Enabling MAC ID Filtering with "extended/repeated" WiFi network

goodtimesnw (Reputable, Feb 21, 2014)
Our fire dept local has our own private wireless network. We want to enable MAC ID filtering. We know it's not the "best" but it's a good deterrent to keep non-union personnel off the network for security and privacy reasons (and they don't pay for it).

When enabling MAC ID on the primary router, do you have to enable it on the secondary routers as well? Secondary routers have DHCP disabled and act merely as repeaters, so to speak...

Thanks for any info you can provide...

hapkido (Distinguished, Oct 14, 2011)
MAC filtering is trivial to bypass. It's a good deterrent in the same way latching the gate but leaving your front door completely wide open is a good deterrent for restricting access to your house. It only keeps out people who really don't care to get in anyway.

To answer your question, while it's a terrible way to "secure" your network, you should only have to enable it on the router that handles DHCP. I would strongly suggest you enable WPA2 and only hand out the passphrase to authorized personnel.

It depends which filter you are using. There is one that prevents them from connecting, and that one you would have to place in all the devices, but repeaters are a little strange, so some do not support it when running in repeater mode. The other one is firewall-type filters, where you can restrict which sites they can go to. If you put a filter on that one they would likely be able to connect to the network but could not get to the internet. The firewall filters only go in the main router.

goodtimesnw (Reputable, Feb 21, 2014)
Thanks for the replies. I should have mentioned that the network will still be password protected (as it currently is) w/ WPA2. We have had an issue of the key getting out to people outside of the union... as well as members of the public, vendors, etc. requesting a network. It's always been assumed that our network was available to use. The decision has been made by the E-Board that the "anyone" access is to stop... hence the MAC filtering. Unless you can offer any other solutions OTHER than changing the network key on a regular basis?

And RE: the filtering, it's MAC ID filtering, not internet filtering. We don't want anyone connecting successfully via wireless if they're not part of the union... even if they have the correct key (i.e. it was 'given' to someone who shouldn't have it).

So... if I understand you correctly, only the router with DHCP enabled should have the whitelisted MAC IDs entered? Not the secondary, DHCP-disabled routers?

Thanks again!

hapkido (Distinguished, Oct 14, 2011)
As long as everything is set up correctly, yes.

Just be aware, MAC filtering is tedious to maintain and it's not effective anyway. A more secure solution would be to only give the key to a couple trusted individuals, and access requests are granted by them physically typing it into the new machine (i.e. do not freely hand it out to union members).

Also, have you thought about setting up a guest network for non-union members?

goodtimesnw (Reputable, Feb 21, 2014)
We do not want anyone using our internet, so the guest network is out.

Regarding the MAC filtering being "tedious," after entering the IDs into the routers, what else is there to do? We only have 36 or so members and new devices are not a very regular occurrence. They can also be updated remotely.

How is it "not effective" at keeping non-whitelisted devices from connecting?

Your other suggestion of having a few individuals manually entering the password might be a good idea... although those tend to get out as well...

hapkido (Distinguished, Oct 14, 2011)
MAC filtering isn't effective because MACs 1) aren't private, and 2) are easily spoofed. MAC filtering will only stop the laziest users. It was never meant to be a security measure and is therefore a terrible security measure.

It used to actually take some small amount of skill to fake a MAC... well, watch a YouTube video. Now, with some wireless card drivers, you can just set the MAC, just like you do with a wired card. There are also a couple of "range extenders," i.e. repeaters, where you can also key in whatever MAC address you like. So all someone needs to do is find the MAC of a whitelisted device and use it.

There really is no good solution to this without going to a lot of effort. This is why there is enterprise mode on wireless. You would set up a RADIUS/domain server and give everyone their own personal ID and password. The problem is that running enterprise mode breaks most repeaters, because enterprise mode uses 802.1X and you are not allowed to repeat the control messages it uses.
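An added example, not from the thread, illustrating the two points the last replies make (MACs are visible to anyone in range, and trivial to spoof): a small Python model of the cleartext 802.11 data-frame header, a passive observer that harvests client addresses, and the router's whitelist check, which only ever sees the transmitter address the client chose to put in the frame. All MAC addresses and frames are constructed; the frame builder and filter are simplified (infrastructure-mode data frames only, no 4-address/WDS frames, no management frames).

```python
"""Added example (not from the thread): why a MAC whitelist is bypassable.

Constructed 802.11 data frames stand in for a real capture.  The 24-byte
802.11 MAC header (frame control, duration, three addresses, sequence
control) is never encrypted, even on a WPA2 network; only the payload is.
So a passive observer learns every whitelisted address, and the router's
filter only ever sees the transmitter address the client chose to send.
All MAC addresses below are made up.
"""
import struct

FC_TYPE_DATA = 2                                # 802.11 frame type "data"
BSSID = bytes.fromhex("001122aabbcc")           # the union's access point (constructed)
GATEWAY_MAC = bytes.fromhex("001122aabbcd")     # wired-side gateway (constructed)
MEMBER_MAC = bytes.fromhex("a4c3f0112233")      # whitelisted member laptop (constructed)
OUTSIDER_MAC = bytes.fromhex("deadbeef0001")    # non-member's real card (constructed)


def build_data_frame(direction, station, bssid, peer, seq=0, payload=b"\x00" * 16):
    """Build a minimal infrastructure-mode data frame with an opaque payload.

    direction "to_ap":   ToDS=1   -> Addr1=BSSID, Addr2=station (SA), Addr3=DA
    direction "from_ap": FromDS=1 -> Addr1=station (DA), Addr2=BSSID, Addr3=SA
    """
    fc0 = FC_TYPE_DATA << 2                     # protocol version 0, type data, subtype 0
    if direction == "to_ap":
        fc1, a1, a2, a3 = 0x01, bssid, station, peer
    elif direction == "from_ap":
        fc1, a1, a2, a3 = 0x02, station, bssid, peer
    else:
        raise ValueError(f"unknown direction {direction!r}")
    seq_ctrl = (seq & 0xFFF) << 4               # fragment number 0
    return struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + struct.pack("<H", seq_ctrl) + payload


def parse_header(frame):
    """Decode the cleartext 802.11 MAC header fields this example needs."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    return {
        "type": (fc0 >> 2) & 0x3,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "addr1": frame[4:10],
        "addr2": frame[10:16],
        "addr3": frame[16:22],
    }


def station_address(hdr):
    """Return the client's MAC for an infrastructure data frame, else None."""
    if hdr["type"] != FC_TYPE_DATA:
        return None
    if hdr["to_ds"] and not hdr["from_ds"]:
        return hdr["addr2"]                     # client -> AP: transmitter is the client
    if hdr["from_ds"] and not hdr["to_ds"]:
        return hdr["addr1"]                     # AP -> client: receiver is the client
    return None                                 # ad-hoc / 4-address frames ignored


def learn_stations(frames, bssid):
    """Passive observer: every client MAC seen exchanging data with `bssid`."""
    seen = set()
    for frame in frames:
        hdr = parse_header(frame)
        if bssid in (hdr["addr1"], hdr["addr2"]):
            mac = station_address(hdr)
            if mac is not None:
                seen.add(mac)
    return seen


def mac_filter_accepts(whitelist, frame):
    """The router's "MAC filtering": is the self-reported transmitter on the list?"""
    hdr = parse_header(frame)
    return hdr["to_ds"] and hdr["addr2"] in whitelist


def spoof_transmitter(frame, new_mac):
    """Rewrite Addr2 in the cleartext header; same effect as changing the card's
    address (e.g. `ip link set dev wlan0 address <mac>` on Linux) before joining."""
    return frame[:10] + new_mac + frame[16:]


def mac_to_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def demo():
    whitelist = {MEMBER_MAC}
    # Frames a member's laptop and the AP exchange, as anyone in range sees them.
    on_air = [
        build_data_frame("to_ap", MEMBER_MAC, BSSID, GATEWAY_MAC, seq=1),
        build_data_frame("from_ap", MEMBER_MAC, BSSID, GATEWAY_MAC, seq=2),
    ]
    learned = learn_stations(on_air, BSSID)
    honest = build_data_frame("to_ap", OUTSIDER_MAC, BSSID, GATEWAY_MAC, seq=3)
    spoofed = spoof_transmitter(honest, sorted(learned)[0])
    return {
        "learned": {mac_to_str(m) for m in learned},
        "outsider_accepted": mac_filter_accepts(whitelist, honest),
        "spoofed_accepted": mac_filter_accepts(whitelist, spoofed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter never has anything to check except the address the client wrote into its own frames, so once an outsider holds both the leaked WPA2 key and any address from the whitelist, the router cannot tell them apart from the member. The one practical wrinkle is that an access point keeps a single association per MAC, so a spoofer would use the borrowed address while the real device is off the network.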