MAC Filtering for Wired Devices


sleepytime

Addicted to LI
Member
Hi all,

From what I understand, Tomato (Shibby) supports MAC Filtering, but only on the wireless devices, not on the wired devices. Is there a way to accomplish that through iptables or are there some other ways?

What I am trying to do is to have a list of certified home devices that are able to use the network. Other devices that are not on the certified list will not be able to do anything on the network. To do that, I have built an exception list with iptables where all the certified devices (MY-HOME-DEVICE-X) will have access on the wired network, and others will not be able to transfer anything:

iptables -t nat -A PREROUTING -i br0 -m mac --mac-source MY-HOME-DEVICE-1 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -m mac --mac-source MY-HOME-DEVICE-2 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -j DROP

With the iptables setup like above, MY-HOME-DEVICE-1 & 2 are working, but it's cutting off all other devices on both Wired and Wireless. Is that because both Wired and Wireless are bound to br0? If so, what interface should I pass in to the command just for the Wired connections?

Thanks very much.
 
LAN and WLAN are part of the same VLAN. They're a bridged network. You would have to make LAN & WLAN separate networks to be able to treat them separately. Each would have its own IP subnet different from the other. I believe the MAC filtering option in Tomato is implemented through the closed-source WiFi driver, though someone more familiar with the source would know for sure. This is why it only applies to WiFi clients, despite the LAN & WLAN being on the same VLAN.

MAC filtering really isn't worth this kind of trouble though. If you want security use 802.1x ("WPA2 Enterprise" for WiFi), MAC filtering won't stop anyone. Your MAC is broadcast in the clear and can be picked up whether wired or wireless. I don't need an IP to pick it up over wired or wireless connections, I just need a card in promiscuous mode capturing everything being sent its way.
 
What I am trying to do is to have a list of certified home devices that are able to use the network. Other devices that are not on the certified list will not be able to do anything on the network. To do that, I have built an exception list with iptables where all the certified devices (MY-HOME-DEVICE-X) will have access on the wired network, and others will not be able to transfer anything:

As @Monk E. Boy states, MAC filtering is pretty poor as a real security measure. Sort of like locking your front door, it will keep someone from wandering in, but anyone that wants in won't be stopped.

Also realize there is nothing practical you can do on the router to stop someone from plugging in and accessing the entire LAN/VLAN that segment of Ethernet cable is connected to (including devices connected to other router switch ports). The most you can do is stop their traffic from routing WAN<->LAN or LAN<->VLAN.
 
It might be possible to do this with ebtables; however, ebtables in Tomato is known to generate kernel panics and is not practical / very difficult if you have a switch or something.

What are you trying to avoid? Someone not authorized to plug in a laptop in a port and get access to your network?
 
The only way that I have found to limit unauthorized devices is to assign a static IP to every possible allowed device, turn off DHCP, and then limit your IP range to the EXACT number of possible devices on your network.

Basically you have to define the max number of devices, assign them an IP and ARP bind the MAC address to that IP address. If there is nothing else available to use, then they cannot connect to or use the network at all.

If you leave an open unassigned IP address you can create a static IP to connect to the network. Yes, someone can still spoof a MAC address and assign a static IP to a predefined address, but if someone has that level of access to know all the variables then you have bigger security issues.
 
It might be possible to do this with ebtables; however, ebtables in Tomato is known to generate kernel panics and is not practical / very difficult if you have a switch or something.
If ebtables doesn't panic immediately, it seems to be OK. Not sure what the panic recipe is, but it is finicky, and that is why I wouldn't consider it practical at this point.

With ebtables you could stop LAN<->WLAN traffic or LAN<->WAN traffic. Ebtables does nothing for managing traffic across the router switch ports unless you split each port off into its own interface, then add all ports back into the same bridge. Doable with a few lines of script, but then the kernel becomes a bottleneck for all LAN<->LAN traffic, again not practical IMO. And as you say, if there is another switch involved it is even less effective.
 
As @Monk E. Boy states, MAC filtering is pretty poor as a real security measure. Sort of like locking your front door, it will keep someone from wandering in, but anyone that wants in won't be stopped.
I'd say it's more like closing your door but not locking it. They can wander up to your door but all they need to do is turn the doorknob to get in. It's that trivial to defeat. 802.1x is secure but it's more complicated to implement. On the other hand I haven't seen a client in damn near 10 years that didn't have 802.1x support, so it's at least possible to implement now. Back in the old days you had to get specific network cards and similarly crazy stuff, then do all the other work you still have to do today.
 
Thanks everyone for your help. Yeah, I am just trying to avoid visiting guests plugging their laptop into an ethernet jack. While I can't stop them 100% (if they are able to spoof their MAC), I think using a MAC filter is a good enough solution within a home environment.

To accomplish this, I ended up creating another bridge that connects to a list of ethernet jacks around the house that the guests can potentially get to. Using a MAC filter, I am able to allow only the certified devices to access the network. The guest will now need to use the guest WiFi network to access the internet.
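The approach the thread ends on (a separate bridge for the guest-reachable jacks, with an iptables MAC whitelist on that bridge only) as an added example script; it is not from the original poster or from Tomato. It assumes the guest jacks have been put on a bridge named br1 (br0 stays the trusted LAN/WLAN bridge), uses constructed MAC addresses, and puts the rules in the filter table's INPUT/FORWARD chains rather than nat PREROUTING, because the nat table only sees the first packet of a connection.

```shell
#!/bin/sh
# Added example (not the thread's own code). Generates iptables rules that let
# only whitelisted MAC addresses send traffic from the guest-jack bridge to the
# router or through it. Assumption: the guest jacks are already on bridge br1.
# Caveat from the thread: this only governs traffic that reaches the router's
# kernel; two devices on the same switch segment can still talk to each other,
# and a spoofed MAC still gets through. It keeps casual plug-ins off, no more.

GUEST_IF="br1"                                        # assumed guest bridge
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"    # constructed sample MACs

# Return 0 when the argument looks like a colon-separated MAC address.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the iptables commands for one bridge interface and a MAC list.
# Usage: gen_mac_whitelist_rules IFACE "MAC1 MAC2 ..."
gen_mac_whitelist_rules() {
    iface="$1"
    macs="$2"
    chain="MACWL_${iface}"
    # Dedicated chain so the whitelist can be flushed and reloaded cleanly.
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    for mac in $macs; do
        if ! is_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        # Whitelisted source MAC: leave the chain and continue normal processing.
        printf 'iptables -A %s -m mac --mac-source %s -j RETURN\n' "$chain" "$mac"
    done
    # Everything else coming in on this bridge is dropped.
    printf 'iptables -A %s -j DROP\n' "$chain"
    # Hook the chain for traffic addressed to the router and traffic routed through it.
    printf 'iptables -I INPUT -i %s -j %s\n' "$iface" "$chain"
    printf 'iptables -I FORWARD -i %s -j %s\n' "$iface" "$chain"
}

# Count the allow rules in a generated rule set (sanity check before applying).
count_allow_rules() {
    gen_mac_whitelist_rules "$1" "$2" | grep -c -- '--mac-source'
}

# On the router, apply with:  gen_mac_whitelist_rules "$GUEST_IF" "$ALLOWED_MACS" | sh
gen_mac_whitelist_rules "$GUEST_IF" "$ALLOWED_MACS"
```

Put the script in Tomato's firewall script slot so the rules survive a reboot, and keep the trusted br0 out of it.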
 