Blue access: single MAC address multiple IP addresses?

I have a wifi extender (TP-Link RE220) that reports one and the same source MAC for multiple clients, each with a different IP address… Is there a way to get IPFire’s blue access to play nicely with that situation? As it is, IPFire’s blue access setup refuses to allow more than one IP address for each MAC address.

In IPFire’s blue access setup I can leave the MAC field blank for each of the extender clients to allow communication, but doesn’t that compromise security by turning off MAC filtering?

Look here, you need to configure your repeater.

Q5. I have enabled wireless MAC filter, wireless access control, or access control list (ACL) on my router. What should I do before configuring the extender?

When a device connects through the extender to your router, the MAC address of the device shown on the router is translated to another MAC address. If your router’s MAC filter, wireless access control, or ACL is enabled, the devices connected to the extender cannot get an IP address from the extender and cannot access the Internet.

To solve this problem, please follow the steps below:

1. Log in to your router and disable the MAC filter, wireless access control or ACL.

Note: For more information about how to disable your router’s MAC filter, wireless access control or ACL, please refer to your router’s user guide.

2. Power on your extender, and run the Quick Setup to configure your extender.

3. Connect all of your devices to the extended network.

4. On your router, add all the Online Devices’ MAC addresses to your router’s MAC filter table.

5. Enable the router’s MAC filter, wireless access control, or ACL to complete the configuration.

Hi Shaun,

Thank you for the reply.

For step 3 in the procedure I can successfully connect 2 clients with static IP addresses to the extender (and the internet). The (virtual) MAC address for those 2 clients shows up in the IPFire firewall log. When I try to allow Blue interface access on the IPFire web UI, it refuses because of a duplicate MAC address.

It looks like the extender I have doesn’t supply a distinct MAC address for each distinct client.

Leaving out the MAC address in the Blue access setup allows the clients to access the internet, but then there is no MAC filtering.

I tried allowing access by just entering the MAC address (and no IP addresses), but IPFire didn’t like that. Apparently it’s not filtering on merely the MAC address.

My only thought, short of a different extender, is to update the firmware.

Perhaps a single custom iptables line that would allow frames with a given source MAC address to be passed along, irrespective of the source IP address.

But where to add that line and what would it look like?

Did you input the (virtual) MAC addresses before you enable the MAC filter?

My setup has two MAC filters. One is in the extender that uses the physical MAC addresses of the wireless clients connected through it and the other is the Blue access filter that is part of my IPFire router.

My issues are with the IPFire router. On it, only one of the extender clients at a time can be configured with the one virtual MAC provided by the extender. To set up an additional client on the IPFire web UI Blue access page the MAC address field has to be left blank for that client…

I would disable one of the MAC filters.
Don’t see the advantage of using 2.

Because the repeater knows the real identity of the devices (MAC address), I would disable the MAC filter in IPFire or enable the repeater-generated MAC address only.

If I understand right, all allowed connections are forwarded to IPFire with one MAC address (repeater’s address?).

The extender allows two clients outside the side of the house (a solar power installation) to join the main Blue network access point that is towards the center of the house. The Blue access point services a different set of clients. If either of the MAC filters is disabled it reduces the barriers to wifi intruders. There is a strong password for joining my wifi setup.

Hi Bernhard,

I can enable the repeater generated MAC address, but IPFire requires an IP address (and one only) to enable Blue access, so that only allows one of the two clients to connect. BTW the IP address 0.0.0.0 doesn’t seem to implement “any”.

Yes, you are correct. The repeater forwards all allowed connections to IPFire with one MAC address.

Hi Glenn,

Looking at the wiki, you are right. But I just tried to enter a rule with MAC only.
It is accepted and the iptables rule is inserted in WIRELESSINPUT (the chain for Blue Access).

This means you can define a rule to allow the repeater’s MAC address. The repeater filters devices connecting to it. This rule indirectly gives access to your outdoor devices only.

That is what a router does. NAT.
WAN of router in IPFire Blue with access control.
LAN of router to wifi devices with its own access control.

Thank you Bernhard, that solution does indeed work for me. The corresponding entry given by iptables -L in the WIRELESSINPUT chain is

RETURN all -- anywhere anywhere MAC 26:2f:d0:01:98:48

which shows the desired MAC address and IP addresses that are left open.

I tried this solution a few days ago and rejected it without looking further because of an (apparently inconsequential) artifact: when I leave the IP address field blank when adding an entry for Blue access (https://my_local_ipfire_server_ip_address:444/cgi-bin/wireless.cgi), the entry is accepted, but now displays a source IP address associated with it. The IP is in the DHCP range for the Blue interface, but there is no active connection at that address and it is not the IP address of the repeater or the two clients connected to it.

This artifact is no big deal and I will ignore it.
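
An added example, not part of the thread and not IPFire's own code: a shell helper that reads `iptables -S WIRELESSINPUT` output and labels each allowing entry as MAC+IP, MAC-only or IP-only, so entries like the repeater's MAC-only rule, or an entry with the MAC field left blank, stand out for review. It assumes, as in the entry quoted above, that RETURN marks an allowed Blue client; the sample rules and 192.168.2.x addresses are constructed, and only the chain name, the RETURN target and the repeater MAC come from the thread.

```shell
#!/bin/sh
# Added example: audit Blue access entries in the WIRELESSINPUT chain.
# On the firewall:  iptables -S WIRELESSINPUT | classify_blue_rules

# Prints "<kind> <mac|-> <source-ip|->" for every rule that grants access.
classify_blue_rules() {
    awk '
    $1 == "-A" && $2 == "WIRELESSINPUT" {
        mac = "-"; ip = "-"; target = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "!")                 neg = 1
            else if ($i == "--mac-source") mac = tolower($(i + 1))
            else if ($i == "-s")           ip = $(i + 1)
            else if ($i == "-j")           target = $(i + 1)
        }
        if (target != "RETURN") next      # only entries that let traffic through
        if (neg)                          kind = "negated-review"
        else if (mac != "-" && ip != "-") kind = "mac+ip"
        else if (mac != "-")              kind = "mac-only"   # any source IP behind this MAC
        else if (ip != "-")               kind = "ip-only"    # no MAC filtering for this IP
        else                              kind = "unrestricted"
        print kind, mac, ip
    }'
}

# Entries weaker than a MAC+IP pair, for review.
weak_blue_entries() {
    classify_blue_rules | awk '$1 != "mac+ip"'
}

# Constructed sample in `iptables -S` format; only the repeater MAC is from the thread.
sample_rules() {
    cat <<'EOF'
-N WIRELESSINPUT
-A WIRELESSINPUT -s 192.168.2.20/32 -m mac --mac-source 02:00:00:00:00:01 -j RETURN
-A WIRELESSINPUT -m mac --mac-source 26:2F:D0:01:98:48 -j RETURN
-A WIRELESSINPUT -s 192.168.2.31/32 -j RETURN
-A WIRELESSINPUT -j DROP
EOF
}

sample_rules | classify_blue_rules
```

The MAC-only line is the trade-off the thread settles on: every source IP arriving with the repeater's MAC is allowed, so the repeater's own client filter is what limits access to the two outdoor devices.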