MAC Address Filtering

Discussion in 'General Discussion' started by Volantis, Sep 11, 2006.

  1. Volantis

    Volantis LI Guru Member

    I am the (reluctant) network administrator in our co-op. We have about 50 residents with, on average, 2 computers per household. In order to monitor the network, restrict access, and identify abusers and bandwidth hogs, we have considered requiring our users to provide their MAC addresses and we'll only grant access to the network to a registered MAC address.

    We've just bought a WRT54GL figuring that one of the firmware developers would have a version that would allow us to maintain a MAC address list of 50-100 addresses.

    The stock GL with its most recent firmware upgrade seems to only allow about 12 MAC addresses to be stored.

    1) Can anyone point me in the direction of a firmware that might do the job for me?
    2) Is there some other way that I might do this type of administration within the router?
    3) have we made a poor choice in routers, and perhaps there is anther router that would be better suited for the job.

    Note: it would be nice to one-day use some of the SNMP and other reporting tools offered by some of the 3rd party developers in order to better monitor and report on up-time and usage.

    Note: we are not using the wireless side of the GL. We are just using it as a 4-port wired router at this point in time.

  2. nikqu

    nikqu Guest check them out. there firmware will do it.. in fact im doing it now in a coop in east lansing mi with that firmware (though so far only a handfull of users). It supports 128 though.
  3. turbo53

    turbo53 Network Guru Member

    I don't use DD-WRT mentioned in the previous response, but your comment about only using it as a wired router concerns me (I assume you have switches connected to the ports.)

    In the stock Linksys firmware (and in HyperWrt, which I use) the MAC filtering is only for wireless connections. The router assumes that anything that is directly connected to the ethernet ports is OK.

    One way to restrict access, with either DD-WRT or HyperWrt, would be to assign each MAC a static DHCP address and prohibit assignment of dynamic DHCP address. You could limit the number of dynamic DHCP addresses to 1, for example, and assign it to a known device.
  4. Volantis

    Volantis LI Guru Member

    Thank you for the prompt response. It is very interesting to know that the the MAC address filtering does not apply to the wired side of the router. Drat. We actually have a wireless network running downstream, from the router but it uses 6 InterEpoch dual-radio units and is hardwired to the router.

    If anyone else has a suggestion, I'll continue to check back, but it doesn't look as if the WRT54 was the right choice.

  5. Guyfromhe

    Guyfromhe Network Guru Member

    It's very hard to secure a wired network that the end user has physical access to in general, and it's nearly impossible to do it without throwing a pile of hardware at it...
    Good news is the Access Restrictions Section allows you to enter up to 8 MACs which are allowed access to the LAN (and that applies to wireless and wired) but the bad news is since you need more than 8 allowed PCs it will require some command line jiggery-pokery to make it work.

    I'm not 100% sure what you need to do at the command line to add more than the allowed 8 entries, but i'm sure I can find out in the next day or two (need to find enough time to poke around).
    Keep in mind, a MAC address really isn't all that secure, and their not hard to fish out and change if you know what your looking for.
  6. Volantis

    Volantis LI Guru Member

    hmmm... seems to be confilicting info about whether the MAC address filtering applies to both the wired and the wireless side of the router, or whether it only applies to the wireless side.

    As far as the stock Linksys firmware goes. Its installed and I'll just test it.

    Anyone have a second opinion on the DD-WRT code. Does its MAC filtering apply to the wired side of the router (see my original post for more info on what I am trying to do)?

    We are not looking for a bomb-proof solution. Just a solution that encourages our users (mostly unsophisticated) to register there computers with us. We are running WEP on our wireless and I can always crop MAC addresses from the net if someone is really offending us. (and we're a co-op community, so... we aren't supposed to be maliciously affecting our neighbours).

  7. Guyfromhe

    Guyfromhe Network Guru Member

    The mac filtering under the wireless section does NOT apply to the wired LAN, however the access restrictions section (where you can set times of day and filter urls) does apply to both the WLAN and the LAN.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice