
What setting do I need to change?

Hector the Dragon

I recently purchased a new router. I need help setting up a MAC filter. I want to add all of my devices to the white list, but there are a few settings that I am not familiar with.

 

I have attached a screenshot of settings to this post. Please help!

 

Thanks in advance!

 

Screenshot (16).png


2 minutes ago, Hector the Dragon said:

I recently purchased a new router. I need help setting up a MAC filter. I want to add all of my devices to the white list, but there are a few settings that I am not familiar with.

Do you actually want to use a whitelist? At the moment, you've got it configured for a blacklist and as such there is no need to add your devices to it.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


That filter looks like a PITA, and those are completely ineffective against any sort of attacker.

PC : 3600 · Crosshair VI WiFi · 2x16GB RGB 3200 · 1080Ti SC2 · 1TB WD SN750 · EVGA 1600G2 · Define C 


2 hours ago, WereCatf said:

Do you actually want to use a whitelist? At the moment, you've got it configured for a blacklist and as such there is no need to add your devices to it.

How do I configure it to whitelist, then?


1 hour ago, beersykins said:

That filter looks like a PITA, and those are completely ineffective against any sort of attacker.

What do you recommend?


34 minutes ago, Hector the Dragon said:

How do I configure it to whitelist, then?

You set the default policies at the top to deny instead of allow. After that, only the MAC address that you give the "Allow" permission will be able to use the Internet.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


2 hours ago, WereCatf said:

You set the default policies at the top to deny instead of allow. After that, only the MAC address that you give the "Allow" permission will be able to use the Internet.

What about source and destination MAC? What do they mean?

 

Also, what about direction and allow settings under the 'Add Filter' option?


3 hours ago, FrankV said:

I think you should reconsider the overall question. 

 

First, what are you attempting to accomplish? Increased security or basic set up? I think in either of these cases, this question is too narrow in scope. 

Increased security. I only want the devices I add to the white list to be able to connect to my router.


Well, the basics are to set a strong wifi password with the strongest possible encryption that will work. Frankly, I think that is enough.

If you want to do the whitelist thing, I think change outgoing and incoming to Deny and then you'll need to add an outgoing & incoming for each MAC address. It appears you need to list what each device can communicate with.

Frankly, that is a pain in the ass (as has been said before). I really think encryption with a solid key is enough and the most usable. If you insist on more, you might be better off with the access control list (I see a tab).


5 hours ago, Hector the Dragon said:

Increased security. I only want the devices I add to the white list to be able to connect to my router.

If you're trying to harden your network security, MAC address filtering should not be your first line of defense. A strong WiFi password with the best security/encryption (e.g. WPA2-AES) is the first step.

 

Hiding your SSID isn't even that big of a deal as a persistent hacker can identify it. Even MAC addresses can be spoofed to gain access to your network, so MAC address filtering isn't much of a big step in network/WiFi security.

 

In my experience, MAC address filtering can be cumbersome, and you'll only realize it when you're in a jam. For example, say that you place 5 of your network devices on the whitelist (e.g. 2 TVs, 1 smart phone, 1 laptop, 1 tablet), then only those 5 can access the network... and the administration interface of the router! Suppose you don't have your phone, laptop and tablet available to troubleshoot a setting in your router (where you made the whitelist), you're unlikely going to be able to do it through the TVs and you'll have to hope you can find one of your other "whitelisted" devices to gain access. At the rate at which we change devices, you'll eventually run into this problem.
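As an added illustration (not part of any post in this thread, and not the router's own firmware logic): a small model of the filter table discussed above, showing how the default policy turns the same settings into a blacklist or a whitelist, and the lockout case described in the post above. The first-match rule order, the `*` wildcard and all MAC addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard used by this model only, not a setting from the router UI
ROUTER = "02:00:00:00:00:01"  # constructed, locally administered addresses
PHONE, TV, NEW_LAPTOP = "02:00:00:00:00:10", "02:00:00:00:00:11", "02:00:00:00:00:20"

def norm(mac):
    """Normalise a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac if mac == ANY else mac.lower().replace("-", ":")

@dataclass
class Rule:
    src: str
    dst: str
    direction: str  # "outgoing" or "incoming"
    action: str     # "allow" or "deny"

    def matches(self, src, dst, direction):
        return (self.direction == direction
                and norm(self.src) in (ANY, norm(src))
                and norm(self.dst) in (ANY, norm(dst)))

class MacFilter:
    def __init__(self, default_outgoing, default_incoming, rules=()):
        self.defaults = {"outgoing": default_outgoing, "incoming": default_incoming}
        self.rules = list(rules)

    def decide(self, src, dst, direction):
        for rule in self.rules:          # assumed: first matching rule wins
            if rule.matches(src, dst, direction):
                return rule.action
        return self.defaults[direction]  # nothing matched: default policy applies

def whitelist(devices):
    """Default deny both ways, plus one outgoing and one incoming rule per device."""
    rules = []
    for mac in devices:
        rules.append(Rule(mac, ANY, "outgoing", "allow"))
        rules.append(Rule(ANY, mac, "incoming", "allow"))
    return MacFilter("deny", "deny", rules)

blacklist_mode = MacFilter("allow", "allow")  # default allow + empty list blocks nothing
whitelist_mode = whitelist([PHONE, TV])       # only listed devices pass

if __name__ == "__main__":
    for mac in (PHONE, TV, NEW_LAPTOP):
        # NEW_LAPTOP is denied even when it targets the router's admin interface
        print(mac, "-> router:", whitelist_mode.decide(mac, ROUTER, "outgoing"))
```
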


15 hours ago, Falcon1986 said:

If you're trying to harden your network security, MAC address filtering should not be your first line of defense. A strong WiFi password with the best security/encryption (e.g. WPA2-AES) is the first step.

 

Hiding your SSID isn't even that big of a deal as a persistent hacker can identify it. Even MAC addresses can be spoofed to gain access to your network, so MAC address filtering isn't much of a big step in network/WiFi security.

 

In my experience, MAC address filtering can be cumbersome, and you'll only realize it when you're in a jam. For example, say that you place 5 of your network devices on the whitelist (e.g. 2 TVs, 1 smart phone, 1 laptop, 1 tablet), then only those 5 can access the network... and the administration interface of the router! Suppose you don't have your phone, laptop and tablet available to troubleshoot a setting in your router (where you made the whitelist), you're unlikely going to be able to do it through the TVs and you'll have to hope you can find one of your other "whitelisted" devices to gain access. At the rate at which we change devices, you'll eventually run into this problem.

Well... that's a relief. I always thought MAC filter is mandatory. As per security encryption, I do think I set it to 'WPA2-AES'.  And, my password was generated by 'LastPass' so I think it's strong too. 

 

I attached a screenshot. See if there are any other changes I need to make to harden my network security.

 

Screenshot (18).png


You could make it easier by allowing outbound but restricting inbound (assuming 'inbound' is from the perspective of the router).  Add your router's LAN interface to the destination and then add all of your MACs as the sources with the same destination.  It kind of just generates an unnecessary hassle, however.

 

What you have for a PSK sounds decent, just make sure to disable WPS as it has vulnerabilities that can expose your key.

 

That device is pretty old though, if you are concerned about it I'd upgrade to something current as there's vulnerabilities like kr00k that have about a zero percent chance of being patched on your device.

PC : 3600 · Crosshair VI WiFi · 2x16GB RGB 3200 · 1080Ti SC2 · 1TB WD SN750 · EVGA 1600G2 · Define C 


If you're feeling adventurous enough, you can try looking into third party firmware for your router. DD-WRT and OpenWRT should have support.

 

Be careful doing this, though, as a bad flash can permanently brick your router. Also, only install after you've read the documentation and know for sure that your specific make/model/revision of router is supported. While many new features will be "unlocked", some routers just don't have enough flash/RAM/CPU power to keep 3rd-party firmware running stable.

 

However, if what you have seems to be working for you (and it looks fine, BTW), then stick with stock firmware and update as directed by the manufacturer.


5 hours ago, beersykins said:

You could make it easier by allowing outbound but restricting inbound (assuming 'inbound' is from the perspective of the router).  Add your router's LAN interface to the destination and then add all of your MACs as the sources with the same destination.  It kind of just generates an unnecessary hassle, however.

 

What you have for a PSK sounds decent, just make sure to disable WPS as it has vulnerabilities that can expose your key.

 

That device is pretty old though, if you are concerned about it I'd upgrade to something current as there's vulnerabilities like kr00k that have about a zero percent chance of being patched on your device.

I cannot afford a new router, but thanks for the tips.


3 hours ago, Falcon1986 said:

If you're feeling adventurous enough, you can try looking into third party firmware for your router. DD-WRT and OpenWRT should have support.

 

Be careful doing this, though, as a bad flash can permanently brick your router. Also, only install after you've read the documentation and know for sure that your specific make/model/revision of router is supported. While many new features will be "unlocked", some routers just don't have enough flash/RAM/CPU power to keep 3rd-party firmware running stable.

 

However, if what you have seems to be working for you (and it looks fine, BTW), then stick with stock firmware and update as directed by the manufacturer.

Man, that sounds a li'l bit risky to try any of the stuff you just said. So, I'm gonna stick to the stock firmware like you suggested.

 

