Securifi Community Forum
Securifi Products => Almond and Almond A1A => Topic started by: Appendices on October 14, 2013, 02:33:15 pm
-
I want the router to only accept MACs that I have pre-approved for use. I turned on mac filtering through my web browser, with the default drop setting. When I try to add a MAC address to be accepted by the filter, it adds the rule, but that device still can't connect.
-
Thank you for bringing this to our attention. I am doing some testing with the WebUI and the effects of setting changes thereof.
(http://i43.tinypic.com/263ep1s.png)
When I check the effects of these rules, they seem to be in place, but like you, I've noted they aren't effectual. I noted the following:
~ # iptables -L -v
Chain INPUT (policy ACCEPT 35811 packets, 4055K bytes)
pkts bytes target prot opt in out source destination
35811 4055K malicious_input_filter all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
66477 16M web_filter all -- any any anywhere anywhere
66477 16M macipport_filter all -- any any anywhere anywhere
0 0 malicious_filter all -- any any anywhere anywhere
0 0 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 17906 packets, 4104K bytes)
pkts bytes target prot opt in out source destination
Chain macipport_filter (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere MAC 00:15:58:C9:3F:9D tcp dpt:80
0 0 DROP tcp -- any any anywhere anywhere MAC 20:10:7A:DB:BE:96 tcp dpt:80
68 15802 DROP tcp -- any any anywhere anywhere MAC 00:1B:77:95:67:66 tcp dpt:80
178 26729 ACCEPT all -- any any anywhere anywhere
Chain malicious_filter (1 references)
pkts bytes target prot opt in out source destination
0 0 synflood_filter tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
Chain malicious_input_filter (1 references)
pkts bytes target prot opt in out source destination
450 27000 synflood_input_filter tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
Chain synflood_filter (1 references)
pkts bytes target prot opt in out source destination
Chain synflood_input_filter (1 references)
pkts bytes target prot opt in out source destination
Chain web_filter (1 references)
pkts bytes target prot opt in out source destination
~ #
~ # iptables -L -v
Chain INPUT (policy ACCEPT 36259 packets, 4114K bytes)
pkts bytes target prot opt in out source destination
36259 4114K malicious_input_filter all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
66681 16M web_filter all -- any any anywhere anywhere
66681 16M macipport_filter all -- any any anywhere anywhere
0 0 malicious_filter all -- any any anywhere anywhere
0 0 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 18321 packets, 4134K bytes)
pkts bytes target prot opt in out source destination
Chain macipport_filter (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere MAC 00:15:58:C9:3F:9D tcp dpt:80
0 0 DROP tcp -- any any anywhere anywhere MAC 20:10:7A:DB:BE:96 tcp dpt:80
136 19866 DROP tcp -- any any anywhere anywhere MAC 00:1B:77:95:67:66 tcp dpt:80
314 60588 ACCEPT all -- any any anywhere anywhere
Chain malicious_filter (1 references)
pkts bytes target prot opt in out source destination
0 0 synflood_filter tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
Chain malicious_input_filter (1 references)
pkts bytes target prot opt in out source destination
512 30720 synflood_input_filter tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
Chain synflood_filter (1 references)
pkts bytes target prot opt in out source destination
Chain synflood_input_filter (1 references)
pkts bytes target prot opt in out source destination
Chain web_filter (1 references)
pkts bytes target prot opt in out source destination
~ #
I will keep investigating, and reply further within this message thread when I have figured out what the problem is. The "iptables" output presented above suggests that the rules are being put in place properly, so I'll need to trace the chains to find the problem. Stay tuned.....
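Added example (not from the original thread or from Securifi): a Python check over the macipport_filter chain as it appears in the first listing quoted above, reporting why that chain does not behave as a MAC allowlist. The function names `parse_chains` and `audit_allowlist` and the `FIXED` sample are constructed for illustration.

```python
import re

# OBSERVED: macipport_filter as quoted in the first `iptables -L -v` listing above.
# FIXED: a constructed allowlist-shaped chain (made-up MAC) for contrast.
OBSERVED = """\
Chain macipport_filter (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere MAC 00:15:58:C9:3F:9D tcp dpt:80
0 0 DROP tcp -- any any anywhere anywhere MAC 20:10:7A:DB:BE:96 tcp dpt:80
68 15802 DROP tcp -- any any anywhere anywhere MAC 00:1B:77:95:67:66 tcp dpt:80
178 26729 ACCEPT all -- any any anywhere anywhere
"""
FIXED = """\
Chain macipport_filter (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere MAC 02:00:00:00:00:01
0 0 DROP all -- any any anywhere anywhere
"""
MAC_RE = re.compile(r"\bMAC\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def parse_chains(text):
    """Map chain name -> {'policy', 'rules'} from `iptables -L -v` text."""
    chains, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line.strip())
        if head:
            cur = chains.setdefault(head.group(1), {"policy": head.group(2), "rules": []})
            continue
        f = line.split()
        if cur is None or len(f) < 9 or not f[0][0].isdigit():
            continue  # column header, shell prompt or blank line
        mac = MAC_RE.search(line)
        cur["rules"].append({"target": f[2], "prot": f[3], "match": " ".join(f[9:]),
                             "mac": mac.group(1).upper() if mac else None})
    return chains

def audit_allowlist(chains, chain="macipport_filter"):
    """Return reasons the chain is not a default-deny MAC allowlist ([] if it is)."""
    rules, findings = chains[chain]["rules"], []
    if not any(r["mac"] and r["target"] == "ACCEPT" for r in rules):
        findings.append("no ACCEPT rule is tied to a MAC address")
    for r in rules:
        scope = MAC_RE.sub("", r["match"]).strip()  # what remains besides the MAC match
        if r["mac"] and r["target"] == "DROP" and scope:
            findings.append(f"{r['mac']}: DROP covers only {scope}")
    last = rules[-1] if rules else None
    if not (last and last["target"] == "DROP" and not last["match"]):
        findings.append("chain does not end in an unconditional DROP")
    return findings
```

Rules reached from the FORWARD chain apply only to traffic the router forwards; they do not decide which devices may associate with the Wi-Fi network.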
-
Thanks. I'll make sure to check in. I'm at a college, and they have serious rules about having your own router. I need to make sure it only accepts my trusted devices.
-
Our software team are working on this. For now please simply access the "Access Policy" screen on the Almond at: http://10.10.10.254/wireless/security.asp
(adjust if your Almond is not at default address 10.10.10.254)
(http://i42.tinypic.com/2o8d2.png)
Policy:
Allow: will only allow those clients which are added to the list.
I hope this updated information helps you comply with the requirements of your college.
-
It still allows devices besides the one on the list.
-
I managed to get it working here:
(http://i43.tinypic.com/j63jpu.jpg)
Ensure you are providing the "Wireless" MAC address of your Laptop/Tablet/Smartphone.
It doesn't become "Active" until you click "Apply".
Reload: http://10.10.10.254/wireless/security.asp to ensure the entry was accepted.
-
It did finally work the next day. It disallows any MACs that aren't on the list. Thanks for your help.