LEDE/OpenWRT — Restricting Network Access Based on MAC

CT WiFi
Jan 18, 2017 · 3 min read

Typically you would use your firewall to apply restrictions like this. However, with devices of the type mac80211, you can set MAC-based restrictions directly in your wireless configuration.

It’s worth pointing out that allowing/denying access via MAC address is not a foolproof security method. If someone learns one of your MAC addresses, they can spoof it and gain access. So while it can be used to boost privacy, relying on this as a security feature on its own is not a good idea.

That being said, this guide will walk you through how to restrict access to your wireless network by MAC address.

SSH to your LEDE/OpenWRT device

If you are using Windows, start PuTTY and click Session on the left side, select SSH from the options, and then enter the IP address of your LEDE/OpenWRT box into the Host Name field.

Once you’ve done this, click Open to start the SSH connection.

If you are connecting via terminal, then just SSH to your LEDE/OpenWRT device using the following command, where 192.168.1.1 is your LEDE/OpenWRT device’s IP address.

ssh root@192.168.1.1

Configuration

First we need to access the wireless config file to make changes. So run the following command:

vi /etc/config/wireless

Once this is open, you will need to find the network you want to restrict. This is relatively simple: just look for the SSID of your network.

config 'wifi-iface'
	option 'device' 'wl0'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'ssid' 'MacWiFi'
	option 'encryption' 'psk2'
	option 'key' 'ReturnOfTheMac'

Above, we have found the interface for the SSID ‘MacWiFi’. We want to add/edit in the following:

option macfilter 'allow'

In the example above we used allow, but we can use any of these three options:

  • disable — This disables the MAC filter feature
  • allow — This turns the filter into a whitelist, allowing only the MAC addresses in the list
  • deny — This turns the filter into a blacklist, blocking the MAC addresses in the list

Next we want to add the actual MAC list, so add in the following:

list maclist 'XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX'

Add the MAC addresses using the format above, separating them with a space.

Once you have done this, your config should look similar to the following:

config 'wifi-iface'
	option 'device' 'wl0'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'ssid' 'MacWiFi'
	option 'encryption' 'psk2'
	option 'key' 'ReturnOfTheMac'
	option 'macfilter' 'allow'
	list maclist 'XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX'

Once you have made your changes you will need to reboot your device or restart the wireless.

To restart your wireless, run the following:

wifi down
wifi up

Or if you want to reboot the whole device, run this instead:

reboot
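
The same macfilter and maclist settings can be applied without editing the file by hand. The following is an added example, not part of the original post: a shell function that checks the mode and every MAC address before printing commands for uci batch, so a typo or an empty allow list is caught before it reaches the config. The section name wireless.@wifi-iface[0] and the sample addresses are assumptions; substitute your own.

```sh
#!/bin/sh
# Added example: emit `uci batch` commands for the macfilter/maclist options.

# Print $1 as a lower-case, colon-separated MAC; fail unless it is six hex octets.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$mac" in *[!0-9a-f:]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# $1 = UCI section of the wifi-iface (operator-supplied, assumed trusted)
# $2 = disable | allow | deny      $3... = MAC addresses
# Prints nothing unless every argument is valid.
macfilter_batch() {
    [ $# -ge 2 ] || { echo "usage: macfilter_batch SECTION MODE [MAC...]" >&2; return 1; }
    section=$1 mode=$2 seen=""
    shift 2
    case "$mode" in
        disable|allow|deny) ;;
        *) echo "invalid macfilter mode: $mode" >&2; return 1 ;;
    esac
    # In allow mode only listed addresses may connect, so an empty list admits no one.
    if [ "$mode" = allow ] && [ $# -eq 0 ]; then
        echo "refusing empty allow list" >&2; return 1
    fi
    out="set $section.macfilter='$mode'
delete $section.maclist"
    for raw in "$@"; do
        m=$(normalize_mac "$raw") || { echo "bad MAC address: $raw" >&2; return 1; }
        case " $seen " in *" $m "*) continue ;; esac   # skip duplicates
        seen="$seen $m"
        out="$out
add_list $section.maclist='$m'"     # one list entry per address
    done
    printf '%s\ncommit wireless\n' "$out"
}

# Constructed sample addresses. On the router, apply the output with uci:
#   cmds=$(macfilter_batch 'wireless.@wifi-iface[0]' allow ...) &&
#       printf '%s\n' "$cmds" | uci -q batch && wifi down && wifi up
macfilter_batch 'wireless.@wifi-iface[0]' allow 02:00:00:00:00:01 02-00-00-00-00-02
```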
