I set up my first wireless a day ago, a D-Link DI-514. I enabled WEP & MAC filtering. Everything works great.
Today I was rereading the documentation about MAC filtering and it clearly states that its purpose is to prevent users on the LAN from accessing the WAN. Well, this sounded to me like it has no effect on a user gaining wireless access to my LAN. My understanding is that a wireless connection comes straight into the LAN. To test if I was reading the docs right, I changed the MAC address filter for my X50v so that it had an incorrect address. I was still able to get on the network.
Am I interpreting the docs correctly? From what I read, MAC filtering does nothing to secure a wireless connection so that users have access to your LAN. It only stops them from getting Internet access.
It is certainly weak. I didn't know the X50v allowed you to change the MAC address, but assuming that it did and everything is correct then perhaps it's specific to that router?
From memory, with an unlisted MAC address, my Linksys router would allow me to obtain an IP address from the router through DHCP (so packets to and from the router were permitted) but I seem to recall I could not communicate with other WAN or LAN devices.
I'll give it a shot on my DI 624 a little later today and let you know.
Obviously if the X50v does allow you to change the MAC with ease (I'd use a sniffer to verify, or check the router's MAC cache) then it makes the process to bypass MAC Filtering go from VERY easy to EXTREMELY easy :) With WEP you still have security.
__________________
Always read stuff that will make you look good if you die in the middle of it.
I didn't know the X50v allowed you to change the MAC address
I should have clarified that I changed the MAC address for my X50v in the router's filters, not the X50v. My error.
The point I am seeking clarification on is MAC filtering does nothing to keep intruders from getting on your LAN via the wireless access from what I can determine from the docs for the DI-514. I get the impression from the posts I read on this site that MAC filtering DOES prevent unauthorized wireless LAN access. Maybe other routers have the ability to filter inbound MAC addresses to prevent wireless LAN access?
I've got a Linksys WRT54G. When I changed the MAC of a laptop (within the MAC filter list) to an invalid MAC, it no longer had access to anything on the LAN. The router would not assign an IP, it couldn't see the printer server, nothing.
Then I tried editing my Axim's MAC (again, the listing in the MAC filter, not the actual MAC on the device). I don't broadcast SSID, and the Axim didn't even see the network, not even in Mini-stumbler (the laptop did). It never got an IP address, etc.
On the router setup page that leads to the MAC filter list, it has radio buttons to activate MAC filtering or not. The one to activate it says:
"Permit only PCs listed to access the wireless network" The help file says this setting is "to allow specific wireless-equipped PCs to communicate with the Router."
Based on that and the simple tests I ran, the Linksys keeps non-listed devices out of the entire network, LAN and WAN, by completely disabling communication with the router.
If you haven't already.. We spilled over to there a little :)
You already know the answer by now. Without belabouring the issue, I will just say that I feel that MAC filtering isn't much better at providing additional security than those little chains with 1/2" screws that people are so fond of securing their front doors with.
Don't make the mistake of confusing the terms. In the case of your wireless router think of your antennas as just another RJ45 port. For example, I have the Linksys Wireless G router. Four RJ45 ports, twin antennas, and another RJ45 for the WAN. Now, the RJ45 that connects you to your WAN may be going to a cable modem, another hardware router or, in my case an EZBridge 200mw bridge that talks to my 24db high-speed WiFi connection to my ISP. When I stick my WiFi card in my X5 and connect to my network (via, of course, the antennas on the Linksys router) I'm on my LAN---not the WAN. The router then passes my traffic to the WAN port if I'm surfing the Internet and on up to my EZBridge which in turn pumps it out my 24db high-gain parabolic antenna. The MAC filter controls people accessing your LAN via the antennas.
So, contrary to your assumption, the MAC filtering prevents access to your LAN. It does nothing to prevent LAN access to the WAN. Once they are in your LAN, barring any other measures, they can surf the internet. And, yes, MAC addresses can be spoofed, just as can IP addresses, etc. Anyone with skilz and enough intent can circumvent your protection. The purpose behind setting MAC filtering, IP triggering, WEP, etc. is to make your network a much less attractive target. If they can just waltz right in, then of course they're going to do it. A locked car is much less likely to be stolen than one left unlocked. An unlocked car with the windows rolled down is much more likely to be stolen than one simply left unlocked. And, naturally, an unlocked car with windows down and keys in the ignition is the most likely to be stolen. Just because a security measure CAN be circumvented is not much of a reason not to use it at all. :approve:
The MAC filter controls people accessing your LAN via the antennas.
That is what makes sense and is also what led me to make the wrong conclusions in the first place. The MAC filters only prevented access to the other PC's on the LAN, but did not stop me from accessing a different router that has WAN access. I will try to explain:
I added a D-Link DI-514 to an existing wired network consisting of a Linksys cable modem plugged into a Linksys router/firewall. There is also a hub attached to the LAN. I added the DI-514 wireless router to the network by connecting a cable from the hub to one of the D-Link's four LAN ports. The DI-514 does not have a cable plugged into its one WAN port.
That's the setup. My understanding is (and please correct me if I am wrong) that I am using the DI-514 as a switch, not a router. No traffic goes through the D-Link's firewall because wireless access comes in through the LAN side of the firewall. I believe this is one of the points you make above.
Here is what I found: With a MAC filter that correctly identified my Axim's MAC address, I could access all the PC's on our network via the wireless access point and have Internet access via the Linksys router, too. BUT (and here is the shocker), if I changed the MAC filter on the DI-514 so that it INCORRECTLY identified the Axim (I changed the last two digits from 5D to 5C), I was still able to get by the MAC filters onto the DI-514 LAN side, through the hub and on the Linksys router LAN side and from there out through the LAN port to the Internet. The MAC filter did stop me from seeing the other PC's.
A bit more information that explains why I came to a partially incorrect conclusion at first: I had just received my new Axim and was getting the wireless access working as a first step. I had not yet learned how to 'see' the other PC's on our network. I based my conclusions solely on what I was seeing with the MAC filters and my ability to have Internet access regardless of correct or incorrect MAC filters. It was only after I learned how to use File Explorer to access the hard drives on the networked PC's that I then retested the effectiveness of correct and incorrect MAC filters. When I discovered my error I posted a message letting others know that I was partially wrong, and partially right.
There is likely someone with greater networking knowledge than I have who can explain why a MAC filter that should keep me out of my network completely, is letting me still have access to the Internet via the Linksys router.
Howard2k
I didn't know the X50v allowed you to change the MAC address
Originally Posted by VegasGuy
I should have clarified that I changed the MAC address for my X50v in the router's filters, not the X50v.
I am familiar with spoofing the MAC for a desktop / laptop, but thus far have been unsuccessful changing it on my Axim. Has anyone succeeded changing the MAC of their handheld?
It might be some kind of arp cache thingy (the router "remembered" the previously accepted MAC even though you changed it in the router).
Does it work if you restart the router after the change?
Yeah, I'd also like to be able to spoof my MAC.
It doesn't seem like an impossible task, either through registry or through patching (in memory or on BIS).
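The checks suggested in this thread (look at the router's MAC cache, rule out a stale ARP cache) can be scripted from a wired PC on the LAN. The following is an added example, not code from any poster: it compares a saved `ip neigh` or `arp -a` listing against the router's filter list and flags devices that are on the LAN without being listed, plus filter entries that are one hex digit off, like the 5D/5C change described above. The function names, sample table and addresses are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[:.\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_neighbors(table):
    """Pull (ip, mac) pairs out of `ip neigh` or `arp -a` style lines."""
    pairs = []
    for line in table.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips headers and incomplete/FAILED entries
            pairs.append((ip.group(1), normalize_mac(mac.group(1))))
    return pairs

def audit(table, filter_list):
    """Compare devices seen on the LAN against the router's MAC filter list."""
    allowed = {normalize_mac(m) for m in filter_list} - {None}
    report = {"unlisted": [], "near_miss": []}
    for ip, mac in parse_neighbors(table):
        if mac in allowed:
            continue
        report["unlisted"].append((ip, mac))
        # One hex digit off a listed entry usually means a mistyped filter entry.
        for entry in sorted(allowed):
            if sum(a != b for a, b in zip(mac, entry)) == 1:
                report["near_miss"].append((mac, entry))
    return report

# Constructed sample data (not from the thread): one Linux-style line,
# one Windows-style line, one incomplete entry.
SAMPLE_TABLE = """\
192.168.0.100 dev eth0 lladdr 02:00:00:aa:bb:01 REACHABLE
  192.168.0.101          02-00-00-11-22-5d     dynamic
192.168.0.102 dev eth0  FAILED
"""
SAMPLE_FILTER = ["02-00-00-AA-BB-01", "02:00:00:11:22:5C"]

if __name__ == "__main__":
    print(audit(SAMPLE_TABLE, SAMPLE_FILTER))
```

A neighbor table only lists devices the PC has recently exchanged traffic with, so an empty `unlisted` result does not prove the filter is being enforced.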