LEDE/OpenWRT — Restricting Network Access Based on MAC

Typically you would use your firewall to apply restrictions like this. However, with devices of the type mac80211, you can set MAC-based restrictions directly in your wireless configuration.

It’s worth pointing out that allowing/denying access via MAC address is not a foolproof security method. If someone can learn one of your MAC addresses, they can spoof it and gain access. So while it can be used to boost privacy, relying on this as a security feature on its own is not a good idea.

That being said, this guide will walk you through how to easily restrict access to your wireless network by MAC address.

SSH to your LEDE/OpenWRT device

If you are using Windows, start PuTTY and click Session on the left side, select SSH from the options, and then enter the IP address of your LEDE/OpenWRT box in the Host Name field.

Once you’ve done this just click on Open to start up the SSH connection.

If you are connecting via terminal, then just SSH to your LEDE/OpenWRT device using the following command, where 192.168.1.1 is your LEDE/OpenWRT device’s IP address.

ssh root@192.168.1.1

Configuration

First we need to access the wireless config file to make changes. So run the following command:

vi /etc/config/wireless

Once this is open, you will need to find the network you want to restrict. This is relatively simple: just look for the SSID of your network.

config 'wifi-iface'
	option 'device' 'wl0'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'ssid' 'MacWiFi'
	option 'encryption' 'psk2'
	option 'key' 'ReturnOfTheMac'

Above, we have found the interface for the SSID ‘MacWiFi’. We want to add/edit in the following:

option macfilter 'allow'

In the example above we used allow, but we can use any of these three options:

  • disable — This disables the MAC filter feature
  • allow — This turns the filter into a whitelist, allowing only the MAC addresses in the list
  • deny — This turns the filter into a blacklist, blocking the MAC addresses in the list

Next we want to add the actual MAC list, so add in the following:

list maclist 'XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX'

Add the MAC addresses using the format above, separating them with a space.

Once you have done this, your config should look similar to the following:

config 'wifi-iface'
	option 'device' 'wl0'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'ssid' 'MacWiFi'
	option 'encryption' 'psk2'
	option 'key' 'ReturnOfTheMac'
	option 'macfilter' 'allow'
	list maclist 'XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX'

Once you have made your changes you will need to reboot your device or restart the wireless.

To restart your wireless, run the following:

wifi down
wifi up

Or if you want to reboot the whole device, run this instead:

reboot
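
A typo in an allow list silently locks a device out, so it helps to validate every address before it reaches the config. The script below is an added example, not part of the original post: it checks each MAC, flags locally administered (randomized) addresses, and prints the equivalent uci commands only if every address is valid. The IFACE section name and the function names are assumptions; adjust IFACE to the wifi-iface section that carries your SSID.

```shell
#!/bin/sh
# Added example: validate MACs and generate uci commands for macfilter/maclist.
# Assumption: the target network is the first wifi-iface section.
IFACE='wireless.@wifi-iface[0]'

# Print the MAC in lower case if it is six colon-separated hex octets; fail otherwise.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Succeed for a locally administered unicast address (second hex digit
# 2, 6, a or e). Clients that randomize their MAC use such addresses, so an
# entry like this in an allow list may stop matching when the client rotates it.
is_local_mac() {
    case "$(normalize_mac "$1")" in
        ?[26ae]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_filter <allow|deny|disable> [mac ...]
# Prints uci batch commands. Nothing is printed if the mode or any MAC is
# invalid, so a half-built list is never applied.
build_filter() {
    mode=$1; shift
    case "$mode" in
        allow|deny|disable) ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
    out="set $IFACE.macfilter='$mode'"
    for m in "$@"; do
        n=$(normalize_mac "$m") || { echo "bad MAC: $m" >&2; return 1; }
        is_local_mac "$n" && echo "note: $n is locally administered" >&2
        out="$out
add_list $IFACE.maclist='$n'"
    done
    printf '%s\ncommit wireless\n' "$out"
}

# On the router (add_list appends, so clear an old maclist first if needed):
#   build_filter allow 00:11:22:33:44:55 | uci batch
# then restart the wireless as shown above.
```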

This blog was brought to you by Cucumber WiFi.