless network), Access control not an option on this base station.
    8. Native IPv6 enabled on all devices (and provided by ISP).
    Any suggestion and help is highly appreciated.

  • SG300 inter-VLAN routing and MAC address changes in incoming packets

    Hello
    I have SG300-20 working in Layer3 mode
    VLAN1 is not used
    Internet gateway is in VLAN211
    Clients are in other VLANs
    Switch is default gateway for clients and itself has internet gateway as default route.
    MAC address of switch is XX:XX:XX:XX:XX:63
    When client sends trafic to Internet destination MAC address in outgoing packets is XX:XX:XX:XX:XX:63
    But in incoming packets source MAC address is XX:XX:XX:XX:XX:69
    Why does it change? And how can I setup switch to use only XX:XX:XX:XX:XX:63 MAC address?

    Hi Robert,
    I'd like to pick up this old thread because we have a huge problem with the behavior of the SG300 router/switch regarding the "spoofed" MAC source addresses. We have connected this switch to another router which has some special routing capabilities. It routes certain IP packets directly to MAC addresses which it learned from snooping on special traffic.
    When connected to a SG300 router with an Ethernet base address of XX:XX:XX:XX:XX:48 we receive packets with Ethernet source addresses like e. g. XX:XX:XX:XX:XX:49 or XX:XX:XX:XX:XX:4D (depending on which hardware port they came from). Our special router "learns" these MAC addresses and tries to send associated outgoing packets directly to these addresses using e. g. XX:XX:XX:XX:XX:49 as the MAC destination address.
    Our problem is that the SG300 does not forward the packet if the MAC destination address is not equal to the switch's Ethernet base address (XX:XX:XX:XX:XX:48 in our case). This renders the SG300 series useless for our systems.
    Is there new firmware available which fixes this problem for us? We don't care which MAC source address the SG300 uses in incoming packets we receive, but we expect that the SG300 handles packets correctly for outgoing packets we send with this MAC address as the destination address.
    Thanks,
    Chris

  • MAC address access control default?

    I'm still using old graphite ABS, and all of them
    are using MAC address access control.
    Just by accident I connected a PB G4 with an
    internal extreme Airport card.
    The MAC address of this AirPort card wasn't in the
    access list of the ABS.
    It looks like ABS does only limit access through
    MAC addresses for 802.11b cards. I'll spend some time
    to double check this behaviour.
    Did anyone already see this default of access
    control?

    I'm pretty well aware of the limitations of any kind of
    MAC address control: in an hostile environment its a
    "straw house" or an "empty extinguisher".
    But in a collaborative and friendly environment I thought
    it may be a useful "frontier marker" between "friendly" and
    clearly "hostile" behaviors.
    This belief was foolish.

  • Extended 48-bit MAC address access list

    How can I apply extended 48-bit MAC address access list on Cisco 7606?

    You can use the following example for the MAC address based access list :
    mac access-list extended CAPTURE 10
    permit any any
    vlan access-map IDS 10
    match mac address CAPTURE
    action forward capture
    vlan filter IDS vlan-list 115,119
    interface FastEthernet 3/48
    switchport
    switchport capture

  • Mac-address access lists

    I have a single remote device attached to a 1700 sereis router. I need to ensure that if anyone disconnects the device, they can't easily plug anything elses in to the router and hence wanted to use a mac-adddress access list.
    I have created an access list as follows:
    access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.
    Can anyone confirm if this is possible on a router or does this only work on a switch?

    No, its the Ethernet local LAN interface of a routed link so no bridging going on.
    Config below:
    interface FastEthernet0
    description Mufulira Post Office Post Office LAN
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    ip access-group 120 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    speed auto
    full-duplex
    no cdp enable
    IP access lst 120 defines just a single host allowed in to a group of servers.
    I'm having to tie everything down as much as possible as its for a remote ATM on the end of a Wireless backhaul link and our Risk people are trying to insist that we use mac address security as well. I am already running a GRE tunnel and IPSec 3DES over the routed portion of the link.

  • Browser corrupting MAC address access-list in 1232 AP

    We're having a problem with an access point when we try to build Mac Address filter tables using the browser inteface. Here is what we have:
    Product/Model Number: AIR-AP1232AG-A-K9
    System Software Filename: c1200-k9w7-tar.123-8.JEA
    System Software Version: 12.3(8)JEA
    Bootloader Version: 12.3(2)JA4
    Something is corrupting browser generated Mac address filter lists and causing us to have to manually remove the lists using the CLI even though the CLI was never used as the list was being entered initially.
    When the browser works, the CLI shows the table as:
    permit 0040.965d.db6b 0000.0000.0000 (3799 matches)
    permit 0016.e3ec.3e06 0000.0000.0000
    permit 00a0.f8ec.9dcd 0000.0000.0000 (7814 matches)
    permit 001c.26c8.3f60 0000.0000.0000
    permit 001a.731e.4f6e 0000.0000.0000
    permit 0040.9652.50ff 0000.0000.0000 (5899 matches)
    permit 0040.9649.08c0 0000.0000.0000 (2010 matches)
    deny 0000.0000.0000 ffff.ffff.ffff
    When the browser doesn't work, it shows up like this in the CLI:
    permit 0016.e3ec.3e06 0000.0000.0000
    permit 00a0.f8ec.9dcd 0000.0000.0000
    permit 001c.26c8.3f60 0000.0000.0000
    permit 001a.731e.4f6e 0000.0000.0000
    permit 0040.9652.50ff 0000.0000.0000 (179 matches)
    permit 0015.7032.7e37 0000.0000.0000
    deny 0000.0000.0000 ffff.ffff.ffff (69 matches)
    permit 0040.9649.08c0 0000.0000.0000
    With the last permit entry that follows the deny being one that we tried to add.
    Is there a way to use the CLI to edit the list so that it can be updated by the browser? Any ideas why the list is getting messed up like this in first place? Do we need to upgrade the AP's software?

    Are you IE. If you have Google toolbar check if you have any Pop-up blocker or Anti-spy in the system blocking this . Try disabling them . If it doesnt work try using Mozilla Firefox.

  • Lynksys Router requires MAC address

    I have a new iPhone and want to connect to my home wi-fi network. I require a MAC address to be put into the Lynksis to allow connection to my network. How can I get the MAC address for my iPhone?

    Where do you enter the Mac address in the router?

  • MAC (Media Access Control) filtering

    I have MAC filtering set on my wireless router. How can I find the MAC address of my iPod Touch to be able to let it thru'?
    Thanks
    Nigel

    Ben,
    Many thanks for that and sorry for the slow reply!
    Now I just need to find how to get my music and videos onto it without having to use iTunes or download stuff and pay for it! I will be happy.
    Thanks
    Nigel

  • RBE: ignoring MAC address?

    When RBE is configured on an ATM interface. Design guide tells me that incoming packets are directly forwarded to the IP routing process.
    We've configured RBE on a ATM Interface and see every incoming IP packet beeing processed by the IP routing - even if the packet has not a MAC of this RBE interface.
    So this RBE interface seems to be in promiscuous mode and processes packets for other IP host as well.
    Is it correct that IRB makes a MAC filtering and RBE does not?

    Hi,
    I never tried what you say, but I can perfectly believe that there is no check on received mac w/ RBE. This way there is less code to execute, and less chances that a misbehaving CPE won't work and cause calls to ISP's customer service.

  • MAC address and router access control

    My iPhone 3GS can only access the network (through my Netgear KWGR614 wireless router) when the router's MAC address access control is off. When I turn it on the phone is blocked. The MAC address I use is taken from the iPhone settings. It begins with 64. All other MAC addresses I have ever seen begins with 00. Is this MAC address correct? If it is right, could it be that the router can't handle this address?

    The first 3 bytes of the mac address identifies the manufacturer. For example, mine starts with 04:1e:64 which is Apple
    04-1E-64 (hex) Apple, Inc
    041E64 (base 16) Apple, Inc
    1 Infinite Loop
    Cupertino CA 95014
    UNITED STATES
    . if it starts with 64 then it belongs to
    64-4F-74 (hex) LENUS Co., Ltd.
    644F74 (base 16) LENUS Co., Ltd.
    18-5 Gwacheon-Dong
    Gwacheon Gyeonggi-Do 427-060
    KOREA, REPUBLIC OF
    check this list : http://standards.ieee.org/regauth/oui/index.shtml
    enter your first 3 numbers (first 3 pairs) from your wifi (settings/general/about) (don't use colons in the search)
    Not sure about the router as I never tried mac filtering. Each router will behave differently.
    Hope this helps.

  • How do I restrict access to Wireless router (800 series) by mac address

    I hope I'm in the correct area.
    I'm trying to deny access to 3 wireless devices to the cisco 800 series wireless router
    The MAC address are:
    MAC Address    IP address      Device        Name            Parent         State
    0014.6caf.410a 192.168.2.26    unknown       -               self           Assoc
    9803.d8ba.cd42 192.168.2.41    unknown       -               self           Assoc
    a4d1.d205.72e1 192.168.2.25    unknown 
    If this cannot be done is it poosible to assign the mac address to an ip address and then denying access to the ip address.
    Thanks
    Jon

    Hello Jon,
    You should be able to do it either way. Best way would be by IP address so you do not even allow the host to associate with your AP.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • WRT160N mac address to use for dhcp reservation

    I have to reserve this one router's MAC address in the main router for the building. Both routers in question are WRT160Ns. The router I have to reserve's MAC address ends in 5A (on the bottom of the router, and in the ARP table when connected via wifi), but it's 5B that is listed in the DHCP resrvation table for the main router. Why is this? What should I do? I am trying to reserve it in order to keep the nettalk voIP adaptor connected to the network.

    How about if you access the setup page of the 2nd router then go to the status and check the local mac address under the local network subtab. From there you will be able to compare if you have the right mac address.

  • Mac Address restriction

    Hi there,
    I have a express acting as a access point to my network for wireless devices, just wondering if anyone know if it is possible to restrict access via MAC address within the express station? This is a last attempt by me for some security as I can't get encryption to work with all devices. Any help will be good, thanks
    Thanks
    Connor

    You can, however in my opinion it only adds a superficial level of security which can be easily broken.
    Airport Admin Utility -> Configure > Access Control Tab.
    It use to be useful, but MAC address access control is really no longer a real option when it comes to wireless security.
    The problem arises as the MAC addresses are sent unencrypted and therefore can be picked up and read by a determined hacker.
    Not only that with many ethernet devices you can now very easily change the MAC address to a different one, so making it very easy to spoof the Mac address and fool a wireless base station into believing that you are an authenticated client.
    What security are you trying to configure?
    WEP or WPA?
    iFelix

Maybe you are looking for

  • Time machine wont go full time

    I have a lacie 180g external hard drive. When I try to do a time machine backup it stops about one third into the back up. It appears to have backed up in the time machine preferences, but info from the external drive shows that only about 1/3 data h

  • How to solve decimal subtraction error?

    i heard that 2.0 - 1.1 gives 0.8999999999999999, instead of 0.9 how to solve this can anybody give solution with an example that solves this subtraction Thanks in advance

  • If I upgrade to a new device, will I be able to keep my current unlimited data plan?

    I've been eligible for an upgrade since July 2011 but I've been waiting to see what Verizon has that really makes me want to change from my Droid X. But so far, that's been nothing. I would like to know, however, when I do decide to upgrade will I be

  • Copying between PDFs blurs my table

    Hey, I'm pretty new to Illustrator so the problem may be caused by my ignorance, but none the less I need help with it. I have drawn up a table and some text to go with it. Then I wanted to use this table in several PDFs, but when I pasted it in the

  • IChat complains that it cant' get data for 10 seconds

    and drops my video or audio connection. I've been killing myself trying to get screen sharing, video and audio chat to work w/ a friend. ALL of the equipment is Apple. Me: Macbook running latest Leopard <- wired -> Time Capsule <- wired -> Westell DS