Reply
SuperUser
Posts: 6,017
Registered: ‎09-03-2013
Kudos: 2090
Solutions: 399

Re: MAC filtering on UniFi


@The100 wrote:

question 1:

If a blacklists is ever added is it possible to add a preferred AP option ? So that when you have AP,1 AP2 and  AP3 in your house. The APs force a device with a specific mac adres to connect with AP1 when its above a certain RSSI value. But if AP1 has a bad RSSI value or if AP1 is offline, the device is still able to connect with AP2 or AP3. (or use the values for Minimum RSSI from the conf panel)

 

? i have no idea if these APs talk to each other (or need to) in some way and could allow a blacklisted mac adres if it sees no other APs on the network or if a cloudkey is needed to make this work or whatever Man Happy (:Man Happy (: Man Happy (: Man Happy (:

 

question 2:

would we be able to allow/block a range of mac adres (with wildcards like * or ^ or whatever) for devices that use multiple mac adresses in  a certain range.


That's not how roaming on Wi-Fi netoworks works, so it's not as simple as that.

You don't need a cloud-key, but you will need an instance of the UniFi controller to manage this access points anyway.

Redcon IT Solutions - Florianópolis/SC/Brazil -www.redcon.com.br
Member
Posts: 108
Registered: ‎02-03-2016
Kudos: 13
Solutions: 2

Re: MAC filtering on UniFi

[ Edited ]

@R4V3Rif i understood it correctly roaming works on the client side, and lets the client decide when to switch between APs.

 

So what iam asking is if a smart block/allowed mac filter that runs as part of the controller (on a pc or cloudkey) could tell the APs which clients are allowed in realtime to connect and when to kick them based on preset filters.

 

In that way you could allow preferred APs for each client (device looks for APs, All APs in range see the device, the device is allowed to make a connection with the preferred AP if the connection is better then the minus RSSI (kick value) and is blocked on all other APs. Untill the preferred AP goes offline out of range or drops below a certain RSSI value, if that happends the other APs do allow the client.

 

Does any other brand have smart black/whitelists like that ?

I know some android apps allow preferred SSID but for whatever reason they only work on the SSID level and not the BSSID level.

 

p.s. btw iam also real happy with a dump mac filter list Man Happy mac ranges would still be real sweet Man Happy

 

anyways what i was asking is ......... if you run a controller 24/7 could it add anything to a whitelist/blacklist versus a dump whitelist/blacklist that just runs on the APs themself without an controller online.

 

p.s.s i like to do everything the unlogical and complicated way Man Happy

SuperUser
Posts: 6,017
Registered: ‎09-03-2013
Kudos: 2090
Solutions: 399

Re: MAC filtering on UniFi

@The100, yeah, I think unlogical and complicated pretty much defines what you're describing here. Icon Smile

Not really feasible I would say, it's a too much complicated logic to be implemented in real time, considering that one should consider both stationary and fast moving client devices at the same time. Man Wink

Redcon IT Solutions - Florianópolis/SC/Brazil -www.redcon.com.br
Member
Posts: 108
Registered: ‎02-03-2016
Kudos: 13
Solutions: 2

Re: MAC filtering on UniFi

yeps, i was only considering one would use a preferred AP feature for stationary devices, like printers, internet of things devices and streaming devices connected by hdmi.

Why would anyone use a preferred option on his mobile phone or tablet or the likes, those mobile devices should just be made for proper roaming.

 

Sounds indeed to complicated for now, hope in 5 years something like it exist Man Tongue Would have been nice if client devices wouldnt be so stupid and let you set advanced conenction filters instead SSID only.

 

 

New Member
Posts: 1
Registered: ‎02-26-2016

Re: MAC filtering on UniFi

 
Emerging Member
Posts: 53
Registered: ‎11-23-2016
Kudos: 15

Re: MAC filtering on UniFi

[ Edited ]

I'm planning to use the following workaround, using a managed switch with port security options.

 

My MAC filtered WLAN needs to be on the same subnet of the not filtered one because I'm running multicast multimedia apps, and routing multicast and icmp is a pain in the ass.

 

So the MAC filtered WLAN use a dedicated VLAN (30) instead of the standard VLAN (10).

 

On the switch the VLAN 30 is tagged on the ubiquiti AP ports and not on the upstream port.

I defined two untagged ports on the switch: one belongs to the VLAN 30 and the second one belongs to the standard VLAN 10.

A patch cord is connetcting the two ports so the MAC filtered hosts can reach the gateway and the VLAN 10.

A MAC filter table on the switch port does the trick.

New Member
Posts: 4
Registered: ‎01-04-2017
Kudos: 2

Re: MAC filtering on UniFi

[ Edited ]

Hello. My name is Marcin, and this is my 1st post Man Happy

My story is simple: i'm working at school (not large), and we got some wifi network. It's made on 7, very cheap, simple APs that work as repeaters (which is making network working slow with half of their bandwitch that is 150Mb/s max). They were for like $10 each. I just put some Linux on them, used WPA2 with AES, and MAC filtering with whitelisting (about 60-70 devices that can access network). I done it because default firmware have limit up to 25 MAC address filtering, and no repeater option (there is WDS but didn't work stable). We got ~300 students. For a time period of 5 years - there was no even 1 example of trying to spoofy MAC address. So when i read in this topic, how simple it is, and how 6 years old kids do that - sorry guys, i think You do not know what You are talking about. You mix up possibilities with real life.

Well, as it were cheap devices, they slowly become more and more unstable. Because school do not have many money for large incporporation of high quality devices, i started slowly. Changed Internet connection to much faster, bought few UPS devices etc. Now i wan't to finally upgrade wifi network, so i bought 2 AP LR for good start, and prepared one PC that will work as controller server (with ubuntu lts). I made some tests today, and find out that UniFi AP are much better with signal quality, and performance than currently used devices (even they are not so bad after all). But what i need, is MAC filtering. The reasons are: no RADIUS server, no AD server too. We got some wifi devices, that do not support RADIUS/WPA Enterpreise like some projectors, old computers, wifi printers, APs that work only as wifi clients for some computers.

I'm hoping i will find that in next controller release. Without it i just can't build wifi network and i will have to find different devices.

SuperUser
Posts: 9,419
Registered: ‎01-10-2012
Kudos: 5853
Solutions: 385

Re: MAC filtering on UniFi


@nicram wrote:

For a time period of 5 years - there was no even 1 example of trying to spoofy MAC address.


Just because no one has yet doesn't mean they couldn't still Icon Wink

 

Having said that, I saw some chatter somewhere where this feature is apparently on their road map - but probably not any time in the next month at least.  So if you need it now or in the near future Unifi is probably not for you.

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudo's to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
New Member
Posts: 1
Registered: ‎06-05-2017

Re: MAC filtering on UniFi

Any chance to get an update regarding the Mac filtering?

New Member
Posts: 8
Registered: ‎05-07-2017
Kudos: 2

Re: MAC filtering on UniFi

A solution I'm using at a small chain of restaurants.

 

My Issue: Found that 50%+ of my Guest Network was being used by Employees devices.  It made sense to create a employee network for servers, cooks, and chefs, while severly limiting their bandwidth.  When I created the new network and informed my GM to have everyone move to the new SSID, some did.  However, many of their devices would connect to the old network automatically (not intentional) next time they came in.  Frankly, many of them do not know how to "forget a network" on their device.

 

After blocking users, etc, decided it was easier to just add each employee I wanted on the new network with a static IP on the new SSID.  Took about 10 minutes for ~50 users.  Not ideal, but forced the move to the correct SSID.

 

Now the guest network if for Guests, and employees monitored.  Most importantly, our POS has plenty of bandwidth and is the priority.

 

Just putting this out there in case it is useful for others.  Not elegant, but works.

New Member
Posts: 1
Registered: ‎10-18-2017

Re: MAC filtering on UniFi

Im not from the IT world, and dont want to get into an argument about what is and isn't "inherently insecure" I bougt a bunch of Ubiquifi APs yesterday, and am *staggered* that I cant do MAC filtering. What I am even more dumbfounded by is that the official Ubiquifi line is that you're not providing it because its "inhertently insecure" Excuse me, but I didnt ask for your opinions on what is best for my deployment, I asked for a a feature. I understand the implications and shortfalls of this feature, what it will do for me, and what it cant do for me. It remains the simplest solution for what I am trying to achieve. You seem to belive you understand my system, my needs, my goals, and what what I am achieve in enough detail to suggest that the feature I am asking for is not suitable. Thats pretty arrogant? So, back to the question... Can we have a MAC range white/black list feature built into the dashboad please?
Regular Member
Posts: 729
Registered: ‎09-27-2017
Kudos: 179
Solutions: 22

Re: MAC filtering on UniFi


@mrchrisstyles wrote:
Im not from the IT world, and dont want to get into an argument about what is and isn't "inherently insecure" I bougt a bunch of Ubiquifi APs yesterday, and am *staggered* that I cant do MAC filtering. What I am even more dumbfounded by is that the official Ubiquifi line is that you're not providing it because its "inhertently insecure" Excuse me, but I didnt ask for your opinions on what is best for my deployment, I asked for a a feature. I understand the implications and shortfalls of this feature, what it will do for me, and what it cant do for me. It remains the simplest solution for what I am trying to achieve. You seem to belive you understand my system, my needs, my goals, and what what I am achieve in enough detail to suggest that the feature I am asking for is not suitable. Thats pretty arrogant? So, back to the question... Can we have a MAC range white/black list feature built into the dashboad please?

It (whitelisting and blacklisting) is already built into the controller interface. What version of the controller software are you running?

SuperUser
Posts: 9,419
Registered: ‎01-10-2012
Kudos: 5853
Solutions: 385

Re: MAC filtering on UniFi


@mrchrisstyles wrote:
 I bougt a bunch of Ubiquifi APs yesterday, and am *staggered* that I cant do MAC filtering.

From 5.6.19 that's stickied at the top of the forums right this second:

Screen Shot 2017-10-18 at 21.26.05.png

 

It might have been in an earlier versiontoo, I don't recall.  

 

5.6.19 has a ton of other important improvements (especially around the USG) and I'm hoping it leaves release candidate status and moves to release sooner rather than later.

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudo's to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Ubiquiti Employee
Posts: 3,906
Registered: ‎01-11-2016
Kudos: 1160
Solutions: 29

Re: MAC filtering on UniFi

Yes this is in the WLAN group config ^^
Want to try out new features or fixes before they're released as Stable? Sign up for Beta here: https://help.ubnt.com/hc/en-us/articles/204908664-How-To-Signup-for-Beta-Access
Having connectivity issues? See: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Member
Posts: 255
Registered: ‎06-10-2014
Kudos: 130
Solutions: 3

Re: MAC filtering on UniFi

Is there anyway to wildcard this or use a mac prefix?  I have a school where we are essentially want to only allow chrome books on to a particular ssid.

Ubiquiti Certified - UCWA
Ubiquiti Employee
Posts: 3,906
Registered: ‎01-11-2016
Kudos: 1160
Solutions: 29

Re: MAC filtering on UniFi

@smtharrison It is not currently possible, but we can certainly add it to our roadmap.
Want to try out new features or fixes before they're released as Stable? Sign up for Beta here: https://help.ubnt.com/hc/en-us/articles/204908664-How-To-Signup-for-Beta-Access
Having connectivity issues? See: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Established Member
Posts: 1,507
Registered: ‎08-20-2012
Kudos: 795
Solutions: 19

Re: MAC filtering on UniFi

While doing this, can you consider doing the same with minRSSI since some devices can have a lower output power generally Tham lther thus making it impossible to connect at all... i have had such a site before and even posted a feature request about it due that site.
New Member
Posts: 1
Registered: ‎04-28-2016

Re: MAC filtering on UniFi

Does the MAC filtering require the controller to be online, or does it write the authorized MACs to the APs?

Ubiquiti Employee
Posts: 3,906
Registered: ‎01-11-2016
Kudos: 1160
Solutions: 29

Re: MAC filtering on UniFi

@mradmin No, it does not require the controller to be online.
Want to try out new features or fixes before they're released as Stable? Sign up for Beta here: https://help.ubnt.com/hc/en-us/articles/204908664-How-To-Signup-for-Beta-Access
Having connectivity issues? See: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
New Member
Posts: 8
Registered: ‎09-24-2014

Re: MAC filtering on UniFi

Hi !!,
I have active the feature and it does not work ...

 

Untitled-3.jpg

Reply