1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

MAC Filtering for Wired Devices

Discussion in 'Tomato Firmware' started by sleepytime, Nov 14, 2017.

  1. sleepytime

    sleepytime Serious Server Member

    Hi all,

    From what I understand, Tomato (Shibby) supports MAC Filtering, but only on the wireless devices, not on the wired devices. Is there a way to accomplish that through iptables or are there some other ways?

    What I am trying to do is to have a list of certified home devices that are able to use the network. Other devices that are not on the certified list will not be able to do anything on the network. To do that, I have built an exception list with iptables where all the certified devices (MY-HOME-DEVICE-X) will have access on the wired network, and others will not be able to transfer anything:

    iptables -t nat -A PREROUTING -i br0 -m mac --mac-source MY-HOME-DEVICE-1 -j ACCEPT
    iptables -t nat -A PREROUTING -i br0 -m mac --mac-source MY-HOME-DEVICE-2 -j ACCEPT
    iptables -t nat -A PREROUTING -i br0 -j DROP

    With the iptables setup like above, MY-HOME-DEVICE-1 & 2 are working, but it's cutting off all other devices on both Wired and Wireless. Is that because both Wired and Wireless are bound to br0? If so, what interface should I pass in to the command just for the Wired connections?

    Thanks very much.
     
  2. Elfew

    Elfew Network Guru Member

    Good question :)
     
  3. sleepytime

    sleepytime Serious Server Member

  4. Monk E. Boy

    Monk E. Boy Network Guru Member

    LAN and WLAN are part of the same VLAN. They're a bridged network. You would have to make LAN & WLAN separate networks to be able to treat them separately. Each would have its own IP subnet different from the other. I believe the MAC filtering option in Tomato is implemented through the closed-source WiFi driver, though someone more familiar with the source would know for sure. This is why it only applies to WiFi clients, despite the LAN & WLAN being on the same VLAN.

    MAC filtering really isn't worth this kind of trouble though. If you want security use 802.1x ("WPA2 Enterprise" for WiFi), MAC filtering won't stop anyone. Your MAC is broadcast in the clear and can be picked up whether wired or wireless. I don't need an IP to pick it up over wired or wireless connections, I just need a card in promiscuous mode capturing everything being sent its way.
     
    jerrm likes this.
  5. jerrm

    jerrm Network Guru Member

    As @Monk E. Boy states, MAC filtering is pretty poor as a real security measure. Sort of like locking your front door, it will keep someone from wandering in, but anyone that wants in won't be stopped.

    Also realize there is nothing practical you can do on the router to stop someone from plugging in and accessing the entire LAN/VLAN that segment of Ethernet cable is connected to(including devices connected to other router switch ports). The most you can do is stop their traffic from routing WAN<->LAN or LAN<->VLAN.
     
  6. ruggerof

    ruggerof LI Guru Member

    It might be possible to be done with ebtables, however ebtables in Tomato is known to generate kernel panics and is not practical / very difficult if you have a switch or something.

    What are you trying to avoid? Someone not authorized to plug in a laptop in a port and get access to your network?
     
  7. Mercjoe

    Mercjoe Network Guru Member

    The only way that I have found to limit unauthorized devices is to assign a static IP to every possible allowed device, turn off DHCP, and then limit your IP range to the EXACT number of possible devices on your network.

    Basically you have to define the max number of devices, assign them an IP and ARP bind the MAC address to that IP address. If the is nothing else available to use, then they can not connect to or use the network as all.

    If you leave an open unassigned IP address you can create a static IP to connect to the network. Yes, someone can still spoof a MAC address and assign a static IP to a predefined address, but if someone has that level of access to know all the variables then you have bigger security issues.
     
  8. jerrm

    jerrm Network Guru Member

    if ebtables doesn't panic immediately, it seems to be OK. Not sure what the panic recipe is, but it is finicky and why I wouldn't consider it practical at this point.

    With ebtables you could stop LAN<->WLAN traffic or LAN<->WAN traffic. Ebtables does nothing for managing traffic across the router switch ports unless you split each port off into it's own interface, then add all ports back into the same bridge. Doable with a few lines of script, but then the kernel becomes a bottleneck for all LAN<->LAN traffic, again not practical IMO. And as you say, if there is another switch involved it is even less effective.
     
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    I'd say its more like closing your door but not locking it. They can wander up to your door but all they need to do is turn the doorknob to get in. It's that trivial to defeat. 802.1x is secure but it's more complicated to implement. On the other hand I haven't seen a client in damn near 10 years that didn't have 802.1x support, so it's at least possible to implement now. Back in the old days you had to get specific network cards and similarly crazy stuff, then do all the other work you still have to do today.
     
  10. sleepytime

    sleepytime Serious Server Member

    Thanks everyone for your help. Yeah, I am just trying to avoid visiting guests plugging their laptop into an ethernet jack. While I can't stop them 100% (if they are able to spoof their MAC), I think using a MAC filter is a good enough solution within a home environment.

    To accomplish this, I ended up creating another bridge that connects to a list of ethernet jacks around the house that the guests can potentially get to. Using a MAC filter, I am able to allow only the certified devices to access the network. The guest will now need to use the guest WiFi network to access the internet.
     

Share This Page